POPULARITY
Dreaming of becoming a penetration tester? Here's how to turn that dream into a job!Want to become a Penetration Tester but not sure where to start? This Podcast is your complete guide to launching a career in ethical hacking and offensive cybersecurity. Get insider tips on the skills you need, certifications to pursue (like CEH, OSCP, and more), and what hiring managers look for in penetration testers.Our experts share their real-world experiences, challenges, and proven strategies to help you break into the field with confidence. Whether you're a beginner or switching from another IT role, this roadmap is tailored just for you!
In this conversation, Mike Lisi shares his journey into the cybersecurity field, detailing his early interest in computers, the challenges he faced while obtaining his OSCP certification, and his transition into consulting. He discusses the importance of understanding client needs incybersecurity assessments and his leadership role in the Red Team Village. Mike also elaborates on the NCAE Cyber Games and the design of Capture The Flag (CTF) challenges, providing insights into effective content development for cybersecurity education. The conversation concludes with Mike sharing unique experiences from cybersecurity events and his thoughts on future engagements.TIMESTAMPS:00:00 - Introduction to Cybersecurity Journey03:23 - The Path to OSCP Certification06:13 - Transitioning to Consulting in Cybersecurity09:14 - Understanding Client Needs in Cybersecurity11:56 - Leadership in Red Team Village14:32 - NCAE Cyber Games and CTF Design17:26 - Creating Effective CTF Challenges20:04 Resources for Aspiring CTF Participants22:57 Content Development for Cybersecurity Education25:49 Unique Experiences in Cybersecurity Events28:25 Closing Thoughts and Future Engagements SYMLINKS:[Maltek Solutions Website] - https://malteksolutions.com/A cybersecurity consulting firm specializing in offensive security services, penetration testing, and risk assessments, founded by Mike Lisi.[Mike Lisi LinkedIn] - https://www.linkedin.com/in/mikelisi/Mike Lisi's official LinkedIn profile, where he shares insights on cybersecurity, offensive security consulting, and industry trends.[Red Team Village (RTV) Website] - https://redteamvillage.ioA nonprofit organization dedicated to providing educational experiences in offensive security. RTV organizes workshops, talks, and training opportunities, primarily at DEF CON and other cybersecurity conferences.[Red Team Village Discord] - https://discord.com/invite/redteamvillageThe official Red Team Village Discord server where members can connect, discuss offensive security topics, and stay updated on upcoming events and volunteer opportunities.[Red Team Village X (Twitter)]- https://twitter.com/redteamvillage_RTV's official social media account for announcements, event updates, and cybersecurity-related discussions.[MetaCTF Website] - https://metactf.comA platform offering cybersecurity competitions and Capture The Flag (CTF) events designed to help participants develop their cybersecurity skills through hands-on challenges.[CTF Time Website] - https://ctftime.orgA website that tracks cybersecurity Capture The Flag (CTF) competitions worldwide, providing schedules, rankings, and resources for both beginners and experienced competitors.[Hack The Box Website] - https://www.hackthebox.comA cybersecurity training platform offering hands-on, gamified hacking labs and challenges to develop penetration testing skills.[TryHackMe Website] - https://tryhackme.comAn interactive cybersecurity learning platform that provides guided tutorials and virtual labs for security professionals and beginners.CONNECT WITH US www.barcodesecurity.com Become a Sponsor Follow us on LinkedIn Tweet us at @BarCodeSecurity Email us at info@barcodesecurity.com
Are you passionate about ethical hacking and cybersecurity? Want to break into the exciting world of Red Teaming and Penetration Testing? In this episode of the InfosecTrain podcast, our experts guide you through everything you need to know to start and grow a career in these advanced cybersecurity domains.
Schande! Schande! Schande! Wir läuten die Schandglocke nachdem das Cyber Safety Review Board (CSRB) der CISA seinen Bericht zum Exchange Online Breach aus dem letzten Jahr veröffentlich hat. Des Weiteren sprechen wir über die SSH Backdoor in den XZ Utils, über die Nachwirkungen des Brandes bei OVH im Jahr 2021, warum OSCP tot ist und warum CES gerne mal in einen Timeout läuft. Viel Spaß mit der neuen Folge!
We are happy to welcome Dorota back to the podcast all the way from Poland! She shares with us what she has been up to since being episode 186. She has been working on her OSCP exam and shares her experience on that. She has had a very busy 2023 with being a Keynote Speaker, CEFCYS Cyber Woman Hope 2023 Award winner, and TCNM 40 under 40 in Cyber 2023. She speaks to the global need and recognition for qualified cybersecurity professionals. She talks to us about the AI classes she took at Accenture and the importance to learn how to use that tool and learn how adversaries will be using that so we can better protect ourselves. Connect with Dorota: https://www.linkedin.com/in/dorota-kozlowska/ Visit Accenture: https://www.accenture.com/us-en Visit Shortarms website: https://www.shortarmsolutions.com/ You can follow us at: Linked In: https://www.linkedin.com/company/shortarmsolutions YouTube: https://www.youtube.com/@shortarmsolutions Twitter/X: https://twitter.com/ShortArmSAS
We are happy to welcome Dorota back to the podcast all the way from Poland! She shares with us what she has been up to since being episode 186. She has been working on her OSCP exam and shares her experience on that. She has had a very busy 2023 with being a Keynote Speaker, CEFCYS Cyber Woman Hope 2023 Award winner, and TCNM 40 under 40 in Cyber 2023. She speaks to the global need and recognition for qualified cybersecurity professionals. She talks to us about the AI classes she took at Accenture and the importance to learn how to use that tool and learn how adversaries will be using that so we can better protect ourselves. Connect with Dorota: https://www.linkedin.com/in/dorota-kozlowska/ Visit Accenture: https://www.accenture.com/us-en Visit Shortarms website: https://www.shortarmsolutions.com/ You can follow us at: Linked In: https://www.linkedin.com/company/shortarmsolutions YouTube: https://www.youtube.com/@shortarmsolutions Twitter/X: https://twitter.com/ShortArmSAS
Have you ever wondered how one might stumble into a career in IT and security? Join us as we sit down with Duane and Patrick, two seasoned IT and security experts, who share their unconventional journey into the field. From a high school fascination with radio and electronics to leading classrooms at Microsoft, Duane's journey is as compelling as it is unexpected. Patrick's path is equally captivating, starting from a love for video games to becoming a seasoned cybersecurity instructor. The conversation doesn't stop at career paths. We dive deep into the gritty realities of cybersecurity, discussing the ever-present threat of breaches and the critical shortage of skilled professionals in the industry. We uncover the behind-the-scenes struggle with clients who overlook crucial precautions, and highlight the importance of addressing vulnerabilities rather than opting for quick-fix solutions. And of course, we couldn't leave out the influence and value of certifications like CISSP and OSCP. You're in for a treat as we venture into the intriguing parallels between martial arts and hacking, exploring tactics, strategies, and control. We discuss our personal hobbies, including hosting quantum computing podcasts and mentoring in robotics. Our guest Dwayne, a cryptography enthusiast, steals the spotlight with a tale of how his interest landed him on a no-fly list! As we wrap up, we navigate through the complex universe of quantum encryption and data security, and the implications of quantum resistance. From personal career journeys to future predictions in IT and security, this episode is a thrilling blend of technical discussions, personal stories, and a dash of humor. Tune in for an enlightening and engaging discussion.LinkedIn: https://www.linkedin.com/in/duanelaflotte/https://www.linkedin.com/in/patrick-hynds-968142/Company Site: Pulsar SecurityPodcast: Security This WeekSupport the showAffiliate Links:NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902 Follow the Podcast on Social Media!Instagram: https://www.instagram.com/secunfpodcast/Twitter: https://twitter.com/SecUnfPodcastPatreon: https://www.patreon.com/SecurityUnfilteredPodcastYouTube: https://www.youtube.com/@securityunfilteredpodcastTikTok: Not today China! Not today
US most breached country last quarter OpenAI blames DDoS attacks for ongoing ChatGPT outages Clop exploits SysAid vulnerability Thanks to today's episode sponsor, OffSec And now a word from our sponsor. OffSec (formerly Offensive Security), the cyber training company behind the well-known OSCP certification and Kali Linux distro, is hosting a virtual summit for CISOs and Cybersecurity leaders called Evolve on November 15th. During the event, you'll learn how to attract and assess top talent, how to craft positioning for budget conversations, why CISOs make great board members, and more. Hear from forward-thinking infosec leaders from companies like CISCO, Amazon, and Salesforce. Save your seat and equip yourself with actionable takeaways to help shape the future of your organization's security. Register now at offsec.com/evolve For the stories behind the headlines, head to CISOseries.com.
