BrakeSec Education Podcast
Bryan Brake, Amanda Berlin, and Brian Boettcher
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Episodes
Apr 30, 2023 • 1h 34min
Lynsey Wolf, conducting insider threat investigations, CASB and UEBA utilization to good use.

Show Topic Summary (less than 300 words):
Insider threat still exists. Lynsey Wolf talks with us about HR's role in insider threat and how prevalent investigations are in the post-pandemic work-from-home environment.

Questions and potential sub-topics (5 minimum):
What is the difference between insider threat and insider risk?
Motivators of insider threat (not much different than espionage, IMO -bryan) (MICE: Money, Ideology, Compromise, and Ego.) https://thestack.technology/pentagon-leaks-insider-threat-sysadmin/
75% of all insider threats are being kicked off by HR departments. In short, it's proactive. "How did HR figure that out?"
How are investigations normally initiated? What tools are they implementing to check users or predict a disgruntled employee? UEBA? CASB? Employee surveys that are 'anonymous'? Someone who reported others and it was dismissed?
What if HR 'gets it wrong', or it's a hunt to find people not into 'groupthink' or 'not a culture fit'? https://www.cbsnews.com/news/french-worker-fired-for-not-being-fun-at-work-wins-lawsuit-cubik-responds/
How can organizations be mindful of how and what data is collected to mitigate risk without affecting employee trust? And who watches the watchers to ensure data is handled responsibly?
Are there any privacy guidelines companies need to understand before they implement such a system? (GDPR? CCPA? Privacy notices? Consent to monitoring on login? https://securiti.ai/blog/hr-employee-data-protection/)
Are companies causing the thing they are protecting against? (making an insider threat because they've become repressive?) (hoping there's an 'everything in moderation' idea here… finding the happy medium between responsible 'observability' and 'surveillance')
Lots of 'insider threat' tools, including from EDR companies. Do companies do a good job of explaining to employees why you need EDR?
Quiet Quitting - latest term for companies to use to describe "employee has a side gig". How does this figure into insider threat? Is it assumed that people only have one 'thing' they do, or did the lack of a commute give people more time during the pandemic to diversify?
Solutions for employees? Separate their work and private/side gig? Learn what their contract states to keep conflicts of interest or your current/past employer from taking your cool side project/start-up idea away from you?
Solutions for companies?

Additional information / pertinent Links (would you like to know more?) (contact info for people to reach out later):
https://www.cisa.gov/detecting-and-identifying-insider-threats
https://venturebeat.com/data-infrastructure/how-observability-has-changed-in-recent-years-and-whats-coming-next/
https://ccdcoe.org/library/publications/insider-threat-detection-study/
https://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454627.pdf (insider threat ontology)
https://www.intelligentcio.com/apac/2022/08/01/survey-reveals-organizations-see-malicious-insiders-as-a-route-for-ransomware/
https://www.helpnetsecurity.com/2022/04/08/organizations-insider-threats-issue/
https://www.fortinet.com/resources/cyberglossary/what-is-ueba
https://www.gartner.com/en/information-technology/glossary/cloud-access-security-brokers-casbs
https://thecyberwire.com/glossary/mice
https://qohash.com/the-high-price-of-trust-the-true-cost-of-insider-threats/
https://abc7chicago.com/classified-documents-jack-teixeira-air-national-guard-arrest/13126206/ (Air National Guardsman accused in military records leak makes 1st court appearance - story still developing as of 16 April 2023)
https://www.theverge.com/2020/8/4/21354906/anthony-levandowski-waymo-uber-lawsuit-sentence-18-months-prison-lawsuit

Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @bryanbrake@mastodon.social
Website: https://www.brakeingsecurity.com
Twitch: https://twitch.tv/brakesec
YouTube: https://youtube.com/c/BDSPodcast

