Avsnitt
-
Guest Info:
Name: Bronwen Aker
Contact Information (N/A): https://br0nw3n.com/
Time Zone(s): Pacific, Central, Eastern
–Copy begins–
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences, and do not represent views of past, present, or future employers.
Recorded: https://youtube.com/live/guhM8v8Irmo?feature=share
Show Topic Summary: By harnessing AI, we can assist in being proactive in discovering evolving threats, safeguard sensitive data, analyze data, and create smarter defenses. This week, we’ll be joined by Bronwen Aker, who will share invaluable insights on creating a local AI tailored to your unique needs. Get ready to embrace innovation, transform your work life, and contribute to a safer digital world with the power of artificial intelligence! (heh, I wrote this with the help of AI…)
Questions and topics: (please feel free to update or make comments for clarifications)
Things that concern Bronwen about AI: (https://br0nw3n.com/2023/12/why-i-am-and-am-not-afraid-of-ai/)
Data Amplification: Generative AI models require vast amounts of data for training, leading to increased data collection and storage. This amplifies the risk of unauthorized access or data breaches, further compromising personal information.Data Inference: LLMs can deduce sensitive information even when not explicitly provided. They may inadvertently disclose private details by generating contextually relevant content, infringing on individuals’ privacy.
Deepfakes and Misinformation: Generative AI can generate convincing deepfake content, such as videos or audio recordings, which can be used maliciously to manipulate public perception or deceive individuals. (Elections, anyone?)
Bias and Discrimination: LLMs may inherit biases present in their training data, perpetuating discrimination and privacy violations when generating content that reflects societal biases.
Surveillance and Profiling: The utilization of LLMs for surveillance purposes, combined with big data analytics, can lead to extensive profiling of individuals, impacting their privacy and civil liberties.
Setting up a local LLM? CPU models vs. gpu models
pros/cons? Benefits?What can people do if they lack local resources?
Cloud instances? Ec2? Digital Ocean? Use a smaller model?https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
AI coding assets are hallucinating package names
5.2 percent of package suggestions from commercial models didn't exist, compared to 21.7 percent from open source or openly available models
Attackers can then create malicious packages matching the invented name, some are quite convincing with READMEs, fake github repos, even blog posts
An evolution of typosquatting named “slopsquating” by Seth Michael Larson of Python Software Foundation
Threat actor "_Iain" posted instructions and videos using AI for mass-generated fake packages from creation to exploitation
Additional information / pertinent LInks (Would you like to know more?):
https://www.reddit.com/r/machinelearningnews/s/HDHlwHtK7U
https://br0nw3n.com/2024/06/llms-and-prompt-engineering/ - Prompt Engineering talk
https://br0nw3n.com/wp-content/uploads/LLM-Prompt-Engineering-LayerOne-May-2024.pdf (slides)
Daniel Meissler ‘Fabric’ - https://github.com/danielmiessler/fabric
https://www.reddit.com/r/LocalLLaMA/comments/16y95hk/a_starter_guide_for_playing_with_your_own_local_ai/
Ollama tutorial (co-founder of ollama - Matt Williams): https://www.youtube.com/@technovangelist
https://mhtntimes.com/articles/altman-please-thanks-chatgpt
https://www.whiterabbitneo.com/ - AI for DevSecOps, Security
https://blogs.nvidia.com/blog/what-is-retrieval-augmented-generation/
https://www.youtube.com/watch?v=OuF3Q7jNAEc - neverending story using an LLM
https://science.nasa.gov/venus/venus-facts
Show points of Contact:
Amanda Berlin: https://www.linkedin.com/in/amandaberlin/
Brian Boettcher: https://www.linkedin.com/in/bboettcher96/
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
-
Saknas det avsnitt?