Link to blog post This week's Cyber Security Headlines – Week in Review is hosted by Sean Kelly with guest Howard Holton, CTO, GigaOm Thanks to today's episode sponsor, OffSec OffSec (formerly Offensive Security), the cyber training company behind the well-known OSCP certification and Kali Linux distro, is hosting a virtual summit for CISOs and Cybersecurity leaders called Evolve on November 15th. During the event, you'll learn how to attract and assess top talent, how to craft positioning for budget conversations, why CISOs make great board members, and more. Hear from forward-thinking infosec leaders from companies like CISCO, Amazon, and Salesforce. Save your seat and equip yourself with actionable takeaways to help shape the future of your organization's security. Register now at offsec.com/evolve All links and the video of this episode can be found on CISO Series.com
US launches “Shields Ready” campaign Microsoft and Meta announced AI imagery rules App Defense Alliance moves under the Linux Foundation Thanks to today's episode sponsor, OffSec And now a word from our sponsor. OffSec (formerly Offensive Security), the cyber training company behind the well-known OSCP certification and Kali Linux distro, is running a virtual summit for CISOs and Cybersecurity leaders called Evolve on November 15th. Attend Evolve and get insider insights from a former bank hacker. Discover strategies on stretching your security budget and get tips to attract the crème de la crème of talent. It's more than just an event – it's a masterclass helping you elevate your cybersecurity leadership game. Hear from forward-thinking cybersecurity leaders from companies like CISCO, Amazon, Salesforce and more. Register today and get the insights you need to help shape the future of your company's security. Sign up now at offsec.com/evolve
Singapore's Marina Bay Sands customer data stolen in cyberattack Atlassian bug escalated to 10.0 severity Fake Ledger Live app steals over $700,000 in crypto Thanks to today's episode sponsor, OffSec And now a word from our sponsor. OffSec (formerly Offensive Security), the cyber training company behind the well-known OSCP certification and Kali Linux distro, is hosting a virtual summit for CISOs and Cybersecurity leaders called Evolve on November 15th. During the event, you'll learn how to attract and assess top talent, how to craft positioning for budget conversations, why CISOs make great board members, and more. Hear from forward-thinking infosec leaders from companies like CISCO, Amazon, and Salesforce. Save your seat and equip yourself with actionable takeaways to help shape the future of your organization's security. Register now at offsec.com/evolve For the stories behind the headlines, visit CISOseries.com.
Android Dropper-as-a-Service Bypasses Google's Defenses Increase in zero-day exploits worries CISA Google Calendar as a C2 infrastructure Thanks to today's episode sponsor, OffSec And now a word from our sponsor. OffSec (formerly Offensive Security), the cyber training company behind the well-known OSCP certification and Kali Linux distro, is running a virtual summit for CISOs and Cybersecurity leaders called Evolve on November 15th. Attend Evolve and get insider insights from a former bank hacker. Discover strategies on stretching your security budget and get tips to attract the crème de la crème of talent. It's more than just an event – it's a masterclass helping you elevate your cybersecurity leadership game. Hear from forward-thinking cybersecurity leaders from companies like CISCO, Amazon, Salesforce and more. Register today and get the insights you need to help shape the future of your company's security. Sign up now at offsec.com/evolve For the stories behind the headlines, head to CISOseries.com.
Okta explains hack source and response timeline Looney Tunables now being exploited Lazarus Group uses KandyKorn against blockchain engineers Thanks to today's episode sponsor, OffSec And now a word from our sponsor. OffSec (formerly Offensive Security), the cyber training company behind the well-known OSCP certification and Kali Linux distro, is hosting a virtual summit for CISOs and Cybersecurity leaders called Evolve on November 15th. During the event, you'll learn how to attract and assess top talent, how to craft positioning for budget conversations, why CISOs make great board members, and more. Hear from forward-thinking infosec leaders from companies like CISCO, Amazon, and Salesforce. Save your seat and equip yourself with actionable takeaways to help shape the future of your organization's security. Register now at offsec.com/evolve For the stories behind the headlines, head to CISOseries.com.
Join me as I interview my coworker Matt! We discuss how he went from a Master Mechanic to a Master Hacker, and employed as a Principal Security Analyst and even passing his OSCP in 3.5hrs on his first try! We have a bonus surprise with Matt's fave hacking YouTuber John Hammond!!
We talk to an OSINT professional about what he learned when he applied his daytime skills to a moonlighting hobby. On YouTube, Gary Ruddell shares 3-minute tips, geolocates scenes from movies and shares the OSINT discipline he learned from the U.K. military with hobbyists and practitioners just starting out.Key takeawaysApplying the intelligence cycleExecutive protection with social mediaGeolocation clues from the shortest frameAbout Gary RuddellGary Ruddell is a Cyber Threat Intelligence professional operating at the front lines of cyberspace by day. He is a veteran of the Royal Navy and Army Intelligence, and a holder of the coveted OSCP certification. Gary is a coffee-loving photographer, YouTuber and all round content creator.Find GaryGary Ruddell's websiteYouTubeLinkedIn
On this episode of The Cybersecurity Defenders Podcast, we chat with John Hammond, Principal Security Researcher at Huntress, about security research.John Hammond is a cybersecurity researcher, educator and content creator. As part of the Threat Operations team at Huntress, John spends his days making hackers earn their access and helping tell the story. Previously, as a Department of Defense Cyber Training Academy instructor, he taught the Cyber Threat Emulation course, educating both civilian and military members on offensive Python, PowerShell, other scripting languages and the adversarial mindset. He has developed training material and information security challenges for events such as PicoCTF and competitions at DEFCON US. John speaks at security conferences such as BsidesNoVA, to students at colleges such as the US Naval Academy, and other online events including the SANS Holiday Hack Challenge/KringleCon. He is an online YouTube personality showcasing programming tutorials, CTF video walkthroughs and other cyber security content. John currently holds the following certifications: Security+, CEH, LFS, eJPT, eCPPT, PNPT, PCAP, OSWP, OSCP, OSCE, OSWE, OSEP, and OSED (OSCE(3)).The Cybersecurity Defenders Podcast: a show about cybersecurity and the people that defend the internet.