Apr 8, 2023 • 1h 25min
3CX supply chain attack, Mark Russinovich and Sysinternals, CISA ransomware notifications, and emotional intelligence
Show Topic Summary (less than 300 words):
3CX supply chain attack, Mark Russinovich and Sysinternals, ransomware notifications from CISA, and emotional intelligence.
YouTube VOD: https://www.youtube.com/watch?v=afZHiBUr-2g

Questions and potential topics (5 minimum):
https://www.straitstimes.com/tech/downloading-a-cracked-version-of-fifa-23-or-hogwarts-legacy-for-free-it-s-probably-malware
https://leadershipfreak.blog/2023/03/27/the-7-powers-of-questions/
https://securityintelligence.com/articles/is-it-time-to-hide-your-work-emails/
https://www.lollydaskal.com/leadership/what-remote-leaders-do-differently-to-be-successful/
https://www.lollydaskal.com/leadership/the-role-of-emotional-intelligence-in-leadership-why-it-matters/
https://www.cybersecuritydive.com/news/3cx-mandiant-investigate-supply-chain-attack/646543/
https://www.bleepingcomputer.com/news/security/openai-chatgpt-payment-data-leak-caused-by-open-source-bug/
https://www.cybersecuritydive.com/news/cisa-pre-ransomware-notification/646041/
https://www.sentinelone.com/labs/the-life-and-times-of-sysinternals-how-one-developer-changed-the-face-of-malware-analysis/

Additional information / pertinent Links (would you like to know more?):
https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/
https://www.orangecyberdefense.com/global/blog/research/3cx-voip-app-supply-chain-compromise
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
https://www.linkedin.com/feed/update/urn:li:activity:7047156405715300352/
Sigma Rule - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_malware_3cx_compromise_susp_children.yml
https://en.wikipedia.org/wiki/Information_Sharing_and_Analysis_Center
https://www.cisa.gov/news-events/news/cisa-establishes-ransomware-vulnerability-warning-pilot-program
https://www.fda.gov/media/166614/download
https://www.amazon.com/Windows-Internals-Part-architecture-management/dp/0735684189
https://medium.com/@martin-thissen/llama-alpaca-chatgpt-on-your-local-computer-tutorial-17adda704c23

Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @bryanbrake@mastodon.social
Website: https://www.brakeingsecurity.com
Twitch: https://twitch.tv/brakesec
YouTube: https://www.youtube.com/c/BDSPodcast
Email: bds.podcast@gmail.com

Mar 24, 2023 • 1h 30min
Dish Network is still busted, John Deere avoiding OSS requests, Is DAST dead?
Show Topic Summary (less than 300 words):
Dish Network is still busted due to ransomware, your Pixel phone baseband RCE, Nothing runs like a Deere (away from OSS requests, anyway), and "Are we past DAST?"

Questions and potential sub-topics (5 minimum):
https://techcrunch.com/2023/03/15/dish-customers-kept-in-the-dark-as-ransomware-fallout-continues/
https://medium.com/@cmanojshrestha/hack-any-social-media-account-using-cookie-stealing-attack-a6cdc4caafc1
https://boringappsec.substack.com/p/edition-18-the-diminishing-returns
https://www.theregister.com/2023/03/17/john_deere_sfc_gpl/
https://www.bleepingcomputer.com/news/security/alleged-breachforums-owner-pompompurin-arrested-on-cybercrime-charges/ (thanks D Mathews!)
https://www.bleepingcomputer.com/news/security/microsoft-support-cracks-windows-for-customer-after-activation-fails/
https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html

Additional information / pertinent Links (would you like to know more?):
https://www.shopbiscoff.com/lotus-biscoff-xl-two-pack-case-bulk-size
https://twitter.com/InfoSystir/status/1636847843683041280?s=20

Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @bryanbrake@mastodon.social
Website: https://www.brakeingsecurity.com
Twitch: https://twitch.tv/brakesec
YouTube: https://www.youtube.com/c/BDSPodcast
Email: bds.podcast@gmail.com

Mar 4, 2023 • 1h 15min
Nickolas Means talks about security, DevOps velocity, blameless orgs, and conferences infosec should attend
Nickolas Means, VP of Engineering at Sym, discusses topics such as building a blameless culture during incidents, building a compliance program without impacting engineering velocity, cross-training dev and security teams, the challenges of shifting left in software development, the relationship between programming languages and security conferences, crafting secure applications, and the launch of Sym, a platform for managing access to production systems.