-
Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec or Youtube: https://youtube.com/c/BDSPodcast
join the Discord: https://bit.ly/brakesecDiscord
https://arxiv.org/abs/2302.14172 - EPSS whitepaper
https://www.linkedin.com/posts/jayjacobs1_epss-threatintel-vulnerabiltymanagement-activity-7308146548767404032-RubN
https://www.first.org/epss/
https://events.zoom.us/ev/AmoNH3baC7HVqDlDmgUtd2uCmTCMwJXfkR8mG6I5OxzbW01nhRMQ~AoEYQz5ROK4ybE4iX9b0PL-1utz4z0nbyrTjT4lskH_08_zfesR_Q_rNlA - BHIS training with Bronwen Aker on 03 April 2025
Music:
Music provided by Chillhop Music: https://chillhop.ffm.to/creatorcred
"Flex" by Jeremy Blake Courtesy of Youtube media library -
Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec
Join the Discord! https://bit.ly/brakesecDiscord
Questions and topics: (please feel free to update or make comments for clarifications) * https://techoreon.com/http-flaw-in-apple-passwords-left-iphones-vulnerable/ * https://darkmarc.substack.com/p/attackers-dont-need-exploits-when * https://www.techzine.eu/news/security/129713/the-browser-is-riddled-with-bugs-2025-may-squash-them/ * https://medium.com/@vanvleet/compound-probability-you-dont-need-100-coverage-to-win-a2e650da21a4 (interesting article on quantifying attack risk by your coverage in MITRE) * https://www.promptfoo.dev/blog/agent-security/ * https://www.socvel.com/quiz/ - 20March2025 edition! * https://secureannex.com/blog/buying-browser-extensions/ - interesting article about browser extensions * https://gist.github.com/c0m4r/45e15fc1ec13c544393feafca30e74de?permalink_comment_id=5298117#gistcomment-5298117 * https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/ * https://arealsociety.substack.com/p/you-can-just-take-things-cyber-letters?r=99bhj - oh boy, cyber ‘letters of marque’
Additional information / pertinent LInks (Would you like to know more?):
* VanVleet detection engineering podcast appearance: https://www.youtube.com/watch?v=5DAQkvOyqME * https://medium.com/@vanvleet/technique-analysis-and-modeling-ffef1f0a595a * https://github.com/prodaft/cradle/ * https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/ * https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor
Show points of Contact: Amanda Berlin: https://www.linkedin.com/in/amandaberlin/ Brian Boettcher: https://www.linkedin.com/in/bboettcher96/ Bryan Brake: https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@BrakeSecEd Twitch Channel: https://twitch.tv/brakesec
Music:
Music provided by Chillhop Music: https://chillhop.ffm.to/creatorcred
"Flex" by Jeremy Blake Courtesy of Youtube media library -
Youtube VOD: https://www.youtube.com/watch?v=zu_smyQGvG4
https://lcamtuf.substack.com/p/how-security-teams-fail
https://cyberintel.substack.com/p/doge-exposes-once-secret-government
https://x.com/SteamDB/status/1889610974484705314 – supply chain issues can crop up anywhere… are you blocking people from steam and popular software downloads online?
https://www.landh.tech/blog/20250211-hack-supply-chain-for-50k/
https://medium.com/@cyberengage.org/rethinking-incident-response-from-picerl-to-dair-7b153a76e044
https://www.youtube.com/watch?v=3HRkKznJoZA
-
Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec
Join the Discord! https://discord.gg/brakesec
#youtube VOD (in 1440p): https://www.youtube.com/watch?v=axQWGyd79NM
Questions and topics:
Bsides Vancouver discussion
Semgrep Community and Academy
Building communities
What are ‘secure guardrails’
Reducing barriers between security and developers
How to sell security to devs: “hey, if you want to see us less, buy/use this?”
“Security is your barrier, but we have goals that we can’t reach without your help.”
https://wehackpurple.com/devsecops-worst-practices-artificial-gates/
How are you seeing things like AI being used to help with DevOps or is it just making things more complicated? Not just helping write code, but infrastructure Ops, software inventories, code repo hygiene, etc?
OWASP PNW https://www.appsecpnw.org/
Alice and Bob coming next year!Additional information / pertinent LInks (Would you like to know more?):
shehackpurple.ca
Semgrep (https://semgrep.dev/)
https://aliceandboblearn.com/
https://academy.semgrep.dev/ (free training)
Netflix ‘paved roads’: https://netflixtechblog.com/how-we-build-code-at-netflix-c5d9bd727f15
https://en.wikipedia.org/wiki/Nudge_theory
https://www.perforce.com/blog/qac/what-is-linting
https://www.youtube.com/watch?v=FSPTiw8gSEU
https://techhq.com/2024/02/air-canada-refund-for-customer-who-used-chatbot/
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@BrakeSecEd
Twitch Channel: https://twitch.tv/brakesec -
Youtube VOD: https://youtu.be/G3PxZFmDyj4
#appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis
Questions and topics:1. The background to the topic, why is it something that interests you?