Guest: Daniel Okoro, Co-Founder Cyril-Margaret FoundationOn LinkedIn | https://www.linkedin.com/in/daniel-okoro-17892228Host: Frankie ThomasOn ITSPmagazine
Guest: Tyler Ramsbey, Associate Penetration Tester at Rhino Security Labs [@RhinoSecurity]On Twitter | https://twitter.com/Tyler_RamsbeyOn LinkedIn | https://www.linkedin.com/in/tyler-ramsbey-86221643/On YouTube | https://www.youtube.com/@TylerRamsbeyHost: Frankie ThomasOn ITSPmagazine
Guest: Jason Watt, Director of BladeRunnersOn Twitter | https://twitter.com/J3rgsOn LinkedIn | https://www.linkedin.com/in/jcwatt0/Host: Frankie ThomasOn ITSPmagazine
What does it take to develop an attacker's mindset from a defender's perspective? Join us as we talk to Bryan, a hacker-turned-blue-teamer, about his fascinating journey in IT security and how his experience shaped his unique perspective on cybersecurity. From his background in desktop engineering to his curiosity-driven dive into the world of cybersecurity, Bryan shares insights on the importance of maintaining a healthy work-life balance and the crucial role curiosity plays in this ever-evolving field.Discover the significance of manual security testing and the human factor in cybersecurity, as we discuss with Bryan how experience, training, and curiosity create a strong foundation for effective penetration testing. Certifications like the OSCP and CEH can help further hone those skills, but how valuable are these certifications compared to other resources? We explore the impact of increased access to security training and resources on the cybersecurity landscape.Lastly, we learn about Bryan's journey to prepare for the OSCP certification exam and the strategies he employed to successfully complete it. Balancing certifications with real-world experience is essential, and we delve into the need for more calculated approaches to certifications in order to benefit one's career. Don't miss this insightful conversation with Bryan, as he shares valuable advice for aspiring cybersecurity professionals and how to connect with him online for further information.Support the showAffiliate Links:NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902 Follow the Podcast on Social Media!Instagram: https://www.instagram.com/secunfpodcast/Twitter: https://twitter.com/SecUnfPodcastPatreon: https://www.patreon.com/SecurityUnfilteredPodcastYouTube: https://www.youtube.com/@securityunfilteredpodcastTikTok: Not today China! Not today
Jane Lo, Singapore Correspondent speaks with Dagmawi Mulugeta, Threat researcher with Netskope Threat Labs.Dagmawi has his OSCP and has previously worked at Cyrisk (a subsidiary of 4A Security), Sift Security (acquired by Netskope), and ECFMG as a researcher, security engineer, and developer. He has innate interests in public CTFs, exploit development, and abuse of cloud apps. He has his MSc in Cybersecurity from Drexel University.In this interview, Dagmawi shared the behavioural insights found for employees preparing to leave, and how these indicators could enable organizations to protect their data more effectively.He noted the concern that many organisations have with “flight risk” users – that is, employees that are getting ready to leave – taking corporate data with them.A common question to address this concern, is how to efficiently identify such risks - without sifting through hundreds of alerts and spending hundreds of man-hours.Dagmawi shared how they approached this problem by analysing anonymized data of over 4 million users from more than 200 different organizations worldwide., and some interesting key revelations: (i) 15% of leavers used personal cloud apps (e.g. Google drive, Gmail) to take data with them (ii) 2% were violating corporate policy (exfiltrating sensitive corporate information) (iii) majority of the data movement happens 50 days before leaving.Dagmawi highlighted how they identified three key signals to filter out alerts with potential flight risks:a) volume – identifying whether the data being moved is anomalous for the individual in the organisationb) nature of data – whether the data being moved is sensitivec) direction – whether the cloud application is outside of the organisation's management (e.g. google drive).Wrapping up, Dagmawi recommended that encoding the three signals into the detection systems could help reduce the size for reviews by 43x – that is, for every 50 alerts, the signals could help to filter out the 1 or 2 concerning ones.Recorded 11th May 2023, 3.30pm, Black Hat Asia 2023, Singapore Marina Bay Sands.#bhasia#mysecuritytv #insiderthreat
Now that you're getting serious about your career, you're interested in cybersecurity and cybersecurity certifications. You know that the future will be about information technology (IT) and its development. That's why you're curious about how to get educated and even certified. If you're ready to look into cybersecurity training, you've come to the right place. In this video, we've outlined several different kinds you can look into. After all, the cybersecurity industry is a vast and growing one. In 2020 alone, the global market was worth over $156 billion in revenue. We talk about cyber security certifications such as CompTIA Security + certifications , The Certified Information Systems Security Professional certifications, Ethical Hacker certifications, Cloud Security Professional certifications, and The Offensive Security Certified Professional certifications. We do a breakdown of what each entails and why you might want to look into going that route for your career. Check out this episode today for what you need to know about cyber security certifications, and for more info, head here:https://cybersecurity.intercoast.edu/the-different-types-of-cyber-security-certifications-and-their-significance/Greetings, dear listeners. Please be informed that the material was first published as a video on YouTube. If you choose, you can follow our YouTube channel to access the video or subscribe here for the podcast edition. Thank you, and enjoy your listening experience.Check our certificate training programs HERECheck our Degrees HEREFollow us:FacebookTwitterInstagramYouTubeLinkedIn
If you want to become a Pentester in 2023, then you should get your OSCP - this is what a lot of experts I interview recommend. The Official OSCP course (PEN-200: Penetration Testing with Kali Linux) recently got updated. I interview Jeremy Miller from OffSec about the changes. Disclaimer: I was NOT paid for this interview. I wanted to make this video because it affects many of you watching and I would have done it without receiving anything from OffSec. However, they did give me access to Learn One for one year so I could see the course content. This has helped me prepare for the interview. Hopefully I'll be able to make more content covering what is in the PEN 200 course in future :) // Documentation // Changes: https://www.offsec.com/offsec/pen-200... Course: https://www.offsec.com/courses/pen-200/ // Offsec // Twitter: https://twitter.com/offsectraining Website: https://www.offsec.com/ LinkedIn: https://www.linkedin.com/company/offs... // Jeremy's SOCIAL // Twitter: https://twitter.com/JeremyHarbinger LinkedIn: https://www.linkedin.com/in/jeremy-mi... Website: https://jeremyharbinger.com/ // David's SOCIAL // Discord: https://discord.gg/davidbombal Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co TikTok: http://tiktok.com/@davidbombal // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com // MENU // 00:00 - Coming up 00:28 - Intro 00:31 - Updated OffSec PEN-200 course for 2023 // What's changing? 05:22 - Hacking is not easy as it seems 07:46 - Preparing for the real world 10:19 - Pre-requisites for the course 14:15 - Jeremy's background // Journey to pentesting 21:13 - Approach with an open mind 22:41 - Learning models & challenges 28:10 - Feedback loop 30:16 - Buffer overflow explained 32:34 - What has been removed & added // PEN-200 updated 37:30 - What is "pedagogy"? // Changing ways to teach and learn 40:38 - The PEN-200 course and the OSCP exam 44:11 - Old and new OS available in PEN-200 course 46:04 - Things are changing but not everything 48:24 - OffSec subscriptions and contents 49:43 - Pros vs. Cons // Helping students understand 52:14 - Final words & conclusion oscp pen-200 offsec offensive sercurity pentest pentester hack hacker hacking ethical hacking ethical hacker course ethical hacker Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #hacker #pentester #oscp
