This week's Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Dennis Pickett, VP, CISO, Westat. Thanks to our show sponsor, Dropzone AI. Dropzone AI's Analyst investigates alerts with unmatched speed and precision, providing clear, actionable reports. Experience the power of autonomous threat detection. Meet Dropzone AI at BSides Las Vegas. Visit dropzone.ai for a 3-month free trial. All links and the video of this episode can be found on CISO Series.com
Erich and Javvad are back after taking a couple of weeks off to vacation and to attend BSides Las Vegas, Blackhat and DEFCON. In this episode they talk about the conference and what has been happening in the cyber world for the past couple of weeks.

Stories from the show:
Danish cloud host says customers ‘lost all data' after ransomware attack
https://techcrunch.com/2023/08/23/cloudnordic-azero-cloud-host-ransomware/
Cybercriminals turn to AI to bypass modern email security measures
https://www.helpnetsecurity.com/2023/08/23/ai-enabled-email-threats/
TP-Link smart bulbs can let hackers steal your WiFi password
https://www.bleepingcomputer.com/news/security/tp-link-smart-bulbs-can-let-hackers-steal-your-wifi-password/
Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal
https://www.bbc.co.uk/news/technology-60864283
In this episode, Erich and Javvad talk about the upcoming BSides Las Vegas, Black Hat and DEFCON conferences, NHS sharing data via WhatsApp, the #cyber skills gap, and much more.

Stories from the show:
Humans Unable to Reliably Detect Deepfake Speech
https://www.infosecurity-magazine.com/news/humans-detect-deefake-speech/
NHS Staff Reprimanded For WhatsApp Data Sharing
https://www.infosecurity-magazine.com/news/nhs-staff-reprimanded-whatsapp/
Microsoft Teams Targeted in Midnight Blizzard Phishing Attacks
https://www.infosecurity-magazine.com/news/microsoft-teams-midnight-blizzard/
Hacktivist Collective “Mysterious Team Bangladesh” Revealed
https://www.infosecurity-magazine.com/news/mysterious-team-bangladesh-revealed/
Report outlines causes of cyber security skills gap
https://www.publicsectorexecutive.com/articles/report-outlines-causes-cyber-security-skills-gap
Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. He is the founder of the security site Liquidmatrix Security Digest & podcast as well as the host of DuoTV and the Plaintext podcast. He is currently a member of the board of directors for BSides Las Vegas. Previously he served on the board of directors for (ISC)2 as well as being a founder of the BSides Toronto conference. Dave has been a DEF CON speaker operations goon for over 10 years. Lewis also serves on the advisory board for the Black Hat Sector Security Conference and the CFP review board for 44CON. He is currently working towards his graduate degree at Harvard. Dave has previously written columns for Forbes, CSO Online, Huffington Post, The Daily Swig and others. For fun he is a curator of small mammals (his kids), plays bass guitar, grills, and is part owner of a whisky distillery and a soccer team.

In this interview, Dave Lewis shares his highlights from his keynote presentation at SINCON 2023, the first cybersecurity conference in Singapore for the year 2023.

Globalisation and supply chain attacks - He shared his thoughts on how threat actors have exploited the globalisation of the supply chain: as organisations move to a cloud-based iteration “for everything”, they extend the targets of opportunity for attackers. This means that we have gone from protecting the “four walls” to an “unfathomable number of walls”. In particular, as we digitalise, we have to “make sure we are not outpacing security”, and that we understand our fallback position if “there's a global catastrophe and we have to cut off from the rest of the world.” One example is critical infrastructure, where there is “accumulated security debt” (e.g. deprecated applications) and where the “stakes are higher”.

Zero trust - Dave stressed that “zero trust” is an “iterative process” and there is “no end state”. Rather, it is about reducing the risks and addressing the core fundamentals from 30 years ago – managing our core users, our network segmentation, and the critical applications in our environment.

Cybersecurity skills and resources - Dave also shared how we need “more adults at the table”: maturing our cybersecurity posture requires more senior-level involvement. He also advised that we need to “get away from the ‘sensationalisation' of the hacker culture” – cybersecurity is not strictly the hacker sub-culture.

Cyber threat landscape - Using WannaCry as an example, Dave noted that the SMBv1 vulnerability had been known but remained unfixed for 10 years. This “security debt” was an example of how we as cybersecurity practitioners tend to “lose our focus collectively”. As we are at the “juncture where we have to figure out how we are going to mature as an industry and be able to handle these risks in a coherent fashion”, he predicted that “we will keep making the same mistakes for a while.” Further, referencing how ransomware has evolved since the first version by Dr Joseph Popp in 1989, he said “financial motivation will not go away, it is just how they are going to get their money.”

Recorded 5th January 2023, 11.30am, VOCO hotel, Singapore.
If it's August in Las Vegas, it's time for Hacker Summer Camp. There are three hacker conferences that coordinate to happen next to each other every year: BSides Las Vegas, Black Hat and DEF CON. My first trip to DEF CON was last year and I was hooked - I hope to go back every year. This was the big 30th anniversary of DEF CON and several of the news stories this week came from one of these hacker conferences. And next week I'll air my wonderful interview with DEF CON's CEO and Founder, Jeff Moss (aka The Dark Tangent). In the news this week: Several malicious Mac apps have slipped through Apple's App Store security checks and contain malware - you should delete them ASAP; iOS VPN apps aren't properly securing connections made before activating the VPN; TikTok's in-app browser injects JavaScript code that could enable it to snoop on your session, including capturing keystrokes; Cisco's network breach has lessons for all of us; Signal's use of phone numbers as identifiers was highlighted by the breach at Twilio; a new jailbreak has been found for John Deere tractors that might allow farmers to service their own equipment; Amazon is planning to release a reality TV show based on Ring doorbell footage; a digital hallway pass allows schools to intrusively monitor their students; and law enforcement is tapping into DNA databases of the blood samples taken at birth by hospitals to solve crimes.
Article Links
[Tom's Guide] These Mac apps are secretly spreading malware — delete them now
https://www.tomsguide.com/news/these-mac-apps-are-secretly-spreading-malware-delete-them-now
[Ars Technica] iOS VPNs have leaked traffic for years, researcher claims [Updated]
https://arstechnica.com/information-technology/2022/08/ios-vpns-still-leak-traffic-more-than-2-years-later-researcher-claims/
[Forbes] TikTok's In-App Browser Includes Code That Can Monitor Your Keystrokes, Researcher Says
https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/
[Threatpost] Cisco Confirms Network Breach Via Hacked Employee Google Account
https://threatpost.com/cisco-network-breach-google/180385/
[TechCrunch] Signal says 1,900 users' phone numbers exposed by Twilio breach
https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/
[Ars Technica] A new jailbreak for John Deere tractors rides the right-to-repair wave
https://arstechnica.com/information-technology/2022/08/a-new-jailbreak-for-john-deere-tractors-rides-the-right-to-repair-wave/
[VICE] 'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia
https://www.vice.com/en/article/7k8x49/ring-nation-is-amazons-reality-show-for-our-surveillance-dystopia
[VICE] A Tool That Monitors How Long Kids Are in the Bathroom Is Now in 1,000 American Schools
https://www.vice.com/en/article/dy73n7/ehallpass-1000-thousand-schools-monitor-bathroom
[WIRED] Police Used a Baby's DNA to Investigate Its Father for a Crime
https://www.wired.com/story/police-used-a-babys-dna-to-investigate-its-father-for-a-crime/

Tip of the Week: https://firewallsdontstopdragons.com/be-my-guest-no-i-insist/

Further Info
A few Amulets of Entropy are still left: https://hackerboxes.com/collections/past-hackerboxes/products/hackerbox-0080-entropy
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:17: DEFCON 30 notes
0:03:00: Quick security notes
0:03:46: News run down
0:06:50: Delete these Apple apps immediately
0:10:44: iOS VPN apps fail to secure old connections
0:15:00: TikTok's in-app browser a...
The way you build trust can take you in different directions: down a destructive path of ruined reputation or up a rewarding road of unlimited relationships and referrals. What do you choose? In this episode, I had a brutally honest conversation with Joshua Marpet, CEO of MJM Growth, about his challenges, goals, what vendors do that piss him off, and the alternatives. Josh is an ex-cop, ex-fireman, ex-blacksmith, and ex-horse dentist (not a joke). He has also worked for the Federal Reserve Bank of Philadelphia, has advised the largest companies in the world, and runs conferences through BSides Delaware along with his wife and business partners. He is also on the board of BSides DC and previously served on the board of BSides Las Vegas and Hackers for Charity.

Join Audience 1st Today
Join 300+ cybersecurity marketers and sellers mastering security buyer research to better understand their audience and turn them into loyal customers: https://www.audience1st.fm/
02:01 - Kat's Superpower: Terrible Puns!
* Puns & ADHD; Divergent Thinking (https://en.wikipedia.org/wiki/Divergent_thinking)
* Punching Down (https://www.urbandictionary.com/define.php?term=punching%20down)
* Idioms (https://www.ef.edu/english-resources/english-idioms/)

08:07 - Security Awareness Education & Accessibility
* Phishing
* Unconscious Bias Training That Works (https://hbr.org/2021/09/unconscious-bias-training-that-works)
* Psychological Safety
* 239: Accessibility and Sexuality with Eli Holderness (https://www.greaterthancode.com/accessibility-and-sexuality)
* Management Theory of Frederick Taylor (https://www.business.com/articles/management-theory-of-frederick-taylor/)
* Building a Security Culture For Oh Sh*t Moments | Human Layer Security Summit (https://www.youtube.com/watch?time_continue=21&v=d2girBtrbCQ&feature=emb_logo)
* Decision Fatigue

20:58 - Making the Safe Thing Easy
* (in)Secure Development - Why some product teams are great and others aren't… (https://tldrsec.com/blog/insecure-development-why-some-product-teams-are-great-and-others-arent/)
* The Swiss Cheese Model of Error Prevention (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1298298/)

22:43 - Awareness; Security Motivation; Behavior and Culture (ABC)
* AIDA: Awareness, Interest, Desire, Action (https://en.wikipedia.org/wiki/AIDA_(marketing))
* Inbound Marketing (https://www.hubspot.com/inbound-marketing)

33:34 - Dietary Accessibility; Harm Reduction and Threat Monitoring
* Celiac Disease (https://celiac.org/about-celiac-disease/what-is-celiac-disease/)
* A Beginner's Guide to a Low FODMAP Diet (https://www.benefiber.com/fiber-in-your-life/fiber-and-wellness/beginners-guide-to-low-fodmap-diet/?gclsrc=aw.ds&gclid=Cj0KCQiAnuGNBhCPARIsACbnLzqJkfl2XxxUQVSAGU96cmdVl5S7gn6GXnOQAHf-Sn0zEHvBBKINObUaAlOvEALw_wcB)
* Casein (https://en.wikipedia.org/wiki/Casein)
* DisInfoSec 2021: Kat Sweet - Dietary Accessibility in Tech Workplaces (https://www.youtube.com/watch?v=rG1DApAlcK4&feature=youtu.be)
Reflections: John: Internal teams relating to other internal teams as a marketing issue. Casey: Phishing emails cause harm. Kat: AIDA: Awareness, Interest, Desire, Action (https://en.wikipedia.org/wiki/AIDA_(marketing)) Unconscious Bias Training That Works (https://hbr.org/2021/09/unconscious-bias-training-that-works) The Responsible Communication Style Guide (https://rcstyleguide.com/) This episode was brought to you by @therubyrep (https://twitter.com/therubyrep) of DevReps, LLC (http://www.devreps.com/). To pledge your support and to join our awesome Slack community, visit patreon.com/greaterthancode (https://www.patreon.com/greaterthancode) To make a one-time donation so that we can continue to bring you more content and transcripts like this, please do so at paypal.me/devreps (https://www.paypal.me/devreps). You will also get an invitation to our Slack community this way as well. Transcript: PRE-ROLL: Software is broken, but it can be fixed. Test Double's superpower is improving how the world builds software by building both great software and great teams. And you can help! Test Double is hiring empathetic senior software engineers and DevOps engineers. We work in Ruby, JavaScript, Elixir and a lot more. Test Double trusts developers with autonomy and flexibility at a remote, 100% employee-owned software consulting agency. Looking for more challenges? Enjoy lots of variety while working with the best teams in tech as a developer consultant at Test Double. Find out more and check out remote openings at link.testdouble.com/greater. That's link.testdouble.com/greater. JOHN: Welcome to Episode 263 of Greater Than Code. I'm John Sawers and I'm here with Casey Watts. CASEY: Hi, I'm Casey! And we're both here with our guest today, Kat Sweet. Hi, Kat. KAT: Hi, John! Hi, Casey! CASEY: Well, Kat Sweet is a security professional who specializes in security education and engagement. 
She currently works at HubSpot building out their employee security awareness program, and is also active in their disability ERG, Employee Resource Group. Since 2017, she has served on the staff of the security conference BSides Las Vegas, co-leading their lockpick village. Her other superpower is terrible puns, or, if they're printed on paper—she gave me this one—tearable puns. [laughter] KAT: Like written paper. CASEY: Anyway. Welcome, Kat. So glad to have you. KAT: Thanks! I'm happy to be here. CASEY: Let's kick it off with our question. What is your superpower and how did you acquire it? KAT: [chuckles] Well, as I was saying to both of y'all before this show started, I was thinking I'm going to do a really serious skillful superpower that makes me sound smart because that's what a lot of other people did in theirs. I don't know, something like I'm a connector, or I am good at crosspollination. Then I realized no, [chuckles] like it, or not, terrible puns are my actual superpower. [laughter] Might as well just embrace it. I think as far as where I acquired it, probably a mix of forces. Having a dad who was the king of dad puns certainly helped and actually, my dad's whole extended family is really into terrible puns as well. We have biweekly Zoom calls and they just turn into everyone telling bad jokes sometimes. [laughter] But I think it also probably helps that, I don't know, having ADHD, my brain hops around a lot and so, sometimes makes connections in weird places. Sometimes that happens with language and there were probably also some amount of influences just growing up, I don't know, listening to Weird Al, gets puns in his parodies. Oh, and Carlos from The Magic School Bus. CASEY: Mm hmm. Role models. I agree. Me too. [laughter] KAT: Indeed. So now I'm a pundit. CASEY: I got a pun counter going in my head. It just went ding! KAT: Ding! [laughter] CASEY: I never got – [overtalk] KAT: They've only gotten worse during the pandemic. CASEY: Oh! Ding! 
[laughter] Maybe we'll keep it up. We'll see. I never thought of the overlap of puns and ADHD. I wonder if there's any study showing if it does correlate. It sounds right. It sounds right to me. KAT: Yeah, that sounds like a thing. I have absolutely no idea, but I don't know, something to do with divergent thinking. CASEY: Yeah. JOHN: Yeah. I'm on board with that. CASEY: Sometimes I hang out in the channels on Slack that are like #puns, or #dadjokes. Are you in any of those? What's the first one that comes to mind for you, your pun community online? KAT: Oh yeah. So actually at work, I joined my current role in August and during the first week, aside from my regular team channels, I had three orders of business. I found the queer ERG Slack channel, I found the disability ERG Slack channel, and I found the dad jokes channel. [laughter] That was a couple of jobs ago when I worked at Duo Security. I've been told that some of them who are still there are still talking about my puns because we would get [laughs] pretty bad pun threads going in the Slack channels there. CASEY: What a good reputation. KAT: Good, bad, whatever. [laughs] CASEY: Yeah. KAT: I don't know. Decent as a form of humor that's safe for work goes, too because it's generally hard to, I guess, punch down with them other than the fact that everyone's getting punched with a really bad pun, but they're generally an equalizing force. [chuckles] CASEY: Yeah. I love that concept. Can you explain to our listeners, punching down? KAT: So this is now the Great British Bake Off and we're talking about bread. No, just kidding. [laughter] No, I think in humor a lot of times, sometimes people talk about punching up versus punching down in terms of who is actually in on the joke. When you're trying to be funny, are you poking fun at people who are more marginalized than you, or are you poking at the people with a ton of privilege? 
And I know it's not always an even concept because obviously, intersectionality is a thing and it's not just a – privilege isn't a linear thing. But generally, what comes to mind a lot is, I don't know, white comedians making fun of how Black people talk, or men comedians making rape jokes at women's expense, or something like that. Like who's actually being punched? [chuckles] CASEY: Yeah. KAT: Obviously, ideally, you don't want to punch anyone, but that whole concept of where's the humor directed and is it contributing to marginalization? CASEY: Right, right. And I guess puns aren't really punching at all. KAT: Yeah. CASEY: Ding! KAT: Ding! There goes the pun counter. Yeah, the only thing I have to mindful of, too is not over relying on them in my – my current role is in a very global company so even though all employees speak English to some extent, English isn't everyone's first language and there are going to be some things that fly over people's heads. So I don't want to use that exclusively as a way to connect with people. CASEY: Right, right. JOHN: Yeah. It is so specific to culture even, right. Because I would imagine even UK English would have a whole gray area where the puns may not land and vice versa. KAT: Oh, totally. Just humor in general is so different in every single culture. Yeah, it's really interesting. JOHN: Yeah, that reminds me. Actually, just today, I started becoming weirdly aware as I was typing something to one of my Indian colleagues and I'm not sure what triggered it, but I started being aware of all the idioms that I was using and what I was typing. I was like, “Well, this is what I would normally say to an American,” and I'm just like, “Wait, is this all going to come through?” I think that way might lead to madness, though if you start trying to analyze every idiom you use as you're speaking. 
But it was something that just suddenly popped into my mind that I'm going to try and keep being a little bit more aware of because there's so many ways to miss with communication when you rely on obscure idioms, or certain ways of saying things that aren't nearly as clear as they could be. [chuckles] KAT: Yeah, absolutely. I'm sure that's definitely a thing in all the corporate speak about doubling down, circling back, parking lots, and just all the clicking, all of those things. [laughter] But yeah, that's actually something that was on my run recently, too with revamping one of the general security awareness courses that everyone gets is that in the way we talk about how to look for a phishing – spot a phishing email. First of all, one of the things that at least they didn't do was say, “Oh, look for poor grammar, or misspelled words,” because that's automatically really exclusive to people whose first language isn't English, or people who have dyslexia. But I was also thinking we talk about things like subtle language cues in suspicious emails around a sense of urgency, like a request being made trying to prey on your emotion and I'm like, “How accessible is that, I guess, for people whose first language is English to try and spot a phishing email based on those kind of things?” Like how much – [chuckles] how much is too much to ask of…? Like opinions about phishing emails, or the phishing training anyway being too much to ask of people to some degree, but I don't know. There's so much subtlety in it that just is really easy for people to lose. JOHN: Yeah. I mean, I would imagine that even American English speakers – [overtalk] KAT: Yeah. JOHN: With a lot of experience still have trouble. 
Like actually, [chuckles] I just got apparently caught by one of them, the test phishing emails, but they notified me by sending me an email and saying, “You were phished, click here to go to the training.” And I'm like, “I'm not going to click on that!” [laughter] I just got phished! KAT: Yeah. JOHN: But I think my larger point is again, you're talking about so many subtleties of language and interpretations to try and tease these things out. I'm sure there are a lot of people with a range of non-typical neurologies where that sort of thing isn't going to be obvious, even if they are native English speakers. KAT: Exactly. Myself included having ADHD. [laughs] JOHN: Yeah. KAT: Yeah. It's been interesting trying to think through building out security awareness stuff in my current role and in past roles, and having ADHD and just thinking about how ADHD unfriendly a lot of the [laughs] traditional approaches are to all this. Even like you were just saying, “You got phished, take this training.” It seems like the wrong sequence of events because if you're trying to teach someone a concept, you need to not really delay the amount of time in between presenting somebody with a piece of information and giving them a chance to commit it to memory. ADHD-ers have less working memory than neurotypical people to begin with, but that concept goes for everyone. So when you're giving someone training that they might not actually use in practice for several more months until they potentially get phished again, then it becomes just information overload. So that's something that I think about. Another way that I see this playing out in phishing training in particular, but other security awareness stuff is motivation and reward because we have a less amount of intrinsic motivation. Something like, I don't know, motivation and reward system just works differently with people who have trouble hanging onto dopamine. ADHD-ers and other people's various executive dysfunction stuff. 
So when you're sitting through security training that's not engaging, that's not particular lead novel, or challenging, or of personal interest, or is going to have a very delayed sense of reward rather than something that immediately gratifying, there's going to be a limitation to how much people will actually learn, be engaged, and can actually be detrimental. So I definitely think about stuff like that. CASEY: That reminds me of a paper I read recently about—I said this on a previous episode, too. I guess, maybe I should find the paper, dig it up, and share. KAT: Cool. [laughter] CASEY: Oh, but it said, “Implicit bias awareness training doesn't work at all ever” was an original paper. No, that's not what it said of course, but that's how people read it and then a follow-up said, “No, boring! PowerPoint slide presentations that aren't interactive aren't interactive.” [laughter] “But the interactive ones are.” Surprise! KAT: Right. That's the thing. That's the thing. Yeah, and I think there's also just, I don't know. I remember when I was first getting into security, people were in offices more and security awareness posters were a big thing. Who is going to remember that? Who's going to need to know that they need to email security at when they're in the bathroom? [laughs] Stuff like that that's not particularly engaging nor particularly useful in the moment. But that DEI paper is an interesting one, too. I'll have to read that. CASEY: Do you have experience making some of these trainings more interactive and getting the quicker reward that's not delayed and what does that look like for something like phishing, or another example? KAT: It's a mixed bag and it's something that I'm still kind of – there's something that I'm figuring out just as we're scaling up because in past roles, mostly been in smaller companies. 
But one thing that I think people, who are building security awareness and security education content for employees, miss is the fact that there's a certain amount of baseline level of interaction and context that you can't really automate a way, especially for new hires. I know having just gone through process that onboarding weeks are always kind of information overload. But people are going to at least remember more, or be more engaged if they're getting some kind of actual human contact with somebody who they're going to be working with; they've got the face, they've got some context for who their security team is, what they do, and they won't just be clicking through a training that's got canned information that is no context to where they're working and really no narrative and nowhere for them to ask questions. Because I always get really interesting questions every time I give some kind of live security education stuff; people are curious. I think it's important that security education and engagement is really an enhancer to a security program. It can't be carrying all the weight of relationships between the security team and the rest of the company. You're going to get dividends by having ongoing positive relationships with your colleagues that aren't just contact the security team once a year during training. CASEY: And even John's email, like the sample test email, which I think is better than not doing it for sure. But that's like a ha ha got you. That's not really [chuckles] relationship building. Barely. You've got to already have the relationship for it to – [overtalk] KAT: No, it's not and that's – yeah. And that's why I think phishing campaigns are so tricky. I think they're required by some compliance frameworks and by cyber insurance frameworks. So some places just have to have them. You can't just say we're not going to run internal phishing campaigns, unfortunately, regardless of whether that's actually the right thing for businesses. 
But I think the angle should always be familiarizing people with how to report email like that to the security team and reinforcing psychological safety. Not making people feel judged, not making people feel bad, and also not making them sit through training if they get caught because that's not psychological safety either and it really doesn't pay attention to results. It's very interesting, I remember I listened to your episode with Eli Holderness and at some point, one of the hosts mentioned something about human factors and safety science on the evolving nature of how people management happens in the workplace. How there was this old model of humans being a problem to be managed, supervised, and well, just controlled and how the new view of organizational psychology and people management is more humans are your source of success so you need to enable their growth and build them up. I think a lot of security education approaches are kind of still stuck in that old model, almost. I've seen progress, but I think a lot of them have a lot of work to do in still being, even if they're not necessarily as antagonistic, or punitive, they still feel sometimes paternalistic. Humans are like, “If I hear the phrase, ‘Humans are the weakest link one more time,' I'm going to table flip.” First of all, humans are all the links, but also – [overtalk] JOHN: Yeah. KAT: It's saying like, we need to save humans, which are somehow the security team is not humans. We need to save humans from themselves because they're too incompetent to know what to do. So we need, yeah – which is a terrible attitude. CASEY: Yeah. KAT: And I think it misses the point that first of all, not everyone is going to become a security expert, or hypervigilant all the time and that's okay. But what we can do is focus on the good relationships, focus on making the training we have and need to do somewhat interactive and personal and contextual, and let go of the things you can't control. 
[chuckles] JOHN: Yeah, I think Taylorism is the name for that management style. I think it came around in the 40s and – [overtalk] KAT: Really? JOHN: Yeah, ruined a lot of lives. [laughs] Yeah, and I think your point about actually accepting the individual humanity of the people you're trying to influence and work with rather than as some sort of big amorphous group of fuckups, [laughs] for lack of a better word. Giving them some credit, giving them, like you said, something that's not punitive, somewhere where they don't get punished for their security lapses, or forgetting a thing, or clicking the link is going to be a lot more rewarding than, like you said, just making someone sit through training. Like for me, the training I want from whatever it was I clicked on is show me the email I clicked on, I will figure out how it tricked me and then I will learn. I don't need a whole – [overtalk] KAT: Yes. JOHN: 3 hours of video courses, or whatever. I will see the video, [chuckles] I will see the email, and that is a much more organic thing than here's the training for you. KAT: Exactly. Yeah, you have to again, give some people a way to actually commit it to memory. Get it out of RAM and into SSD. JOHN: Yeah. [laughter] KAT: But yeah, I love that and fortunately, I think some other places are starting to do interesting, innovative approaches. My former colleague, Kim Burton, who was the Security Education Lead at Duo when I was there and just moved to Texas, gave a webinar recently on doing the annuals security training as a choose your own adventure so that it could be replicated among a wide group of people, but that people could take various security education stuff that was specific to their own role and to their own threat model. I really liked that. I like being able to give people some amount of personalization and get them actually thinking about what they're specifically interacting with. JOHN: Yeah, yeah. 
That's great and it also makes me think about there are undoubtedly things I'm pretty well informed in security and other things that I'm completely ignorant about. I'd rather not sit through a training that covers both of those things. Like if there's a way for me to choose my own adventure through it so that I go to the parts where I'm actually learning useful things. Again, a, it saves everybody time and b, it means I'm not fast forwarding through the video, hoping it'll just end, and then possibly missing things that are actually useful to me. CASEY: I'm thinking of a concrete example, I always remember and think of and that's links and emails. I always hover and look at the URL except when I'm on my phone and you can't do that. Oh, I don't know. It has never come up in a training I've seen. KAT: Yeah, you can click and hold, but it's harder and I think that speaks to the fact that security teams should lead into putting protections around email security more so than relying entirely on their user base to hover every single link, or click and hold on their phone, or just do nothing when it comes to reporting suspicious emails. There's a lot of decision fatigue that, I think security teams still put on people whose job is not security and I hope that that continues to shift over time. JOHN: Yeah. I mean, you're bringing up the talking about management and safety theory that probably came from Rein Henrichs, who is one of our other hosts. But one of the things he also has talked about on, I think probably multiple shows is about setting the environment for the people that makes the safe thing easy. KAT: Right. JOHN: So that all the defaults roll downhill into safety and security rather than well, here's a level playing field you have to navigate yourself through and there's some potholes and da, da, da, and you have to be aware of them and constantly on alert and all those things. 
Whereas, if you tilt the field a little bit, you make sure everything runs in the right direction, then the right thing becomes the easy thing and then you win.
KAT: Exactly, exactly. I think it's important to put that not only in the technical defaults – [overtalk]
JOHN: Yeah, yeah.
KAT: But also process defaults to some degree. One of my colleagues just showed me a talk that was, I think from perhaps at AppSec Cali. I'll have to dig it up. But there was somebody talking about making I guess, threat modeling and anti-abuse mindsets more of a default in product development teams and how they added one single line to their sprint planning—how could this feature potentially be misused by a user—and that alone just got people thinking, just that little process change.
JOHN: Yeah. That's beautiful. But such a small thing, but constantly repeated at a low level. It's not yelling at anyone to…
KAT: Yeah.
JOHN: Yeah.
KAT: Yeah. And even if the developers and product designers themselves weren't security experts, or anti-abuse experts, it would just get them thinking, “Oh hey, we should reach out to the trust and safety team.”
CASEY: Yeah. I'm thinking about so many steps and so many of these steps could be hard. The next one here is: is the security team responsive? And that has a lot to do with are they well-staffed and is this a priority for them? Oh my goodness.
KAT: Yeah. [laughs] So many things.
CASEY: It's layers. But I'm sure you've heard of this, Kat. The Swiss cheese model of error prevention?
KAT: Yeah. Defense in depth.
CASEY: Yeah. [chuckles] I like to bring it up on the podcast, too because a lot of engineers and a lot of non-security people don't know about it.
KAT: Hmm.
CASEY: Do you want to explain it? I don't mind. I can.
KAT: Oh, yeah. Basically that there are going to be holes in every step of the process, or the tech and so, that's why it's important to have this layered approach.
Because over time, even if something gets through the first set of holes, it may not get through a second set where the holes are in different spots. So you end up with a giant stack of Swiss cheese, which is delicious, and you come out with something that's hopefully pretty safe. [laughter]
CASEY: Yeah, and it's the layers that are – the mind-blowing thing here is that there can be more than one layer. We don't just need one layer of Swiss cheese on this sandwich, which is everybody pay attention and don't ever get phished, or it's your fault. You can have so many more layers than that. It can be like a grilled cheese, really, really thick, grilled cheese. [laughter]
KAT: Yes. A grilled cheese where the bread is also cheese.
CASEY: Yes! [laughs]
MID-ROLL: This episode is supported by Compiler, an original podcast from Red Hat discussing tech topics big, small, and strange. Compiler unravels industry topics, trends, and the things you've always wanted to know about tech, through interviews with the people who know it best. On their show, you will hear a chorus of perspectives from the diverse communities behind the code. Compiler brings together a curious team of Red Hatters to tackle big questions in tech like, what is technical debt? What are tech hiring managers actually looking for? And do you have to know how to code to get started in open source? I checked out the “Should Managers Code?” episode of Compiler, and I thought it was interesting how the hosts spoke with Red Hatters who are vocal about what role, if any, that managers should have in code bases—and why they often fight to keep their hands on keys for as long as they can. Listen to Compiler on Apple Podcasts, or anywhere you listen to podcasts. We'll also include a link in the show notes. Our thanks to Compiler for their support.
CASEY: Earlier, you mentioned awareness, Kat, as something interesting. You want to talk about awareness more as a term and how it relates to this?
KAT: Oh, yeah.
So I – and technically, my job title has security awareness in it, but the more I've worked in the security space doing employee security education stuff as part of my job, I know language isn't perfect, but I'm kind of of the mindset that awareness isn't a good capture of what a role like mine actually should be doing because awareness without behavior change, or action is just noise. It's just we're all very aware of things, but if we don't have an environment that's friendly to us putting that awareness into some kind of action, or engagement, or response, we are just aware and scared. [laughs]
CASEY: Yeah, awareness alone just makes us feel bad. We need more than that.
KAT: Yeah. So I think security awareness is sometimes just a product of a term that got standardized over several years as it's in all of the compliance control frameworks, security awareness is a part of it. I don't know that it's the best practice thing. I hope over time it will continue to evolve.
CASEY: Yeah.
KAT: As with any other kind of domains.
JOHN: Yeah. I think that maybe security motivation might be a better term for it.
KAT: I've seen a bunch of different ones used. So I end up speaking in terms of, I don't know, security education and engagement is what I'm working on. Security culture is my vision. I've seen things like security awareness, behavior, and culture, ABC, things like that. But all this to say security awareness not being in a vacuum.
CASEY: I like those. This reminds me of a framework I've been thinking about a lot and I use in some of my DEI workshops. AIDA is an acronym. A-I-D-A. The first one's Awareness, the last one is Action, and in the middle is Interest and Desire.
KAT: Nice.
CASEY: So the questions I use to frame it are like, are they aware of, for example, if they're misgendering someone? That's the context I'm using this in a lot. Are they aware of this person's pronouns in the first place?
Are they interested in caring about this person and do they want to do anything about it and did they do it? Did they use their proper pronouns? Did they correct their actions? It's like 4 stages – [overtalk]
KAT: I like that.
CASEY: AIDA. It's used in marketing a lot for like a sales funnel, but I apply it to all sorts of how do you get someone from aware to action?
KAT: I like that a lot. It's been interesting working at a place that makes a product that's more in the sales and marketing space. Definitely learned a lot because a couple of previous roles I've had have been with security vendors. I think one of the interesting ideas that was a new concept to me when I started was this idea of inbound marketing, where instead of just cold contacting people and telling them, “Be interested in us, be interested in us, buy our stuff,” you generate this reputation as being of good service by putting out useful free nuggets of content, like blog posts, webinars, and things. Then you get people who are interested based on them knowing that you've got this, that you offer a good perspective, and then they tell all their friends. They are satisfied customers, and they go promote it to people. I think about this as it applies to security teams and the services they provide, because even though corporate security teams are internal, they've still got internal customers. They've still got services that they provide for people. So by making sure that the security team is visible, accessible, and that the good services that they provide are known and you've got satisfied customers, they become promoters to the rest of their teams. Think about like security can definitely learn a lot from [chuckles] these sales and marketing models.
CASEY: I can totally imagine the security team being the fun team, the one you want to go work with and do workshops with because they make it so engaging and you want to. You can afford to spend your time on this thing. [laughter]
KAT: Oh yes.
CASEY: You might do it. [laughter]
JOHN: Yeah, and I think marketing's a great model for that. Marketing sort of has a bad reputation, I think amongst a lot of people because it's done badly and evilly by a lot of people. But it's certainly possible and I think inbound marketing is one of those ways that you're engaging, you're spreading awareness, you're letting people select themselves into your service, and bring their interest to you. If you can develop that kind of rapport with the employees at your company as a security team, everybody wins.
KAT: Yeah, absolutely, and it can absolutely be done. When I was working at Duo a couple jobs ago, I was on their security operations team and we were responsible, among other things, for both the employee security education and being the point of intake; being the people that our colleagues would reach out to with security concerns, and we definitely could see those relationships pay off by being visible and being of good service.
CASEY: So now I'm getting my product manager hat on, like team management.
KAT: Yeah.
CASEY: I will want to choose the right metrics for a security team that incentivizes letting this marketing kind of approach happen and being the fun team people want to reach out to, to have the bigger impact, and probably the highest metric is like nobody gets a security breach. But that can't be the only one because maybe you'll have a lucky year and maybe you'll have an unlucky year, so that's not the best one. What other metrics are you thinking of?
KAT: That's the thing, there's a lot more that goes into not getting pwned than how aware of security people are. There's just way too many factors to that. But – [overtalk]
CASEY: Yeah. I guess, I'm especially interested in the human ones, like how come – [overtalk]
KAT: Oh, yeah. And I mean like – [overtalk]
CASEY: Is the department allowed to do the things that would be effective, like incentivized and measured in a sense?
KAT: Yeah, and I think a lot of security education metrics often have a bit of a longer tail, but I think about not – I don't really care so much about the click rates for internal phishing campaigns, because again, anyone can fall for a phish if it's crafted correctly enough. If it's subtle enough, or if just somebody's distracted, or having a bad day, which we never have. It's not like there's a pandemic, or anything. But for things that are sort of numbers wise, I think about how much are people engaging with security teams not just in terms of reporting suspicious emails, but how often are they reporting ones that aren't a phishing simulation? How much are they working with security teams when they're building new features and what's the impact of that baseline level before there's, I don't know, formal process for security reviews, code reviews, threat modeling stuff in place? What does that story look like over time for the product and for product security? So I think there's quite a bit of narrative data involved in security education metrics.
JOHN: Yeah. I mean you could look at inbound interest, like how often are you consulted out of the blue by another team, or even of the materials you've produced, what's the engagement rates on that? I think that's a lower quality one, but I think inbound interest would be fantastic.
CASEY: Yeah.
KAT: Yeah, exactly. I was thinking to some degree about well, what kinds of vulnerabilities are you shipping in your code? Because I think there's never 100% secure code. But I think if you catch some of the low-hanging fruits earlier on, then sometimes you get an interesting picture of like, okay, security is being infused into the SDLC at all of these various Swiss cheese checkpoints. So think about that to some degree and that's often more of a process thing than purely an education thing, but getting an education is an enhancer to all of these other parts of the security programs.
JOHN: So in the topics for the show that you had suggested to us, one of the things that stood out to me was something you called dietary accessibility. So can you tell me a little bit more about what that means?
KAT: So earlier in this year, in the middle of all of this pandemic ridiculousness, I got diagnosed with celiac disease. Fortunately, I guess, if there was a time to be diagnosed with that, it's when I'm working remotely and nobody's going out to eat really. Oh, I should back up. I think a lot of people know what it is, but just in case, it's an autoimmune disorder where my body attacks itself when I eat gluten. I've described it in the past as my body thinks that gluten is a nation state adversary named Fancy Beer. [laughter] Ding, one more for the pun counter. I don't know how many we're up to now. [laughs]
CASEY: I have a random story about a diet I had to do for a while for my health. I have irritable bowel syndrome in my family and that means we have to follow a really strict diet called the low FODMAP diet. If your tummy hurts a lot, it's something you might look into because it's underdiagnosed. That meant I couldn't have wheat, but not because I had celiac disease; I was not allergic to the protein in wheat flour. I was intolerant to the starch in wheat flour. So it would bother me a lot. People said, “Do you have celiac, or?” And I was like, “No, but I cannot have wheat because the doctor told me so, but no, it's not an allergy.” I don't know, my logical brain did not like that question. [laughter] That was an invalid question. No, it's not a preference. I prefer to eat bread, but I cannot, or it hurts my body according to my doctor.
KAT: [chuckles] So you can't have the starch and I can't have the protein. So together, we can just – [overtalk]
CASEY: Separate it!
KAT: Split all of the wheat molecules in the world and eat that. [laughs]
CASEY: That's fair. I literally made gluten-free bread with gluten.
[laughs] I got all the gluten-free starches and then the gluten from the wheat and I didn't have the starch in the wheat and it did not upset my stomach.
KAT: Oh man.
JOHN: Yeah. I've got a dairy sensitivity, but it's not lactose. It's casein so it's the protein in the dairy.
CASEY: Protein, uh huh.
KAT: Oh, interesting.
CASEY: I apologize on behalf of all the Casey. [laughter] Casey in.
KAT: Who let Casey in?
CASEY: Ding!
KAT: Ding! No, but it's made me think a lot about as I was – first of all, it's just I didn't fully appreciate until I was going through it firsthand, the amount of cognitive overload that just goes into living with it every day. [laughs] Speaking of constant state of hypervigilance, it took a while for that to make it through – I don't know, for me to operationalize to my new life that's going to be my reality for the [laughs] rest of my life now because it was just like, “Oh, can I eat this? Can I eat that?” All of that. Something that at least helped ease me out of this initial overwhelm and grieving period was tying some of the stuff that I was dealing with back to how would I do this in my – how would I approach this if this were a security education and security awareness kind of thing?
CASEY: Oh, yeah.
KAT: Because it's a new concept and it's a thing that is unfamiliar and not everyone is an expert in it. So I'm like, “How would I treat myself as the person who's not an expert in it yet?” I, again, tried to get myself back to some of those same concepts of okay, let's not get stuck in FUD mode, let's think about what are some of the actual facts versus what's scaremongering. I don't need to know how much my risk of colon cancer is increased, because that's not helpful for me to actually be able to go about my day. I need to know what are the gluten-free brands of chips? That's critical infrastructure.
CASEY: I love this parallel. This is so cool.
KAT: And so I thought about – I've mentioned earlier, decision fatigue as a security issue. I thought about how can I reduce the decision fatigue and not get stuck just reading all the labels on foods and stuff? What are the shortcuts I can take? Some of those were like okay, let me learn to recognize what the labels mean, like a certified gluten-free logo, and also just eat a lot of things that would never have touched gluten to begin with, like plain and raw meat, plain potatoes, plain vegetables, things like that. So just anything to take the cognitive load down a little bit, because it was never going to be zero. It's interesting. Sometimes, I don't know, I have tons of different interests and I've always been interested in people's perspective outside of security. A lot of that stuff influences the way I think about security, but sometimes the way I think about security also ends up influencing other stuff in my life, so.
CASEY: Yeah. I think that's brilliant. Use – [overtalk]
KAT: And interesting to connect with those.
CASEY: The patterns you're comfortable with, and apply them.
KAT: Exactly.
CASEY: A lot of really cool ideas come from technology.
KAT: Yeah, and go for harm reduction, not nothing because we don't live in a gluten-free world. It's like I can try to make myself as safe as possible, but at some point, my gut may suffer a data breach and [laughs] when I do, it should be blameless and just work on getting myself recovered and trying – [overtalk]
JOHN: Yeah. I mean, thinking about it as a threat model. There's this gluten out there and some of it's obvious, some of it's not obvious. What am I putting in place so that I get that 95th percentile, or whatever it is that you can think of it that way? I like that.
KAT: Exactly. It's an interesting tie to threat modeling how the same people – even if people have the same thing that they can't eat, they may still have a different threat model.
They may, like how we both had to avoid wheat, but for different reasons and with different side effects, if we eat it and things like that.
CASEY: I love these parallels. I imagine you went into some of these in that talk at DisInfoSec. Is that right?
KAT: Yeah. A little bit. So DisInfoSec, it's a virtual conference in its second year of existence, specifically highlighting disabled speakers in the InfoSec community, run by Kim Crawley, who's a blogger for Hack the Box. There was a really interesting lineup of talks this year. Some people, I think about half of them touched on neurodiversity and various aspects of security through lenses of being autistic and ADHD, which is really cool. For mine, I focused on those of us who have disability-related dietary restrictions and how that affects our life in the tech workplace, where compared to a lot of other places I've worked, there's a lot of free food on the company dime hanging around and there's a lot of use of food as a way to build connection and build community.
CASEY: Yeah, and a lot of stuff, a lot of people can't eat. I'm with you, uh huh.
KAT: Yeah. I just took stock of all of the times that I would take people out for lunch interviews, go out to dinner with colleagues when they're in town, all of these things. Like snacks in the office. Just there not being a bathroom on the same floor as me for multiple jobs where I worked. [laughs] Things like that. So I really wanted to – the thing that I wanted to highlight in that talk in general was systemic level accommodations to be made for people with, be they celiac, IBS, food allergies, diabetes, rather than relying on people individually requesting accommodations. This universal design model where you've got to make sure that your workplace is by default set up to accommodate people with a wide range of disabilities including dietary needs and a lot of times it doesn't come down to even feeding them.
It comes down to making sure their health insurance is good, making sure people can work remotely, making sure that – [overtalk]
CASEY: Higher levels of Swiss cheese on that. There are various levels.
KAT: Yeah, the levels of Swiss cheese. A lot of stuff cascades from lunch interviews, making sure that if you do them at all, that you're really flexible about them.
JOHN: Yeah. I can definitely relate to the being able to work from home, which I've done for the last decade, or more, has been huge for being able to have a solid control of my diet. Because it's really easy to have all the right things around for lunch rather than oh, I've only got half an hour, I can run out to the sub shop and I'll just deal with the consequences. Because that's what's nearby versus, or trying to bring food into the office and keep it in the fridge, or the free – that's a whole mess. So just like you said, good health insurance, working from home, these are things that allow for all sorts of different disabilities to be taken care of so well that you don't – that's the base, that's table stakes for that kind of inclusion.
KAT: Exactly, exactly.
CASEY: Yeah.
KAT: Exactly. Yeah, and I think what sometimes gets missed is that even there are other things that I need – the ability to just sometimes lay down, the ability to be close to a bathroom, and things that are not food related, but definitely are my reality. [laughs]
CASEY: And companies win out, too. By accommodating you, they get all of your expertise and skills and puns. In exchange for flexibility, they get puns.
KAT: [laughs] And I still make puns about gluten, wheat, rye, and barley even though I can't eat them anymore. That will never go away.
CASEY: They just keep rising.
KAT: Wheat for it. Wait for it. [laughter]
CASEY: Ding!
KAT: That's just my wry sense of humor.
CASEY: All right. We're getting near the end of time for today. At this point, let's talk about reflections and plugs.
JOHN: I can go first.
I think the thing that's definitely sticking with me is thinking about the internal teams relating to other internal teams at a company as a marketing issue. Security is obviously one where you need to have that relationship with pretty much every team. But I'm thinking all sorts of, all the way around: development, DevOps, tech QA. Everyone can think this way and probably gain something from it as a what are we presenting to the rest of the company, what is our interface, and how do we bring more things to it such that people like working with our interface a lot so that we have great relationships with the rest of the team? I think I'm going to keep thinking about that for a while.
CASEY: I'll share a reflection. I liked noticing that those phish emails can cause harm to people—they can feel bad and then make them less receptive. I've always been a fan of them overall. But thinking about that impact, I might have even been the one to say that, but it was still surprising to me when that came out of my mouth. Say, oh yeah, it hurts people in a way, too. We don't have to have that painful experience to teach people. It can be done in a safer environment. I wonder what else we can do for training of things like that to make it more positive and less negative. I'm going to be thinking on that.
KAT: Yeah. And I wrote down AIDA. Awareness, Interest, Desire, and Action. Did I get that right?
CASEY: Yeah.
KAT: I'm definitely going to look into that. I think that's a great model for education of all kinds.
CASEY: Yeah. If you want to go even deeper, there's like 6 and 7 tier models; the Wikipedia page links to a bunch of them. That's just the most common.
KAT: Awesome.
CASEY: For plugs, I just want to plug some homework for you all. Everyone listening, there's this Unconscious Bias Training That Works article that I've mentioned twice now. I hope you get to read that. And I guess, the AIDA – It'll be in the show notes for sure.
And then the Wikipedia page for AIDA marketing just so you have a spot to look it up, if you forget about it. Try to apply that to situations, that's your homework.
KAT: I think something I've plugged on Twitter quite a bit over the years, and a lot when we were talking about the language that we use earlier, I'm a huge fan of the Responsible Communication Style Guide, which was put out by the Recompiler, which is a feminist activist hacker publication. So they've got guides on words to avoid, words to use instead for when talking about race, gender, class, health, disability status. It's written for a tech audience and I really like that as a resource for using inclusive language.
JOHN: Yeah. It's great stuff.
CASEY: I love it. All right, thanks so much for coming on our show today, Kat.
Special Guest: Kat Sweet.
In this episode of AppSec Builders, Jb is joined by Security Architect, Sarah Young, to discuss Cloud Security, its evolution, and its increased presence within Cloud Vendor solutions and platforms.
About Sarah:
LinkedIn: https://www.linkedin.com/in/m1splacedsoul/ , https://www.linkedin.com/in/sarahyo16/
Twitter: https://twitter.com/_sarahyo
Sarah Young is a security architect based in Melbourne, Australia who has previously worked in New Zealand and Europe and has a wealth of experience in technology working across a range of industry sectors. With a background in network and infrastructure engineering, Sarah brings deep technical knowledge to her work. She also has a penchant for cloud native technologies. Sarah is an experienced public speaker and has presented on a range of IT security and technology topics at industry events both nationally and internationally (BSides Las Vegas, The Diana Initiative, Kiwicon, PyCon AU, Container Camp AU/London, BSides Ottawa, BSides Perth, DevSecCon Boston, CHCon, KubeCon, BSides San Francisco). She is an active supporter of both local and international security and cloud native communities.
Resources: https://www.cncf.io/ (Cloud Native Computing Foundation)
Transcript
[00:00:02] Welcome to AppSec Builders, the podcast for Practitioners Building Modern AppSec hosted by Jb Aviat.
Jb Aviat: [00:00:14] Welcome to this episode of AppSec Builders, I'm Jb Aviat and today I'm thankful to welcome Sarah Young, who is a senior program manager in Azure security. Sarah, you're very prolific in this security space with conferences, the Azure Security Podcast, and you're also a CNCF - Cloud Native Computing Foundation - Ambassador. Sarah, I'd love to hear more about this.
Sarah Young: [00:00:38] Thanks! And thank you for having me. Yeah! So many things I could say. So, yeah, I work for Microsoft.
So of course, every day I work with Azure and do Azure security as one would expect. But I've been working in security for oh. Like specifically focusing on security for the last eight or nine years now. Before I joined Microsoft, I worked with other clouds and so I got a fair bit of experience there. But with regards to CNCF I am, as you said, an ambassador and although I'm certainly not a developer, I certainly find the security aspect of cloud native stuff really, really interesting. And that's what I enjoy talking to people about.
Jb Aviat: [00:01:20] Alright. And so one thing you seem to be prolific about is Kubernetes, and Kubernetes is definitely something that has gone through an amazing popularity over the past years and also got a lot of security exposure because it's notoriously complex and difficult to use in a secure way. Do you have any specific thought about that?
Sarah Young: [00:01:42] Yeah, there are lots of specifics we could go into here and I guess watching Kubernetes over the past two or three years has been really interesting because obviously there are new releases and every time there's a new release, there are updates and improvements made to it. Obviously, I focused more on that for me. I'm more interested in the security side of it. But it's really interesting if you go from the early days of Kubernetes through to now, how much it's improved. I mean, what are we on now? I think we're on twenty, twenty one or something like that. I forget the exact version we're up to for releases at the moment. But if you go back to the early days or two, three years ago, there were some major, major security holes in Kubernetes. So there were things, I mean, it didn't support RBAC or role based access control. So if you don't have role-based access control, you literally can't give people permissions, like everyone just has everything, which is a security person's nightmare.
So it's been really good to actually see how it's developed over the years and how the community have addressed those things. Sarah...
Anatomy is to physiology as geography is to history; it describes the theatre of events. -- Jean Fernel; Legendary French physician
Those who cannot remember the past are condemned to repeat it -- George Santayana; The Life of Reason: The Phases of Human Progress, 1905
Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones -- Donald Rumsfeld; US Secretary of Defense, 2002
The World Economic Forum considered a massive incident of data fraud/theft the FOURTH biggest risk facing THE WORLD for 2019, behind major natural disasters and ahead of man-made environmental damage including massive oil spills or massive radiation leaks. 2020 said… hold my beer.
Just last week, the Wisconsin Republican Party was attacked by bad actors and suffered the theft of $2,300,000.00 in payments that were due to various vendors to their organization. How did the bad guys get in? The most basic, tried and true way of ingress: email phishing. Was the motivation to damage national and state-wide election campaigns? Was it to sow more discord in an already tumultuous election season? Was it TWO POINT THREE MILLION DOLLARS? Do we even care? What cannot be disputed is that bad guys came into their system with bad intent and left with a lot of other peoples’ money.
When is a breach a breach? When is it a data leak? When is it simply a server left exposed?
On this edition of InSecurity, Matt Stephenson talks with veteran Incident Response Consultants John Wood and Ryan Chapman about what happens once the bad guys break in and what the good guys can and must do when dealing with the results of a cyber-attack. Plus: PORT 3389! Dig it…
About John Wood
John Wood is Technical Director for BlackBerry’s (previously Cylance) Incident Response practice. He leads teams of Incident Responders in large-scale and small-scale breaches across a variety of industries. John is responsible for evaluating and improving the tools and methodologies used by the practice and ensuring quality control across all engagements. Prior to joining Cylance, John retired as an FBI Special Agent after 23 years. During his time in the FBI, John served in six field offices where he was a computer forensic examiner and cybercrime investigator. He was involved in several high-profile cases, including being the lead forensic examiner on the Edward Snowden espionage case, the Ardit Ferizi terrorism case, the “Russian voter hacking”, and several Advanced Persistent Threat (APT) cases. He was also a SWAT operator, a bomb tech, a firearms instructor, and has also testified as an expert witness in the United States Southern District of Texas, the Eastern District of Missouri, the Eastern District of Virginia, and the Northern District of Florida.
About Ryan Chapman
Ryan Chapman (@rj_chap) is Principal Forensics Consultant at BlackBerry. An Information Security professional with over 18 years of experience in the IT realm, Ryan sees the security industry as an ever-evolving creature where nothing is stale and there is always something new to learn. He has worked in SOC and CIRT roles that handled incidents from inception all the way through remediation. Reviewing log traffic; researching domains and IPs; hunting through log aggregation utilities; sifting through PCAPs; analyzing malware; and performing host and network forensics are all among his passions.
One of Ryan’s primary interests is the exciting world of reverse engineering. Malware has become pervasive, so he relishes the ability to dissect, understand, and protect against evolving threats. He is always on the lookout for the new tricks that malware authors use to circumvent security appliances. Ryan has presented at DefCon, SANS Summits, BSides Las Vegas and San Francisco, CactusCon, Splunk.conf and Splunk Live!
About Matt Stephenson
InSecurity Podcast host Matt Stephenson (@packmatt73) leads the Broadcast Media team at BlackBerry, which puts me in front of crowds, cameras, and microphones all over the world. I am the regular host of the InSecurity podcast and video series at events around the globe. I have spent the last 10 years in the world of Data Protection and Cybersecurity. Since 2016, I have been with Cylance (now BlackBerry) extolling the virtues of Artificial Intelligence and Machine Learning and how, when applied to network security, they can wrong-foot the bad guys. Prior to the COVID shutdown, I was on the road over 100 days a year doing live malware demonstrations for audiences from San Diego to DC to London to Abu Dhabi to Singapore to Sydney. One of the funniest things I've ever been a part of was blowing up a live instance of NotPetya 6 hours after the news broke... in Washington DC... directly across the street from FBI HQ... as soon as we activated it a parade of police cars with sirens blaring roared past the building we were in. I'm pretty sure they weren't there for us, but you never know... Every week on the InSecurity Podcast, I get to interview interesting people doing interesting things all over the world of cybersecurity and the extended world of hacking. Sometimes, that means hacking elections or the coffee supply chain... other times that means social manipulation or the sovereign wealth fund of a national economy.
InSecurity is about talking with the people who build, manage or wreck the systems that we have put in place to make the world go round... Can’t get enough of Insecurity? You can find us at Spotify, Apple Podcasts and ThreatVector as well as GooglePlay, Gaana, Himalaya, I Heart Radio and wherever you get your podcasts! Make sure you Subscribe, Rate and Review!
In this episode of the Cybrary Podcast we sit down with Cindy Jones, the Sr. Product Security Specialist at Thermo Fisher and the President of BSides Las Vegas. Cindy explains how she got started with BSides and how the conferences come together.
This is your Shared Security Weekly Blaze for August 12th 2019 with your host, Tom Eston. In this week’s episode: My summary of last week’s BSides Las Vegas security conference, how a single text message to your iPhone could get you hacked, and how Stingray surveillance devices can still be used on new 5G networks. […] The post BSides Las Vegas, iMessage Exploit, 5G and Stingray Surveillance appeared first on The Shared Security Show.
Cheryl Biswas: Diversifying Cybersecurity

You better watch out
Oh, what you wish for
It better be worth it
So much to die for
Hey, so glad you could make it
Yeah, now you've really made it
Hey, there's only us left now
--Hole – 1997, Celebrity Skin

What if I told you that… compared to men, higher percentages of women cybersecurity professionals are reaching some of the most sought-after positions in security. Among the security workforce, the population of women in key spots is surging…
Chief Technology Officer: 7% of women vs 2% of men
Vice President of IT: 9% vs 5%
IT Director: 18% vs 14%
C-level / Executive: 28% vs 19%
Women in cybersecurity are generally more educated and younger than their male colleagues. 44% of men in cybersecurity hold a post-graduate degree compared to 52% of women. Also, nearly half of women cybersecurity professionals surveyed are millennials – 45% compared to 33% of men. By contrast, Generation X men make up a bigger percentage of the workforce (44%) than women (25%). Now… what if I told you that the gender pay gap hasn't moved at all. Women still make less than men. According to the 2018 (ISC)2 report, women make $5,000 less than men in security management positions. It is this environment that spurred a group of women to create The Diana Initiative. In this week’s episode of InSecurity, Matt Stephenson chats with Cheryl Biswas on why the time was right to co-create The Diana Initiative. Now, 4 years later, Diana has a new home and is a key part of that stretch of August where the cybersecurity world convenes in Las Vegas to figure out how to save the world. Their mission is to encourage diversity and support women who want to pursue careers in information security, promote diverse and supportive workplaces, and help change workplace cultures.

About The Diana Initiative
It was the summer of 2015. Hackers from around the world had gathered in Las Vegas, NV for DEF CON 23. In the cafeteria tucked away in the basement of Bally’s and Paris, 9 women found themselves chatting and laughing about their experiences in the field of Information Security. They were all passionate about their challenging roles in the male-dominated field and began exchanging strategies for success in their challenging environments. It was then and there that they accepted their new mission: to create a conference for all those who identify as women/non-binary, and to help them meet the challenges that come with being a woman in Information Security with resilience, strength and determination. The first event in 2016 began with a morning speaking track and an afternoon of lockpicking and badge soldering in a small suite at Bally’s, bringing attendees together in a collaborative, comfortable setting. Interest and attendance showed that demand for a woman-focused InfoSec conference existed. In 2017, The Diana Initiative was formed and the conference expanded to cover almost 2 days – with speakers on the evening of the first day, as well as the entire second day. There was also a hands-on opportunity for learning about lockpicking, a Career village, and fun contests. During the summer of 2018, The Diana Initiative conference soared in popularity. But with this incredible growth and popularity, the space still couldn’t meet the demand, as attendees were continuously turned away due to over capacity of all the suites. For more information, make sure to follow them at @DianaInitiative and keep up with them on LinkedIn and Facebook.

About Cheryl Biswas
Cheryl Biswas’s (@3ncr1pt3d) fascination with computers started with those blinking machines on the original Star Trek, and the realization that, if she could learn to work those things, then she could boldly go – anywhere! But Cheryl didn’t learn math like everyone else and found herself struggling. She mistakenly believed a few key people who convinced her that she couldn’t learn computers, so she didn’t take programming or comp sci. They were wrong, though. Curiosity and passion led Cheryl to technology through the back door and she taught herself computers. Currently, Cheryl is a Threat Intel analyst on a cybersecurity team, researching, analysing, and communicating her discoveries to the team and to clients to keep them safe. GRC, privacy, APTs, best practices, evolving threats – the learning never stops. Cheryl is an active writer and speaker about threats to less-known but critical systems like ICS SCADA and Mainframes, Shadow IT and Big Data. You may have seen her present at some of the most important security conferences including BSides Las Vegas and Toronto, DEFCON, ShmooCon and SecTor.

About Matt Stephenson
Insecurity Podcast host Matt Stephenson (@packmatt73) leads the Security Technology team at Cylance, which puts him in front of crowds, cameras, and microphones all over the world. He is the regular host of the InSecurity podcast and host of CylanceTV. Twenty years of work with the world’s largest security, storage, and recovery companies has introduced Matt to some of the most fascinating people in the industry. He wants to get those stories told so that others can learn from what has come
Every week on the InSecurity Podcast, Matt interviews leading authorities in the security industry to gain an expert perspective on topics including risk management, security control friction, compliance issues, and building a culture of security. Each episode provides relevant insights for security practitioners and business leaders working to improve their organization’s security posture and bottom line. Can’t get enough of Insecurity? You can find us at ThreatVector InSecurity Podcasts, iTunes/Apple Podcasts and GooglePlay as well as Spotify, Stitcher, SoundCloud, I Heart Radio and wherever you get your podcasts! Make sure you Subscribe, Rate and Review!
This week’s Technado featured two great interviews. First, Justin and Peter talk to Matt Carroll from Google’s Flutter team about the innovative app-development platform. Then, Don joins to interview an old friend, ThreatQuotient’s Jonathan Couch, to hear what they’ve been up to since we last spoke at BSides Las Vegas. And, as always, the three look at the top tech news from the week.
Speaker Bio
Rob Carson, founder of Semper Sec. Rob knows how to simplify the problem and deliver solutions. His client base includes:
Fortune 200 Companies
US Government Contractors
State and Local Governments
Fuel Retailers
Software and hardware manufacturers
His distinguished career includes service as a Marine Corps Infantry Officer, as well as leading roles in IT and Security. Before devoting his work full-time to facilitating his clients' success, he built highly successful information security programs for ISO 27001:2005/2013, PCI, HIPAA, NIST 800-171 and GDPR. He also volunteers his time as the Chief Security Officer for BSides Las Vegas, a non-profit educational organization designed to advance the body of Information Security.
Episode Highlights
Matt reveals how much he made when he got out of the Marines
Matt hilariously talks about the nuances he had to deal with when going to the private sector:
Not saying "Sir" and "Madam"
Figuring out what to wear
How being early is too early
Quotes
"I wasn't getting shot at... I was working in climate control, you know, so people be all stressed out and I was like 'Well no one's going to die'."
"I like to call myself a lessons learned enthusiast."
"The hardest job you'll ever get in infosec is that first step in."
"A first sergeant told me your hobbies should reflect part of your career."
"You can be outside the box, but you need to stay inside the room."
Links
Sempersec: https://sempersec.com/
Rob Carson's LinkedIn Profile: https://www.linkedin.com/in/robcarson1/
Rendition Infosec (https://www.renditioninfosec.com/). Jake started his information security career doing classified work with the U.S. government and was awarded the National Security Agency (NSA) Exceptional Civilian Service Award, which is given to fewer than 20 people annually. He's been involved in high-profile public sector cases including the malware analysis for the 2015 cyber attack on the Ukraine power grid. He's also tackled a variety of cases in the private sector. Jake is a certified SANS instructor and co-author of FOR578: Cyber Threat Intelligence (https://www.sans.org/course/cyber-threat-intelligence) and teaches a variety of other classes for SANS (SEC503, SEC504, SEC660, SEC760, FOR508, FOR526, FOR578, FOR610). Given his accomplishments, it should come as no surprise that Jake lives, sleeps, and breathes Infosec. He's a regular speaker at industry conferences including DC3, BSides (including BSides Las Vegas), DEFCON, Blackhat, Shmoocon, EnFuse, ISSA Summits, ISACA Summits, SANS Summits, and Distributech. He has also presented security topics to a number of Fortune 100 executives. Jake is also a two-time victor at the annual DC3 Digital Forensics Challenge. In this episode we discuss his passion for cyber security, changes in the industry, threat hunting vs. incident response, development of soft skills, AI and machine learning, holding back vulnerability disclosure, and so much more.
Where you can find Jake:
LinkedIn (https://www.linkedin.com/in/jacob-williams-77938a16/)
Twitter (https://twitter.com/MalwareJake)
Rendition InfoSec (https://www.renditioninfosec.com/)
SANS (https://www.sans.org/instructors/jake-williams)
On this episode of the podcast we continue a conversation we started with Haben Girma, an advocate for equal rights for people with disabilities, regarding the value of tech accessibility. Melanie and Mark talk with her about common challenges and best practices when considering accessibility in technology design and development. Bottom line - we need one solution that works for all.
Haben Girma
The first Deafblind person to graduate from Harvard Law School, Haben Girma advocates for equal opportunities for people with disabilities. President Obama named her a White House Champion of Change, and Forbes recognized her in Forbes 30 Under 30. Haben travels the world consulting and public speaking, teaching clients the benefits of fully accessible products and services. Haben is a talented storyteller who helps people frame difference as an asset. She resisted society’s low expectations, choosing to create her own pioneering story. Because of her disability rights advocacy she has been honored by President Obama, President Clinton, and many others. Haben is also writing a memoir that will be published by Grand Central Publishing in 2019. Learn more at habengirma.com.
Cool things of the week
Istio reaches 1.0: ready for prod (blog)
Google for Nigeria: Making the internet more useful for more people (blog)
GCPPodcast Episode 17: The Cloud In Africa with Hiren Patel and Dale Humby (podcast)
Access Google Cloud services, right from IntelliJ IDEA (blog)
Interview
Haben Girma’s website (site)
Haben Girma’s presentation at NEXT (video)
GCPPodcast Episode 100: Vint Cerf: past, present, and future of the internet (podcast)
Web Content Accessibility Guidelines (WCAG) (site)
Android Accessibility Guidelines (site)
Apple Developer Accessibility Guidelines (site)
Black in AI (site)
Google Accessibility (site)
San Francisco Lighthouse for the Blind (site)
National Federation of the Blind (site)
National Association of the Deaf (site)
Question of the week
How do I perform large scale mutations in BigQuery? (blog and site)
Where can you find us next?
Mark will be at Pax Dev and Pax West starting August 28th. In September, he’ll be at Tokyo NEXT. Melanie is at Def Con, Black Hat, and BSides Las Vegas. In September, she will be at Deep Learning Indaba.
Let’s talk container security! This week, Melanie and Mark learn all about the three main pillars of container security and more with our guest, Maya Kaczorowski.
Maya Kaczorowski
Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Prior to Google, she was an Engagement Manager at McKinsey & Company, working in IT security for large enterprises and before that, completed her Master’s in mathematics focusing on cryptography and game theory. She is bilingual in English and French.
Cool things of the week
What a week! 105 announcements from Google Cloud Next ‘18 (blog)
Keynotes, Keynote Fireside Chats, & Spotlight Sessions: Google Cloud Next ‘18 (videos)
All Sessions: Google Cloud Next ‘18 (videos)
Sign up for NEXT ‘19 updates (site)
GKE On-Prem (site)
Edge TPU (site)
Interview
Def Con (site)
Black Hat (site)
BSides Las Vegas (site)
Cloud KMS (site)
Kubernetes (site)
GCPPodcast Episode 46: Borg and Kubernetes with John Wilkes (podcast)
Large-scale cluster management at Google with Borg (research)
Open-sourcing gVisor, a sandboxed container runtime (blog)
Kata Containers (site)
Nabla Containers (site)
Google Container Registry (site)
GKE security overview (doc)
KubeCon (site)
Container security blog series (blog)
GKE hardening guide (doc)
Seccompsandbox (wiki)
Docker seccomp profile (site)
Using RBAC in Kubernetes (blog)
Terraform (site)
Helm (site)
Google Container Registry: Getting Image Vulnerabilities (doc)
Container security overview (site)
GCPPodcast Episode 110: CPU Vulnerability Security with Matt Linton and Paul Turner (podcast)
Question of the week
How do I set up SSL termination on Kubernetes with Let’s Encrypt?
GitHub: Tutorial for installing cert-manager to get HTTPS certificates from Let’s Encrypt (site)
Ahmet Alp Balkan, DPE on Google Cloud
Where can you find us next?
Mark will be at Pax Dev and Pax West starting August 28th.
Melanie will be at the 2018 Nuclear Innovation Bootcamp at Berkeley on August 6th.
On this episode of the podcast, Melanie and Mark talk with Emiliano (Emi) Martínez to learn more about how VirusTotal is helping to create a safer internet by providing tools and building a community for security researchers.
Emiliano (Emi) Martínez
Emiliano has been with VirusTotal for over 10 years. He has seen the business grow from a small startup in southern Spain into a Google X moonshot under the new Chronicle bet. He is a software engineer acting as the Tech Lead for VirusTotal. Throughout the past 10 years, not only has he been immersed in coding and architecting the platform, but he has also participated at all levels of the business: from bootstrapping the very first sales to working closely with marketing and other teams in order to take the project to the next level. His main interests are IT security (more specifically malware) and designing products and services from scratch.
VirusTotal and Chronicle are Hiring
VirusTotal is part of Chronicle, and Chronicle is hiring! Come join our team of experts to help build out the next generation of security intelligence solutions. We are looking for talent that is comfortable operating in an organization that is scaling quickly, that loves variety in their work and wants to get their hands dirty with all things cyber security, cloud computing, and machine learning. We are a dynamic organization that likes to run experiments so we are looking for colleagues that are excited about trying new things and offering a creative yet efficient, and client-centric approach to engineering solutions. You are scrappy and resourceful, creative and driven – and excited to share in the magic of working at Chronicle.
Cool things of the week
BigQuery in June: a new data type, new data import formats, and finer cost controls (blog)
Dataflow Stream Processing now supports Python (blog)
Associate Cloud Engineer (blog)
Six AI & ML Sessions to Attend at NEXT (blog)
Interview
VirusTotal (site)
VirusTotal Use Cases (site and videos)
VirusTotal Intelligence (site)
VirusTotal Malware Hunting (site)
VirusTotal Monitor (site)
VirusTotal APIs (site)
VirusTotal Community (site)
VirusTotal Contact (site)
Data Connectors San Jose on July 12, 2018 (site)
Data Connectors Raleigh on July 26, 2018 (site)
BSides Las Vegas on August 7-8, 2018 (site)
If you are interested in a 1:1 meeting with VirusTotal, please email info@virustotal.com
Google Cloud App Engine (site)
Google Compute Engine (site)
Google Cloud Kubernetes Engine (site)
BigQuery (site)
Google Cloud Data Studio (site)
Google Cloud MemoryStore (site)
Google Cloud SQL (site)
G Suite (site)
Question of the week
This week’s question comes from Andrew Sheridan, with a special guest answer from Robert Kubis. What is the best practice for multi-tenancy in Google Cloud Spanner, especially if customers are not of the same size and have unequal load?
What DBAs need to know about Cloud Spanner, part 1: Keys and indexes (blog)
Cloud Spanner - Choosing the Right Primary Keys (video)
More questions about Spanner? Robert will be presenting on it at Cloud NEXT.
Where can you find us next?
We’ll both be at Cloud NEXT! Melanie will speak at CERN July 17th and PyCon Russia July 22nd.
Chantal and Kenneth talk to Grant Ongers and Mike Davis about infosec and the local BSides conference in Cape Town. Grant and Mike are part of the organizing team behind BSides in Cape Town, and both love working in the infosec space. BSides here is based on, and supported by, the BSides conference in Las Vegas. BSides originated as a community event in Las Vegas and has been running for many years. It happens close to the popular Defcon conference. BSides CT is looking to be a great event, with some amazing hardware badges on offer and the opportunity for attendees to contribute to their Rite of Passage program and help a young budding infosec person visit Defcon & BSides LV. We also scratch the surface of infosec and what it means for developers in our day-to-day work. We learned a lot, and this is only the beginning!
Find and follow BSides Cape Town, Grant & Mike online:
* http://www.bsidescapetown.co.za/
* https://twitter.com/BSidesCapeTown
* https://twitter.com/rewtd
* https://twitter.com/elasticninja
Here are some resources mentioned in the show:
* Defcon - https://defcon.org
* BSides Las Vegas - https://www.bsideslv.org
* 2016 BSides CT badges - https://hackaday.com/2017/05/22/zombie-badges-take-over-security-con/
* More on the badges - https://andrewmohawk.com/2017/05/16/bsides-cpt-badge-2016/
* Badges on GitHub - https://github.com/AndrewMohawk/BSidesBadge2016
* YubiKey - https://www.yubico.com/
* Universal 2nd Factor (U2F) - https://en.wikipedia.org/wiki/Universal_2nd_Factor
* 0xC0FFEE - https://twitter.com/0xC0FFEE_CPT
* 0xC0FFEE Meetup - https://www.meetup.com/0xC0FFEE-Cape-Town-Hacker-Meetup
Thanks for listening! Stay in touch:
* Website & newsletter - https://zadevchat.io
* Socialize - https://twitter.com/zadevchat & http://facebook.com/ZADevChat/
* Suggestions and feedback - https://github.com/zadevchat/ping
* Subscribe and rate in iTunes - http://bit.ly/zadevchat-itunes
Chris (@cmaddalena), Kyle (@chaoticflaws), and Daniel (@notdanielebbutt) join me at DEFCON to discuss various topics ranging from conferences like DEFCON, Blackhat, and BSides Las Vegas to bird feeders. We read a couple of passages from the POC||GTFO bible available from No Starch Press.
John Shier hosts the Chet Chat this week with special guest Ben Verschaeren from Sophos Australia. John and Ben share their insights on this year's BSides Las Vegas, Black Hat and DEF CON conferences. Topics covered include IoT hacking, information sharing, machine learning, responsible disclosure and more.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3
Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics. We asked Ms. Miller to join us here to discuss what ML and AI are, and how algorithms work to analyze the data to come to the right conclusion. What is required to get a useful algorithm, and how much or little human interaction is required? We also discuss a bit of history with her, how IDS/IPS were just dumber versions of machine learning, with 'tweaks' being new Yara or snort rules to tell the machine what to allow/disallow. Finally, for people who are doing our 2017 DerbyCon CTF, instructions on how to win are in the show, so please take a listen.
RSS: http://www.brakeingsecurity.com/rss
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
#iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
Show notes
What is the amount of data required to properly train the algorithms?
How do you ensure that the training data is clean (or perhaps how do you determine what causes a false positive or negative)?
Xoke Soru: "why are you trying to make skynet and kill us all? Do you hate humanity?"
Who will ML replace? Who in security?
Ask why people get confused between AI and Machine learning, and where the fine line is between the two, or is one actually a subset of the other.
Basically.. "in what way/how do you see ML being used in an offensive capacity in the future (or now)"
https://en.wikipedia.org/wiki/Artificial_neural_network
https://en.wikipedia.org/wiki/Machine_learning
https://en.wikipedia.org/wiki/Portal:Machine_learning
https://www.slideshare.net/allyslideshare/something-wicked-78511887
https://www.slideshare.net/allyslideshare/201209-a-million-mousetraps-using-big-data-and-little-loops-to-build-better-defenses
https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/61751
O’Reilly Conference 31 October
Mick Douglas class
Derbycon CTF
Book club
Patreon slack
Chet and John record live from DEF CON and summarize all the great content they experienced at this year's Black Hat, DEF CON and BSides Las Vegas hacking conferences. Topics covered this week include Bluetooth man in the middle attacks, password standards, testing binaries for the likelihood of vulnerabilities, using DNS as a botnet detection scheme, hooking the kernel gone wrong and the overall state of hacking conferences in 2016.
SegInfocast #40 – Download it here. (42:56 min, 36 MB) In this new edition of SegInfocast, we present the audio of Webinar #31, whose topic was Windows event management using the Elastic stack. The webinar was presented by Rodrigo Montoro, instructor at Clavis Segurança da Informação. What is the goal of this new Clavis Segurança da Informação webinar? A Windows system has thousands of events, divided into 9 categories and more than 50 subcategories. The events record various actions, such as login/logoff, command execution, file/registry modifications and packet filtering, among others. By default, Windows stores these events for only a short period of time (depending on the configuration), which makes complex monitoring and forensic work difficult. In our day-to-day work, we use the Elastic stack and Python scripts to optimize data aggregation and alert creation. This process generates relevant intelligence for use in historical analysis and telemetry of thousands of daily events, helping us to act proactively in the event of an attack. In this podcast, Rodrigo Montoro also explained how to configure your Windows audit policy and the Elastic stack to process and archive all the information, sharing some ideas for data analysis.
About the instructor
Rodrigo Montoro is LPI, RHCE and SnortCP certified, with 15 years of experience in Open Source. He currently works as a researcher at Clavis and is a partner at Green Hat Segurança da Informação. He previously worked at Sucuri Security and Spiderlabs. He has spoken at numerous events in Brazil (FISL, CONISLI, Latinoware, H2HC, BSides), the USA (Source Boston / Seattle, Toorcon, Bsides Las Vegas) and Canada (SecTor). He holds 2 patents in malware detection (PDF and HTTP headers), the results of his research. Founder and evangelist of the Snort community in Brazil since 2003. In his spare time he does triathlon and trail running.
Paulo Sant’anna meets again with Information Security specialist Rodrigo Montoro (@spookerlabs), from the Research, Development and Innovation area at Clavis, for a conversation about Octopus. What were the motivations for creating Octopus? Rodrigo notes that a common situation in many companies is a limited budget for purchasing security solutions, which come at very high prices. Alongside tight budgets, SIEM products were often sold as “magic boxes” that you would plug into your network to get reports alerting you to your security problems, fraud and malicious activity, leading to projects in which millions were invested without the expected results. And finally, we always have to remember that it is knowledge and experience that bring results, not the product itself. Is it just another traditional SIEM product on the market? Octopus is not a traditional off-the-shelf product, but a solution that aims to deliver intelligence in event correlation and threat analysis. The company acquires Clavis's expertise. The solution uses several open-source tools, such as ELK, the topic of SegInfocast #25, which makes it possible even for an enthusiast to build their own Octopus if they wish. What are the features? Octopus is a fully scalable and customizable service. It can also extract information from various sources for event correlation without additional charges for connectors. And the benefits? It is a continuous (24×7) service that benefits from active protection against new threats through the combination of diverse sources, and it gives clients visibility into their environment through dashboards. If you want to know more details about the solution, visit the Clavis website! Rodrigo “Sp0oKeR” Montoro is LPI, RHCE and SnortCP certified, with 15 years of experience in Open Source. He currently works as a researcher at Clavis. He previously worked at Sucuri Security and Spiderlabs.
He has spoken at numerous events in Brazil (FISL, CONISLI, Latinoware, H2HC, BSides), the USA (Source Boston / Seattle, Toorcon, Bsides Las Vegas) and Canada (SecTor). He holds 2 patents in malware detection (PDF and HTTP headers), the results of his research. Founder and evangelist of the Snort community in Brazil since 2003. In his spare time he does triathlon and trail running.
My first interaction with Tazz (@GRC_Ninja) was at CircleCityCon. I quickly became aware that if I got out of line at the conference Tazz was very likely to be the one to put me in my place. I also ran into her at DerbyCon where she kept people in line while waiting for talks to start. She also happens to be a speaker and this past year presented "ZOMG Its OSINT Heaven" at BSides Las Vegas, which is how I became aware that Tazz knew her stuff when it came to OSINT. She also writes about OSINT on her blog osint.fail. All of these interactions prompted me to have her on for a discussion on what OSINT is.
Paulo Sant’anna welcomes Information Security specialist Rodrigo Montoro (@spookerlabs), from the Research, Development and Innovation area at Clavis, for a chat about log analysis.
Problems in the Brazilian market related to log analysis
The Clavis professional talks about the difficulties found in the current market, such as the high dollar exchange rate, limited budgets and a lack of knowledge about the subject (logs).
Important advice for IT specialists or business managers
Montoro (known as “Sp0oKeR”) offers highly relevant tips for those who want to grow their business, with leaner spending and better efficiency in the face of poor use of the tools available on the market today.
A must for students
Drawing on his vast experience, he also comments on “open source” tools, which are often not taken advantage of because professionals lack knowledge of them.
Using the ELK stack
In this podcast we also talk about log analysis using the ELK stack (Elasticsearch, Logstash, Kibana), with tips on how to choose data sources and how ELK works.
Rodrigo “Sp0oKeR” Montoro is LPI, RHCE and SnortCP certified, with 15 years of experience in Open Source. He currently works as a researcher at Clavis. He previously worked at Sucuri Security and Spiderlabs. He has spoken at numerous events in Brazil (FISL, CONISLI, Latinoware, H2HC, BSides), the USA (Source Boston / Seattle, Toorcon, Bsides Las Vegas) and Canada (SecTor). He holds 2 patents in malware detection (PDF and HTTP headers), the results of his research. Founder and evangelist of the Snort community in Brazil since 2003. In his spare time he does triathlon and trail running.
Extra special treat this week! We do a continuation of our review of the Top 20 Security Controls, in which we do #14 and #15, which all of you will find very interesting. But the real reason we are posting this today is the Call for Papers and Call for Mentors for the Bsides Las Vegas Proving Grounds! We invited Magen Wu (@tottenkoph) on to discuss.

If you've ever asked yourself "I'd like to give a talk, but they'd never put me on" NOW IS YOUR CHANCE! :) This is a great opportunity if you're a veteran speaker, or just want to give back to the community at large... You can mentor a n00b to help them create a topic, help them hone their paper, and be with them when they give the talk at Bsides Las Vegas in July. Many thanks to @tottenkoph and @securitymoey. They need your help, both as a mentor and a mentee. This is also an excellent networking opportunity. You get 1-on-1 access to an often influential mentor, someone in the infosec community, and your talk will be seen by several hundred people. hmmm.... maybe I should put one in :D

-----
SANS #14-10: Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking / flow control.
------

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com). Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
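The control text above asks for two things: detect and alert when events are lost, and use flow control so a burst does not silently overflow the collector. The following is an added example written for this page, not code from the show or from SANS. It assumes each source stamps events with the RFC 5424 `[meta sequenceId="N"]` structured-data element (a real, registered SD-ID; the sample log lines, host names and capacity figures are constructed) and models a collector with a fixed-size queue. A per-source sequence gap is the loss detector; the "flow control" flag switches the sender between fire-and-forget and hold-and-retry, so the same burst can be replayed both ways.

```python
"""CSC 14-10 in miniature: detect log-event loss with per-source sequence numbers,
and show why flow control (sender holds events until the collector has room)
prevents loss at peak volume.  Sample data is constructed for this example."""
import re
from collections import deque

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP PROCID MSGID [SD] MSG
HOST_RE = re.compile(r'^<\d+>1 \S+ (\S+) ')
SEQ_RE = re.compile(r'\[meta sequenceId="(\d+)"\]')


def make_line(host, seq):
    """Constructed RFC 5424 line carrying the registered 'meta sequenceId' SD-ID."""
    return (f'<34>1 2024-01-01T00:00:{seq:02d}Z {host} sshd 101 - '
            f'[meta sequenceId="{seq}"] Accepted publickey for ops from 10.0.0.{seq}')


def parse(line):
    """Return (host, sequence) or None when the line carries no sequence id."""
    h, s = HOST_RE.match(line), SEQ_RE.search(line)
    return (h.group(1), int(s.group(1))) if h and s else None


class GapDetector:
    """Tracks the last sequence number seen per source and records gaps."""

    def __init__(self):
        self.last = {}   # host -> highest sequenceId observed
        self.gaps = []   # (host, first_missing, next_seen)

    def observe(self, host, seq):
        prev = self.last.get(host)
        if prev is not None and seq > prev + 1:
            self.gaps.append((host, prev + 1, seq))  # prev+1 .. seq-1 never arrived
        # seq <= prev would be a duplicate or reordering, not loss; keep the max
        self.last[host] = seq if prev is None else max(prev, seq)


def lost_events(gaps):
    return sum(nxt - first for _, first, nxt in gaps)


def loss_alerts(detector):
    """The 'detects and alerts' half of the control, one alert per gap."""
    return [f"event loss: {h} missing sequenceId {a}..{b - 1}" for h, a, b in detector.gaps]


class BoundedCollector:
    """A collector that can buffer `capacity` events; refuses (returns False) when full."""

    def __init__(self, capacity):
        self.queue, self.capacity = deque(), capacity

    def ingest(self, line):
        if len(self.queue) >= self.capacity:
            return False
        self.queue.append(line)
        return True

    def drain(self, n):
        return [self.queue.popleft() for _ in range(min(n, len(self.queue)))]


def deliver(burst, trickle, capacity, flow_control):
    """Push `burst` at the collector all at once (peak), then drain and send `trickle`.
    Without flow control a refused event is simply gone; with it the sender holds
    the event and re-offers it once the collector has drained."""
    collector, detector, held, delivered = BoundedCollector(capacity), GapDetector(), [], []

    def drain_one():
        for out in collector.drain(1):
            delivered.append(out)
            parsed = parse(out)
            if parsed:
                detector.observe(*parsed)

    for line in burst:
        if not collector.ingest(line) and flow_control:
            held.append(line)      # backpressure: sender keeps it instead of dropping it
    while collector.queue or held:
        drain_one()
        if held and collector.ingest(held[0]):
            held.pop(0)
    for line in trickle:           # post-peak traffic: this is what exposes a gap
        collector.ingest(line)
        drain_one()
    return detector, delivered


# Constructed burst: two hosts, six events each, interleaved; then one event each.
BURST = [make_line(h, s) for s in range(1, 7) for h in ("host-a", "host-b")]
TRICKLE = [make_line("host-a", 7), make_line("host-b", 7)]

if __name__ == "__main__":
    for fc in (False, True):
        det, out = deliver(BURST, TRICKLE, capacity=6, flow_control=fc)
        print(f"flow_control={fc}: delivered={len(out)} lost={lost_events(det.gaps)}")
        for alert in loss_alerts(det):
            print("  ", alert)
```

Two practical points the run makes visible: the gap is only detected when a later event from the same source arrives, so a source that goes silent after losing its tail needs a heartbeat or an expected-rate check in addition to sequence tracking; and the collector's refusal only becomes loss when the transport cannot push back, which is exactly the case with UDP syslog and the reason the control calls for handshaking.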
In this episode:
- what is the promise of automation, and where did we go wrong (or right?)
- the problems with 'volume' (of logging) and the loss of expressiveness
- a dive into 'exploratory based monitoring'
- how does log-based data analysis scale?
- baselines, and why 'anomaly detection' has failed us
- does machine learning solve the 'hands on keyboard' (continuous tuning) problem with SIEM?
- does today's 'threat intelligence' provide value, and is it really useful?
- decrying the tools - and blaming the victims
- what is machine learning good at, and what won't it be great at?
- log everything!

Guest: Alex Pinto (@alexcpsec) - Alex has almost 15 years dedicated to Information Security solutions architecture, strategic advisory and security monitoring. He has been a speaker at major conferences such as BlackHat USA, DefCon, BSides Las Vegas and BayThreat. He has been researching and exploring the applications of machine learning and predictive analytics to information security data sources, such as logs and threat intelligence feeds. He launched MLSec Project (https://www.mlsecproject.org) in 2013 to develop and provide practical implementations of machine learning algorithms to support the information security monitoring practice. The goal is to use algorithmic automation to fight the challenges that we currently face in trying to make sense of day-to-day usage of SIEM solutions.