Feb 10, 2023 • 1h 21min
SPECIAL INTERVIEW: John Aron and Jerod Brennen
BrakeSec Show Outline (all links valid as of 27 Jan 2023, subject to change)
Is it scheduled? Completed. Date: 2023/01/26

Guest info
Name and Title: John Aron, Founder/CEO of Aronetics
Email: john@aronetics.com
Time Zone (if other than Pacific): Eastern Standard

Guest info
Name and Title: Jerod Brennen
Email: jerod@brennenconsulting.com
Time Zone (if other than Pacific): EST

Show Topic Summary (less than 300 words):
Clear the fog of marketing truths and viable solutions that actually deter and defend against adversarial action.

Questions and potential sub-topics (5 minimum):
Edge devices everywhere
A paradigm culture shift is necessary. How/What kind of culture shift is needed?
In 2007, Steve Jobs unveiled the iPhone with no mention of how to keep it safe, while DARPA, which created GPS, shares a sorry-not-sorry.
4. Working from home or the office, how can you guarantee security with travel between both? This type of computing isn't possible in government circles.
5. The New York Times 2019 Fall Special - So the internet didn't turn out the way we hoped. How can we restore sanity and normalcy to using a computer when there is a persistent threat everywhere? Who is under 'persistent threat'?
6. Jerod: decentralization of technologies and empowering makers and people

Additional information / pertinent Links (would you like to know more?):
Even Nobodies Have Fans Now. (For Better or Worse.) - The New York Times.pdf (local copy; local copy defeats paywall)
So the Internet Didn't Turn Out the Way We Hoped. Now What_ - The New York Times.pdf (local copy defeats paywall)
https://identity.foundation/
https://www.scmp.com/news/china/science/article/3206384/chinese-scientists-claims-new-quantum-code-breaking-algorithm-raise-eyebrows-us
https://www.amazon.com/Fourth-Turning-American-Prophecy-Rendezvous/dp/0767900464
https://www.investopedia.com/tech/what-dao/
https://www.jimcollins.com/books.html ("Good to Great" and "Built to Last" were called out)
https://www.amazon.com/Tyranny-Twenty-Lessons-Twentieth-Century/dp/0804190119
John's BSides San Diego slides: https://www.aronetics.com/wp-content/uploads/2023/01/Losing-Control-Aronetics-6-Oct-2022-FIN.pdf
John's WiCyS talk slides: Pending
Sidechannel (Fractional CISO organization): https://sidechannel.com/ (Jerod's organization)
https://www.aronetics.com/ (John's company)

Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @bryanbrake@mastodon.social
Website: https://www.brakeingsecurity.com
Twitch: https://twitch.tv/brakesec

Jan 24, 2023 • 1h 23min
Layoff discussions, another TMO breach, OneNote Malware, and more!
Lots of layoffs (Meta, Microsoft, Amazon, Sophos, Alphabet, Google); talk about the future effects of that. Did it affect security? Attack surface management is risk management, breaches and the TSA no-fly list leaked, and more!
Full YouTube video: https://www.youtube.com/watch?v=1Dgq8FpnWPw

Questions and/or potential sub-topics (5 minimum):
Layoffs (fear, uncertainty, doubt), what it means for people: https://www.lollydaskal.com/leadership/5-warning-signs-you-are-being-led-by-a-weak-leader/
"No fly list leaked": https://www.vice.com/en/article/93a4p5/us-no-fly-list-leaks-after-being-left-in-an-unsecured-airline-server
Attack Surface Management: https://flashpoint.io/blog/what-is-attack-surface-management/
https://www.bleepingcomputer.com/news/security/beware-hackers-now-use-onenote-attachments-to-spread-malware/
https://securityaffairs.com/141102/hacking/eof-cisco-routers-exposed-rce.html
https://www.linkedin.com/posts/threatintelligence_threat-intel-cheat-sheet-by-cyber-threat-activity-7021035081184026624-3GWH? (issues with "step 0")