Heath Adams, aka "The Cyber Mentor," is the Founder and CEO of TCM Security, an ethical hacking and cybersecurity consulting company. Heath is a CISSP and has received numerous credentials including QSA, PNPT, OSCP, Security+, Network+, and A+. And, while he enjoys ethical hacking Heath also loves to teach. His courses have been taken by over 170,000 people on multiple platforms including Udemy, YouTube, Twitch, and INE. In this episode of the Secure Talk Podcast, Heath talks about how he got his start in ethical hacking, what are the essential skills needed to become an ethical hacker, how he developed his online courses. Heath gives advice to those who wish to either learn more about ethical hacking or seek a career as an ethical hacker or penetration tester. He also shares some tips for business owners and consumers on how to improve their cybersecurity posture. TCM Security https://academy.tcm-sec.com/ Heath on Social Media: LinkedIn - https://linkedin.com/in/heathadams Twitter - https://twitter.com/thecybermentor YouTube - https://www.youtube.com/c/thecybermentor Twitch - https://twitch.tv/thecybermentor The Secure Talk Cybersecurity Podcast https://securetalkpodcast.com/
This is your path to becoming a Pentester in 2023. The best courses and best cert. Big thanks to Rana for answering so many of your questions! Thanks for the cool Solar Generator Jackery! Official Jackery website:: https://bit.ly/3XWNjqO Amazon Store: https://amzn.to/3IMSq8r // Rana's courses // Free Web Hacking Course: / ranakhalil101 50% OFF Web Security Academy Course Code: DavidBombal500FF Academy: https://academy.ranakhalil.com/ 8 hour SQL Injection playlist: • SQL Injection | C... // Previous video // Broken Access Control: • Free Web Hacking ... // Rana's OSCP journey // https://rana-khalil.gitbook.io/hack-t... // Book Rana Recommended // Web Application's Hacker's handbook 2nd Ed by Dafydd Stuttard: US Link: https://amzn.to/3J90wZa UK Link: https://amzn.to/3J7H2UT // TCM-Security Course Discounts and Affiliate Links // Get 25% off courses and 10% off PNPT with coupon code: BOMBAL2023 Practical Ethical Hacking: https://davidbombal.wiki/tcmpeh Windows Privilege Escalation for Beginners: https://davidbombal.wiki/tcmwpe Linux Privilege Escalation for Beginners: https://davidbombal.wiki/tcmlpe Open-Source Intelligence (OSINT) Fundamentals: https://davidbombal.wiki/tcmosint The External Pentest Playbook: https://davidbombal.wiki/tcmepp Movement, Pivoting, and Persistence: https://davidbombal.wiki/tcmmpp Python 101 for Hackers: https://davidbombal.wiki/tcmpython Linux 101: https://davidbombal.wiki/tcmlinux Practical Malware Analysis & Triage: https://davidbombal.wiki/tcmmalware Mobile Application Penetration Testing: https://davidbombal.wiki/tcmmobile Python 201 for Hackers: https://davidbombal.wiki/tcmpython201 Practical Web Application Security & Testing: https://davidbombal.wiki/tcmweb Practical Windows Forensics: https://davidbombal.wiki/tcmwinforensics GRC Analyst Master Class: https://davidbombal.wiki/tcmgrc // TCM-Security Certifications // https://certifications.tcm-sec.com/?r... If you are current/former military, students, teachers, and first line responders (doctors, nurses, EMTs, etc.) you can get 20% off TCM certifications. Email support@tcm-sec.com for that discount if you qualify. // Tib3rius courses // - Windows Privilege Escalation: https://www.udemy.com/course/windows-... - Linux Privilege Escalation (Tib3rius): https://www.udemy.com/course/linux-pr... // IPsec // Recommended YouTube channel: / @ippsec // Rana's SOCIAL // Twitter: https://twitter.com/rana__khalil Academy: https://academy.ranakhalil.com/ Youtube Channel: / ranakhalil101 Medium Blog: https://ranakhalil101.medium.com/ Rana Intigriti Interview: • Hacker Heroes #5 ... // David's SOCIAL // Discord: https://discord.gg/davidbombal Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co TikTok: http://tiktok.com/@davidbombal // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com pentest pentester hack hacker hacking ethical hacking tcm security web web hacking web hacking course web hacking tutorial xss owasp owasp top 10 cross site scripting portswigger kali linux install kali linux 2022 ethical hacker course ethical hacker Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #hacker #pentester #hack
Today's guest is Steve Walbroehl, Chief Technology Officer / Chief Security Officer and cofounder of Halborn. Halborn is a blockchain cybersecurity firm that aims to secure the blockchain and protect users against data and monetary. Operating across the software development lifecycle, Halborn provides a suite of products and services designed to identify and close vulnerabilities in Web3 applications, helping to create the security standards that the market lacks. The company serves a diverse global client base spanning Layer 1 blockchains, infrastructure providers, financial institutions, and application and game developers. Halborn was founded in 2019 and is based in Miami, Florida. Steve has over 15 years of experience in cybersecurity, he is an expert, trainer, and technical leader in penetration testing, ethical hacking, web application, and cloud security, infrastructure security, vulnerability scanning and detection, IT compliance, and risk mitigation. He's worked with Fortune 500 companies spanning the Financial, Insurance, Mortgage, Technology, Utilities, Hospitality, and Blockchain industries. He holds several information technology and security certifications, including CISSP, CEH, CRISC, OSCP, OSWP, CISM, GWAPT, GAWN, AWS Solutions Architect Associate, CCNA, and Six Sigma. We begin our conversation by discussing the differences between traditional and crypto cybersecurity. Steve explains why security is the most important sector of industry, the crypto. We discuss why being a security specialist in crypto is very stressful. We discuss the connection between regulation and cybersecurity. We stress that regulation can foster decentralization and provide better user protection guidelines. Steve shares how the internet regulation during the early days of the internet could provide a blueprint for how to foster proper regulation and compliance in crypto. Our next conversation topic centered around the systemic risks that developed in DeFi due to greed. We discuss how greed fueled flawed protocol design spurring the wrong incentives resulted in the collapse of various centralized institutions. Steve expresses his concern about proof-of-stake as a centralizing force. Steve shares a story where he explains the systemic risks that can come from cross-chain liquidity, similar to the 2008 financial crisis. We transition our conversation to focus on the security risks in crypto. Steve explains the full spectrum of vulnerabilities that are present in crypto. We discuss how these vulnerabilities can be exploited and why a particular type of protocol is targeted more routinely than others. Steve explains that security in crypto requires taking into account technical vulnerabilities and socio-economic incentives to properly assess a project's vulnerabilities. Our next conversation topic centered around Halborn. Steve shares that one of the requirements to work as a security engineer at Halborn is to hack their way in. We discuss how coding and security testing is both an art and a science. We discuss the security of SHA-256 and why Bitcoin was a cryptography marvel. Our conversation transitions to focus on Seraph, the world's first blockchain security notary platform powered by Halborn. Steve explains how Seraph can help provide a security framework and guardrails for projects looking to standardized security practices. Our final discussion topic centered around the connection between adoption and security. Steve explains how increased security will lead to increased adoption of DeFi. Please enjoy my conversation with Steve Walbroehl.