How do you convince developers to take your course?2. What do you think the root cause of the gap is?
3. Who is causing the gaps? (‘go fast’ culture, overzealous security, GRC requirements, basically everyone?)
4. Where do gaps begin? Is it the ‘need’ to ‘move fast’?
5. What can devs do to involve security in their process? Sprint planning? SCA tools?
6. How have you seen this go wrong at organizations?
7. How important is it to have security early in the product development process?
8. What sort of challenges do you think mainstream security people face in AppSec scenarios?
9. How does Product Security differ from Application Security? (what if the product is an application?)
10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec?
11.. How do you suggest a security team approach AppSec/ProdSec?
Leadership buy-in
Effective/valuable processes
Tools should achieve a goal12. SBOM - NTIA is asking for it, How to get dev teams to care.
13. Key takeaways?
Additional information / pertinent LInks (Would you like to know more?):
BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218https://www.walkme.com/blog/leadership-buy-in/
https://www.bouncesecurity.com/
https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example
https://www.cisa.gov/sbom
SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd
https://semgrep.dev/
https://www.linkedin.com/in/joshcgrossman
https://owasp.org/www-project-application-security-verification-standard/
https://github.com/OWASP/ASVS/tree/master/5.0
https://owasp.org/www-project-cyclonedx/
https://joshcgrossman.com/
PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg
Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210
https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-372101705524544
ASVS website: https://owasp.org/asvs
Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec -
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences and do not represent views of past, present, or future employers.
Recorded: 08 Apr 2024
Youtube VOD: https://www.youtube.com/watch?v=K8qApvsFtqw
Show Topic Summary:
If you want to get in the mind of a board member, I submit to you my discussion with Mary Gardner we did last night on #brakesec #education. Join Mary and I as we discuss the functions of a board, messaging to various levels of leadership and teams, and what it takes to make that leap to being a CISO.
And when you're done, and you need someone to help your org get more mature, contact the team at GoldiKnox.
#cybersecurity #informationsecurity #ciso #leadership #GRCQuestions and topics:
https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity
“Just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. “
They obviously have different priorities, so what brings everyone to the table to discuss? Are they even worried about security?
Tactical goals vs. org goals and aligning them
What are boards most worried about these days?
Staying relevant in the face of AI?
What tech will protext them from the newest threats?
GRC is forced security, security is completely optional, Compliance requires some sort of security
Additional information / pertinent LInks (Would you like to know more?):
Research organizations (gartner, forrester, etc)
https://goldiknox.com/
https://www.linkedin.com/pulse/board-needs-help-planning-cybersecurity-start-here-daniel-briley-k7xzc
https://hbr.org/2022/11/is-your-board-prepared-for-new-cybersecurity-regulations
https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
Discord: https://discord.gg/brakesec
-
Full Youtube VOD: https://www.youtube.com/watch?v=uX7odQTBkyQ
Questions and topics:
Let’s talk about Mindful Business Podcast
What’s the topics you cover?
Topic #1: discuss your experiences when you were a new leader.
What worked? What didn't? What would you have done differently?
Do you emulate your manager's style? What have been your go-to management resources?
What is a good piece of advice that you’ve been given or that you impart to others that relates to leadership?
Topic #2: building/Operating SaaS products (we can discuss securing them, what functions should be table stakes (data structures, logging, etc)
Topic #3: What are bare minimums for building ‘secure’ Saas products in your particular field? And how do you balance security with a positive user experience (i. e. getting customers to buy into MFA/OAUTH, OTA updates
Topic #4: Do many SaaS products get over-integrated? Is the need for integration override best practices in security?
Additional information / pertinent LInks (Would you like to know more?):
Twitter/Mastodon:
https://twitter.com/AccidentalCISO
https://infosec.exchange/@accidentalcisoThe Mindful Business Security Show:
https://www.mindfulsmbshow.com/
https://twitter.com/mindfulsmbshow
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
-
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information, and do not represent views of past, present, or future employers.