Additional information / pertinent Links (would you like to know more?):
https://www.sec.gov/ix?doc=/Archives/edgar/data/0001283699/000119312523010949/d641142d8k.htm - TMO's 8-K filing
https://www.bleepingcomputer.com/news/security/verizon-notifies-prepaid-customers-their-accounts-were-breached/
https://en.wikipedia.org/wiki/Maia_arson_crimew
https://discord.gg/brakesec

Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @bryanbrake@mastodon.social
Website: https://www.brakeingsecurity.com
Twitch: https://twitch.tv/brakesec

Jan 10, 2023 • 1h 25min
GPS car hacks, Google threat report, notable topics of 2022, satellite threat modelling, Twitter breach(?)
Topics:
What were the biggest stories of 2022? Any notable trends that you saw?
https://acut3.github.io/bug-bounty/2023/01/03/fetch-diversion.html (fetch diversion)
I got 5 million steps in 2022! Looking to jog/run 350 miles
https://medium.com/@jdowde2/the-security-threat-of-and-in-file-path-strings-d75ee695eb3a (danger of , and .. in file paths)
Google's Threat Horizons report

Additional information / pertinent Links (would you like to know more?):
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jan2023.pdf (Google's Threat Horizons report)
https://securityboulevard.com/2023/01/google-cybersecurity-action-team-threat-horizons-report-5-is-out/
https://medium.com/malware-buddy/6-useful-infographics-for-threat-intelligence-240d6aca333e
https://www.vice.com/en/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps
https://hbr.org/2016/09/excess-management-is-costing-the-us-3-trillion-per-year
https://thenewstack.io/circleci-secrets-catastrophe/
https://www.nbc29.com/2023/01/06/twitter-leak-exposes-235-million-email-addresses-hack/

Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @bryanbrake@mastodon.social
Website: https://www.brakeingsecurity.com
Twitch: https://twitch.tv/brakesec

Dec 20, 2022 • 1h 8min
Josh-Whalen-risk-management-data_visualization-tools, value-creating activities -p2
Full stream video on YouTube: https://youtu.be/i1xpAfNFCvY
John's YouTube channel, to find more training/contact information: https://www.youtube.com/channel/UC3ctyx980M8jLa_cEiQveLQ
https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
ADKAR model: https://www.prosci.com/methodology/adkar
CCE framework: https://inl.gov/cce/
Dashboard (non-sponsored link): https://monday.com
Diagramming tool: https://figma.com
https://www.sciencedirect.com/topics/computer-science/system-analysis
Amazon book: https://www.amazon.com/Engineering-Safer-World-Systems-Thinking/dp/0262533693

Dec 11, 2022 • 38min
John Whalen, data visualization tools, risk management, handling org risk-p1
Full stream video on YouTube: https://youtu.be/i1xpAfNFCvY
John's YouTube channel, to find more training/contact information: https://www.youtube.com/channel/UC3ctyx980M8jLa_cEiQveLQ
https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
ADKAR model: https://www.prosci.com/methodology/adkar
CCE framework: https://inl.gov/cce/
Dashboard (non-sponsored link): https://monday.com
Diagramming tool: https://figma.com
https://www.sciencedirect.com/topics/computer-science/system-analysis
Amazon book: https://www.amazon.com/Engineering-Safer-World-Systems-Thinking/dp/0262533693

Nov 22, 2022 • 52min
Interview with Infrared - one of the Seattle Community Network organizers
Full stream video: https://youtu.be/iW39Mugj4OM (interview starts at 28m22s)
Broadcast live on Twitch. Watch live at https://www.twitch.tv/brakesec
Seattle Community Network: https://seattlecommunitynetwork.org/ https://medium.com/seattle-community-network/
Check Bryan out on Mastodon!