Hacking websites is perhaps often underestimated yet is super interesting with all its potential for command injections and cross site scripting attacks. Tib3rius from White Oak Security discusses his experience as a web application security pen tester, his OSCP certification, and how he's giving back to the community with his Twitch, Youtube, and tools he's made available on GitHub.
Welcome to 2023 y'all. Let's get into the new year by looking at some news you need to know. A major FAA system went down and caused an outage for all of Florida. How secure is the FAA, and what about other airport safety systems? Surely, no misconfigurations there. Right? Links to study guides for OSCP cert via Reddit, pretty cool huh? A hospital was hit with ransomware then the bad guys gave the key away for free. What does that reveal about the business model for those threat actors? The best example of how "useful" GDPR is, via a hack. Lol. Those points and more on this one!
Aaron Hutson walks Brandon Evans through his journey from being an on-prem SysAdmin and cloud skeptic to a cloud security student, consultant, and educator who has worked on the Defense Information Systems Agency (DISA) Secure Cloud Computing Architecture initiative.Our Guest - Aaron HutsonAaron is a passionate advocate for cybersecurity, information technology and education. Aaron holds a Master of Science in Cybersecurity and numerous certifications, such as CISSP, AWS CSAP, GCIH, OSCP and many more. He has worn many hats and is backed by diverse professional experience across the IT, cybersecurity, and education fields. Aaron believes in the constant pursuit of knowledge to stay relevant and stay informed, and when he's not learning something new, he's sharing what he knows as an educator to help others understand the many intricacies in IT and cybersecurity.Sponsor's Note:Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs.Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security.Review and Download Cloud Security Resources: sans.org/cloud-security/Join our growing and diverse community of cloud security professionals on your platform of choice:Discord | Twitter | LinkedIn | YouTubeSPONSER NOTE: Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs. Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security. Review and Download Cloud Security Resources: sans.org/cloud-security/ Join our growing and diverse community of cloud security professionals on your platform of choice: Discord | Twitter | LinkedIn | YouTube
Sem sombra de dúvidas e inegavelmente, esta é a área que mais cresce no Brasil e no mundo. Decerto, o que abre um leque imenso de possibilidades de carreiras e certificações de segurança da informação. Vamos explorar as principais carreiras e certificações de segurança da informação, partindo das áreas gerenciais e falar das mais técnicas, como por exemplo, a OSCP, as de Programação Segura e Ethical Hacking. A partir dela, é possível traçar várias carreiras, como as de Continuidade de Negócio, LGPD, Segurança Cibernética, Governança. E como há muitas ramificações, como por exemplo, o Pentest, a Investigação Forense, a Recuperação de Desastre, entre outras, que a cada dia aparece, vamos abordar várias vertentes. Então, #partiu trocar uma ideia? Aguardamos todos vocês em mais um webcast do SecurityCast. SaveTheDate - 22/08/2022 19:00 (UTC -3) https://t.me/SecCastOficial Fonte das matérias e notícias: - Roadmap de certificações em Segurança 1 - https://danieldonda.com/roteiro-de-certificacao-de-seguranca-2022/ - Roadmap de certificações em Segurança 2 - https://pauljerimy.com/security-certification-roadmap/ - Vulnerabilidade no iOS - https://support.apple.com/en-us/HT213412 - Vulnerabilidade do Zoom em iOS - https://www.theguardian.com/technology/2022/aug/16/users-of-zoom-on-macs-told-to-update-app-as-company-issues-security-fix
TJ Null is probably most well known for his guide for the OSCP exam, but there is much more to TJ. In this episode he shares his story, and advice on getting started in pentesting._______________________GuestTJ NullCommunity Manager at Offensive Security [@offsectraining]On Twitter | https://twitter.com/TJ_Null______________________HostPhillip WylieOn ITSPmagazine
TJ Null is probably most well known for his guide for the OSCP exam, but there is much more to TJ. In this episode he shares his story, and advice on getting started in pentesting._______________________GuestTJ NullCommunity Manager at Offensive Security [@offsectraining]On Twitter | https://twitter.com/TJ_Null______________________HostPhillip WylieOn ITSPmagazine
A CISO's Guide to Pentesting References https://en.wikipedia.org/wiki/Penetration_test https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf https://pentest-standard.readthedocs.io/en/latest/ https://www.isecom.org/OSSTMM.3.pdf https://s2.security/the-mage-platform/ https://bishopfox.com/platform https://www.pentera.io/ https://www.youtube.com/watch?v=g3yROAs-oAc **************************** Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand. What is it Where are good places to order it What should I look for in a penetration testing provider What does a penetration testing provider need to provide What's changing on this going forward First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte? Now let's start with providing a definition of a penetration test. According to Wikipedia a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system. It's really designed to show weaknesses in a system that can be exploited. Let's think of things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There's really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm. You need to focus on high likelihood and impact because professional penetration tests are not cheap. Usually, they will usually cost between $10,000-$30,000 but if you have a complex system, it's not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significant Application or SOX applications once per year. My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest. Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better. He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies." Please do not confuse a penetration test with a Red Team exercise. A red team exercise just wants to accomplish an objective like steal data from an application. A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate. It's a subtle difference but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify potentially exploitable vulnerabilities. Now, is a pentest about finding ALL vulnerabilities? I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like. Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided. There really is a “good enough” standard of risk, and that is called “acceptable risk.” So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate. Let's take the example that you want to perform a web application pentest on your public website so you can fix the vulnerabilities before the bad actors find them. The first question you should consider is do you want an internal or an external penetration test. Well, the classic answer of "it depends" is appropriate. If this website is something of a service that you are selling to other companies, then chances are those companies are going to ask you for things like an ISO 27001 certification or SOC 2 Type 2 Report and both of those standards require, you guessed it, a penetration Test. In this case your company would be expected to document a pentest performed by an external provider. Now if your company has a website that is selling direct to a consumer, then chances are you don't have the same level of requirement for an external pentest. So, you may be able to just perform an internal penetration test performed by your company's employees. I'd be remiss if I didn't mention the Center for Internet Security Critical Controls, formerly know as the SANS Top 20. The current version, eight, has 18 controls that are listed in order of importance, and they include pentesting. What is the priority of pentesting, you may ask? #18 of 18 -- dead last. Now, that doesn't mean pentests are not valuable, or not useful, or even not important. What it does mean is that pentests come at the end of building your security framework and implementing controls. Starting with a pentest makes no sense IMHO, although compliance-oriented organizations probably do this more often than they should. That approach makes the pen testers job one of filtering through noise -- there are probably a TON of vulnerabilities and weaknesses that should have been remediated in advance and could have been with very little effort. Think of a pentest as a final exam if you will. Otherwise, it's an expensive way to populate your security to-do list. OK let's say we want to have an external penetration test and we have the 10-30K on hand to pay an external vendor. Remember this, a penetration test is only as good as the conductor of the penetration test. Cyber is a very unregulated industry which means it can be tricky to know who is qualified. Compare this to the medical industry. If you go to a hospital, you will generally get referred to a Medical Doctor or Physician. This is usually someone who has a degree such as a MD or DO which proves their competency. They will also have a license from the state to practice medicine legally. Contrast this to the cyber security industry. There is no requirement for a degree to practice Cyber in the workforce. Also, there is no license issued by the state to practice cyber or develop software applications. Therefore, you need to look for relevant Cyber certifications to demonstrate competency to perform a Penetration Test. There's a number of penetration testing certifications such as the Certified Ethical Hacker or CEH, Global Information Assurance Certification or GIAC GPEN or GWAP, and the Offensive Security Certified Professional or OSCP. We strongly recommend anyone performing an actual penetration test have an OSCP. This certification is difficult to pass. A cyber professional must be able to perform an actual penetration test and produce a detailed report to get the actual certification. This is exactly what you want in a pentester, which is why we are big fans of this certification. This certification is a lot more complicated than remembering a bunch of textbook answers and filling in a multiple-choice test. Do yourself a favor and ask for individuals performing penetration tests at your company to possess this certification. It may mean your penetration tests cost more, but it's a really good way to set a bar of qualified folks who can perform quality penetration tests to secure your company. Now you have money, and you know you want to look for penetration tests from companies that have skilled cyber professionals with years of experience and an OSCP. What companies should you look at? Usually, we see three types of penetration testing companies. Companies that use their existing auditors to perform penetration tests – firms like KPMG, EY, PWC, or Deloitte (The Big 4 1/2). This is expensive but it's easy to get them approved since most large companies already have contracts with at least one of these companies. The second type of company that we see are large penetration testing companies. Companies like Bishop Fox, Black Hills Information Security, NCC Group, and TrustedSec, focus largely on penetration testing and don't extend into other areas like financial auditing. They have at least 50+ penetration testers with experience from places like the CIA, NSA, and other large tech companies. Note they are often highly acclaimed so there is often a waitlist of a few months before you can get added as a new client. Finally, there are boutique shops that specialize in particular areas. For example, you might want to hire a company that specializes in testing mobile applications, Salesforce environments, embedded devices, or APIs. This is a more specialized skill and a bit harder to find so you have to find a relevant vendor. Remember if someone can pass the OSCP it means they know how to test and usually have a background in Web Application Penetration testing. Attacking a Web application means being an expert in using a tool like Burp Suite to look for OWASP Top 10 attacks like SQL injection or Cross Site Scripting. This is a very different set of skills from someone who can hack a Vehicle Controller Area Network (CAN) bus or John Deere Tractor that requires reverse engineering and C++ coding. Once you pick your vendor and successfully negotiate a master license agreement be sure to check that you are continuing to get the talent you expect. It's common for the first penetration test to have skilled testers but over time to have a vendor replace staff with cheaper labor who might not have the OSCP or same level of experience that you expect. Don't let this happen to your company and review the labor and contract requirements in a recurring fashion. Alright, let's imagine you have a highly skilled vendor who meets these requirements. How should they perform a penetration test? Well, if you are looking for a quality penetration testing guide, we recommend following the one used by Google. Google, whose parent company is called Alphabet, has publicly shared their penetration testing guidelines and we have attached a link to it in our show notes. It's a great read so please take a look. Now Google recommends that a good penetration test report should clearly follow an assessment methodology during the assessment. Usually, penetration testers will follow an industry recognized standard like the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, the OWASP Firmware Security Testing Guide, the PCI DSS Penetration Testing Guide, The Penetration Testing Execution Standard, or the OSSTMM which stands for The Open Source Security Testing Methodology Manual. These assessment methodologies can be used to show that extensive evaluation was done, and a multitude of steps/attacks were carried out. They can also standardize the documentation of findings. Here you will want a list showing risk severity level, impact from a business/technical perspective, clear concise steps to reproduce the finding, screenshots showing evidence of the finding, and recommendations on how to resolve the finding. This will allow you to build a quality penetration test that you can reuse in an organization to improve your understanding of technical risks. If I can get good penetration tests today, perhaps we should think about how penetration testing is changing in the future? The answer is automation. Now we have had automated vulnerability management tools for decades. But please don't think that running a Dynamic Application Security Testing Tool or DAST such as Web Inspect is the same thing as performing a full penetration test. A penetration test usually takes about a month of work from a trained professional which is quite different from a 30-minute scan. As a cyber industry we are starting to see innovative Penetration Testing companies build out Continuous and Automated Penetration Testing tooling. Examples of this include Bishop Fox's Cosmos, Pentera's Automated Security Validation Platform, and Stage 2 Security Voodoo and Mage tooling. Each of these companies are producing some really interesting tools and we think they will be a strong complement to penetration tests performed by actual teams. This means that companies can perform more tests on more applications. The other major advantage with these tools is repeatability. Usually, a penetration test is a point in time assessment. For example, once a year you schedule a penetration test on your application. That means if a month later if you make changes, updates, or patches to your application then there can easily be new vulnerabilities introduced which were never assessed by your penetration test. So having a continuous solution to identify common vulnerabilities is important because you always want to find your vulnerabilities first before bad actors. Here's one final tip. Don't rely on a single penetration testing company. Remember we discussed that a penetration testing company is only as good as the tester and the toolbox. So, try changing out the company who tests the same application each year. For example, perhaps you have contracts with Bishop Fox, Stage 2 Security, and Black Hill Information Security where each company performs a number of penetration tests for your company each year. You can alternate which company scans which application. Therefore, have Bishop Fox perform a pentest of your public website in 2022, then Stage 2 Security test it in 2023, then Black Hills test it in 2024. Every penetration tester looks for something different and they will bring different skills to the test. If you leverage this methodology of changing penetration testing vendors each cycle, then you will get more findings which allows you to remediate and lower risk. It allows you to know if a penetration testing vendor's pricing is out of the norm. You can cancel or renegotiate one contract if a penetration testing vendor wants to double their prices. And watch the news -- even security companies have problems, and if a firm's best pentesters all leave to join a startup, that loss of talent may impact the quality of your report. Thank you for listening to CISO Tradecraft, and we hope you have found this episode valuable in your security leadership journey. As always, we encourage you to follow us on LinkedIn, and help us out by letting your podcast provider know you value this show. This is your host, G. Mark Hardy, and until next time, stay safe.
Episode 183 of the Unsecurity Podcast is now live! This week, Oscar and Brad discuss some training resources that you can use in your security program free of charge!News:Autopatch is now Availablehttps://thehackernews.com/2022/07/microsoft-windows-autopatch-is-now.html'Callback' Phishing Campaign Impersonates Security Firmshttps://threatpost.com/callback-phishing-security-firms/180182/Resources Discussed:Portswigger Web Security Academy https://portswigger.net/trainingXSS, Cross Site Request Forgery, SQL Injection, HTTP Request SmugglingBurp Suite Training - All free & high qualityHacktheBox, TryHackMe, OverTheWireOffensive Security - Metasploit Unleashed. Also currently doing free OSCP classes via Twitch. Monday and Friday at 12:00 PM EThttps://www.offensive-security.com/metasploit-unleashed/FRSecure CISSP mentorshiphttps://frsecure.com/cissp-mentor-program/Federal Virtual training Environmenthttps://fedvte.usalearning.gov/Free training for all Federa, State, Local, Tribal and Territorial government employees.Using ATT&CK for CTI Traininghttps://attack.mitre.org/resources/training/cti/Understand what ATT&CK is and how to use it to make defensive decisions.SANS Cheat Sheets!https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/PicoCTFhttps://picoctf.org/resources.htmlLearning Guides for General Skills, Crypto, Web Exploitation, Forensics, Binary Exploitation, ReversingInfosecinstitutehttps://resources.infosecinstitute.com/topic/13-cyber-security-training-courses-you-can-take-now-for-free/$300 AnnualCybraryhttps://www.cybrary.it/Some free courses or $60 a monthGive episode 183 a listen or watch and send any questions, comments, or feedback to unsecurity@protonmail.com. Don't forget to like and subscribe!
In this episode, host TJ Null sits down with DarkStar7471 aka Dark, our recent community moderator for the OffSec Community. Dark is currently a lead pentester at State Farm Insurance and has produced content for TryHackMe. He starts by sharing his journey before working for OffSec as well as what piqued his interest in the information security field. Then, Dark highlights why he decided to obtain his OSCP and how the knowledge he gained from the course benefits him in his career trajectory. He also shares some exciting projects he works on relevant to pentesting. Lastly, Dark shares advice he has for anyone working to become a pentester and hobbies he enjoys outside of infosec. Enjoy the episode!
In this week's episode, host Dr. Heather Monthie chats with FalconSpy, an Offensive Security Engineer at Oracle and Community Ambassador here at OffSec. FalconSpy covers topics such as how he got into cybersecurity, what attracted him to the field, and the biggest lesson he's learned in his career so far. Sharing his experience throughout his OSCP journey, he shares tips for anyone looking to pass the exam who are trying to balance other responsibilities. Then, he offers advice for cybersecurity managers on how to locate the best talent. FalconSpy explains how to make these positions more attractive to cybersecurity professionals. Lastly, he shares a current project he's working on that he's excited about as well as what he envisions as the ‘next big thing' in cybersecurity. Enjoy!
Christoff's professional career includes Unix and Linux administration, and software development, but his passion was hacking.Christoff shares how he pivoted from a system engineer during difficult COVID times. During his education journey to become a pentester he earned the OSCP certification. His networking skills paid off and helped him land a pentesting job._______________________GuestChristoff HumphriesAdversarial Analyst (Pentester) at CyberOne SecurityOn Twitter | https://twitter.com/sogonsecOn LinkedIn | https://www.linkedin.com/in/christoffhumphries/______________________HostPhillip WylieOn ITSPmagazine
Christoff's professional career includes Unix and Linux administration, and software development, but his passion was hacking.Christoff shares how he pivoted from a system engineer during difficult COVID times. During his education journey to become a pentester he earned the OSCP certification. His networking skills paid off and helped him land a pentesting job._______________________GuestChristoff HumphriesAdversarial Analyst (Pentester) at CyberOne SecurityOn Twitter | https://twitter.com/sogonsecOn LinkedIn | https://www.linkedin.com/in/christoffhumphries/______________________HostPhillip WylieOn ITSPmagazine
This week, hosts TJ Null and FalconSpy sit down with Mike Waxman, Security Engineer at LinkedIn. Mike was originally a TPM and is now a Security Engineer. He starts off by describing how he made the switch and shares some advice for those looking to change roles into security. And for those already in the field, he also gives tips on how to get that coveted promotion. Related to that, Mike discusses his mentoring experience and what kinds of knowledge he passes along to those new to the industry. Mike is currently working through his PEN-200 journey toward the OSCP and provides some key tips for those also pursuing the OSCP. He also shares a specific idea on how to best prepare for the exam. Finally, he shares some words of encouragement to those early in their career looking to make their mark. Enjoy!
Rana Khalil. Rana is a senior cybersecurity assessment analyst and has a really diverse professional background. She has spoken at many different conferences, including BSides, ISSA OS, Ottawa, and hack fest. She's recently received the OSCP, a coveted security certification out there in the community. She has definitely written up and done tons of write-ups on the OSCP and different hack-the-box write-ups. This episode will unravel how Rana discovered and journeyed through cryptography and pen testing despite attaining a computer science degree. LINKS: Linkedin: https://www.linkedin.com/in/ranakhalil1/?originalSubdomain=ca Intro Music: https://trash80.com/#/content/133/weeklybeats-2012-week5 Security and Privacy Framework: iapp.org Full Shownotes: https://www.gettingintoinfosec.com/ See omnystudio.com/listener for privacy information.
This week host TJ Null chats with Phillip Wylie, Tech Evangelist at cycognito. Phillip has been a pentester for several years and in the IT industry for even longer. He tells an interesting story of how he got into infosec and some of the resources he used to get started. TJ and Phillip also chat about the OSCP, the Try Harder mindset, and what they mean for Phillip. Our guest regularly shares knowledge, gives talks, blogs, and teaches, and, in this episode, dives into what drives him to pass on knowledge. He also gives some tips for those starting out in infosec on how to share their experience and possibly even get a job in the process. Besides this, Phillip shares one thing he'd like to see changed in the infosec community and how. Enjoy!
Hosts FalconSpy and TJ Null sit down with J3rryBl4nks, a member and Community Moderator on the OffSec Discord server. J3rryBl4nks is a Director of InfoSec for a small business organization. In this episode, he talks about how he got interested in the infosec field. He discusses why he thinks gaining knowledge through a degree or certifications is imperative in the infosec industry, along with a growth mindset. Then, he details his experience with PEN-200, including his take on the OSCP exam and tips to future students embarking on their PEN-200 journey. Additionally, J3rryBl4nks outlines what he looks for in a new hire regardless of their experience in the field. He then highlights his passion for password cracking and good rules to use with hashcat to optimize these results. Lastly, he shares his interest in both card and board games, video games, and his love of hiking and spending time with his family.
Lessons learned in achieving OSCP and other lessons...
Hosts TJNull and FalconSpy catch up with Seth Art, Sr. Security Consultant at Bishop Fox, who also holds his OSCP. They discuss how Seth got into security and his varied background. He also reveals his favorite aspects of working for Bishop Fox, as well as what a junior pentester should know in order to join an offensive security-focused firm like Bishop Fox. They talk about Seth's OSCP journey and the challenges he overcame to earn his OSCP, including juggling parenting and studying. They then turn to cloud pentesting and Kubernetes security and Seth spills the details on interesting findings from his recent research. Specifically, they discuss potential vulnerabilities in Kubernetes and AWS. Finally, they chat about the crucial skills Seth recommends budding penetration testers develop. Enjoy the episode!
Rana discovered application security as a software developer which inspired her interest in web app pentesting.During her studies and journey to prepare for the OSCP certification, Rana started sharing what she learned in blogs and went on to create video learning content for aspiring pentesters and security professionals._______________________GuestRana KhalilOn Linkedin | https://www.linkedin.com/in/ranakhalil1/On Twitter | https://twitter.com/rana__khalilOn YouTube | https://www.youtube.com/channel/UCKaK-XPQAbznwIISC46b1oAOn Medium | https://ranakhalil101.medium.com/______________________HostPhillip WylieOn ITSPmagazine
Hear from Cybersecurity Meg, X-Force Cybersecurity Incident Responder for IBM and popular cybersecurity YouTuber, as she sits down with Harbinger and FalconSpy! They discuss a number of interesting topics, ranging from defense vs. offense and her CISSP journey to what inspired Meg to become a YouTube creator. They also discuss overcoming imposter syndrome and how to handle it as well as naysayers and gatekeepers. Hear about how to maintain mental health, specifically within the information security field, as well as ensuring work-life balance. Finally, learn what Meg has planned next, including earning her OSCP. Enjoy the episode! Meg on Twitter Meg on YouTube Meg's Discord community
Join myself (@shellsharks) and my guest Sukrit (@sukritdua) as we chat pentesting, training, craft beer and more! Note: I apologize in advance as Sukrit's audio was a little spotty. Enjoy! Show Notes Preshow Collective Arts Brewing: https://collectiveartsbrewing.com/us/ Quebec Maple Coke: https://www.coca-colacanada.ca/en/specialtysoda/quebec-maple/ Icewine: https://mywinecanada.com/wine/ice-wine Dragon Stout: https://www.ratebeer.com/Ratings/Beer/Beer-Ratings.asp?BeerID=749 Main Show Kali Linux: https://www.kali.org HackerOne: https://www.hackerone.com BugCrowd: https://www.bugcrowd.com SANS Cyber Security Blog: https://www.sans.org/blog/ PortSwigger Blog: https://portswigger.net/blog INE / eLearnSecurity: https://ine.com/pages/elearnsecurity-pricing Shellsharks: https://shellsharks.com Getting Into Information Security: https://shellsharks.com/getting-into-information-security Reddit Feedback: https://www.reddit.com/r/netsecstudents/comments/m0lbst/a_guide_for_those_looking_to_break_into_the/ PTP: https://elearnsecurity.com/blog/ptpv4-launch/ OSCP: https://www.offensive-security.com/pwk-oscp/ Try Harder: https://www.offensive-security.com/offsec/say-try-harder/ Web Application Hackers Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 Web Security Academy: https://portswigger.net/web-security Hacker101 CTF: https://www.hackerone.com/blog/Introducing-Hacker101-CTF OverTheWire: https://overthewire.org/wargames/ picoCTF: https://picoctf.org SANS Holiday Hack Challenge: https://holidayhackchallenge.com Cybrary: https://www.cybrary.it PentesterAcademy: https://www.pentesteracademy.com PentesterLab: https://pentesterlab.com eWPT: https://elearnsecurity.com/product/ewpt-certification/ eWPTX: https://elearnsecurity.com/product/ewptxv2-certification/ SANS SEC542: https://www.sans.org/cyber-security-courses/web-app-penetration-testing-ethical-hacking/ INE Plans: https://ine.com/pages/plans SANS Work Study Program: https://www.sans.org/work-study-program/ SANS Summits: https://www.sans.org/cyber-security-summit SAN SEC660: https://www.sans.org/cyber-security-courses/advanced-penetration-testing-exploits-ethical-hacking/ Stephen Sims: https://www.sans.org/profiles/stephen-sims/ aCloudGuru: https://acloudguru.com Pluralsight: https://www.pluralsight.com Linux Academy: https://login.linuxacademy.com Postshow Untappd: https://untappd.com Foursquare: https://foursquare.com Mike on Untappd: @beersharks Sukrit on Untappd: @AllPints Hill High Marketplace: http://www.hill-high.com untappdScraper: https://github.com/WebBreacher/untappdScraper Captains Log: https://shellsharks.com/captains-log
In this action-packed episode, hosts TJ Null and FalconSpy sit down with 0xdade. Here are some of topics they discuss: How 0xdade broke into InfoSec 0xdade's OSCP advice The importance of note taking and communication skills in InfoSec The most important quality of a pentester or red teamer 0xdade's project, Natlas - what it is and what it does Advice for those who want to develop and release their own tools for the community How 0xdade wound up writing and recording the hip-hop/rap song, “Red Team”
For our latest Humans of InfoSec podcast, we're excited to welcome Phillip Wylie on the show. Phillip has over 22 years of experience with the last 8 years spent as a pentester. Phillip has a passion for mentoring and education. His passion motivated him to start teaching and founding The Pwn School Project a monthly educational meetup focusing on cybersecurity and ethical hacking. Phillip teaches Ethical Hacking and Web Application Pentesting at Richland College in Dallas, TX. Phillip is a co-host for The Uncommon Journey podcast. Phillip holds the following certifications; CISSP, NSA-IAM, OSCP, GWAPT.
The best ways to prepare for PWK/OSCP -- learn how from the experts! In this first episode of the all-new, official Offensive Security Podcast, hear first hand from experts TJ Null, FalconSpy and Jeremy (Harbinger) share some of the latest, greatest and even lesser-known ways to prepare for the Penetration Testing with Kali (PWK, PEN-200) course in preparation for getting your OSCP certification. Real, frank talk from OffSec experts and OffSec community leaders!