Recorded: 28 Jan 2024
Youtube VOD: https://youtube.com/live/uX7odQTBkyQ
Questions and topics:
Let’s talk about Mindful Business Podcast
What’s the topics you cover?
Topic #1: discuss your experiences when you were a new leader.
What worked? What didn't? What would you have done differently?
Do you emulate your manager's style? What have been your go-to management resources?
What is a good piece of advice that you’ve been given or that you impart to others that relates to leadership?
Topic #2: building/Operating SaaS products (we can discuss securing them, what functions should be table stakes (data structures, logging, etc)
Topic #3: What are bare minimums for building ‘secure’ Saas products in your particular field? And how do you balance security with a positive user experience (i. e. getting customers to buy into MFA/OAUTH, OTA updates
Topic #4: Do many SaaS products get over-integrated? Is the need for integration override best practices in security?
Additional information / pertinent LInks (Would you like to know more?):
Twitter/Mastodon:
https://twitter.com/AccidentalCISO
https://infosec.exchange/@accidentalcisoThe Mindful Business Security Show:
https://www.mindfulsmbshow.com/
https://twitter.com/mindfulsmbshow
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
-
It's our 10th anniversary and the first show of our 2024 season!
Amanda was on "7 minute security"
https://7minsec.com/projects/podcast
Check out the complete VOD at https://youtu.be/vbmEtkxhAMg
Explicit language warning
www.brakeingsecurity.com
https://twitch.tv/brakesec
https://bit.ly/brakesecyt
-
Youtube Video: https://youtu.be/IUDPlQaQg8M
https://forms.gle/rf145MoN7cskwMjf8
is the link to the survey. Your information (should you choose to identify yourself) will not be shared outside of the BrakeSec Team.Thank all of you for listening and for your input.
RSS feed for the audio podcast is at https://www.brakeingsecurity.com/rss
website: https://www.brakeingsecurity.com -
Show Topic Summary:
Ms. Berlin proposes a question of how to gather more headcount with metrics, we discuss the BLUFFS bluetooth vulnerability, and “Ranty Claus” talks about CISA’s remarks of putting the onus on device product makers to remove choice for customers and implement secure defaults.
#youtube VOD: https://www.youtube.com/watch?v=emcAzTx9z0c
Questions and topics:
https://cyberscoop.com/cisa-goldstein-secure-by-design/
https://hackaday.com/2023/12/02/update-on-the-bluffs-bluetooth-vulnerability/
Additional information / pertinent LInks (Would you like to know more?):
https://cyberscoop.com/jen-easterly-secure-by-design/
https://www.cisa.gov/resources-tools/resources/stop-passing-buck-cybersecurity
Examples of companies forcing changes https://www.bleepingcomputer.com/news/microsoft/microsoft-will-roll-out-mfa-enforcing-policies-for-admin-portal-access/
https://github.com/aya-rs/aya - eBPF implementation in Rust
https://ossfortress.io/
https://www.darkreading.com/endpoint-security/critical-logofail-bugs-secure-boot-bypass-millions-pcs
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social, https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Twitter: @brakesec
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
-
Subscribe on Twitch using Amazon Prime and watch us live: https://twitch.tv/brakesec
Check out our VODs on Youtube: https://www.youtube.com/@BrakeSecEd
Join the BrakeSecEd discord: https://discord.gg/brakesecNews:
https://www.darkreading.com/remote-workforce/1password-latest-victim-okta-customer-service-breach
https://www.documentcloud.org/documents/24075435-bhi-notice
https://www.bleepingcomputer.com/news/security/us-energy-firm-shares-how-akira-ransomware-hacked-its-systems/
https://www.bleepingcomputer.com/news/security/ransomware-isnt-going-away-the-problem-is-only-getting-worse/
https://www.shacknews.com/article/137505/ransomware-group-capcom-2020-arrested
https://www.bleepingcomputer.com/news/security/flipper-zero-can-now-spam-android-windows-users-with-bluetooth-alerts/
https://www.nasdaq.com/articles/three-cybersecurity-sectors-that-resist-economic-downturns
-
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Guest Bio: Nicole is the Chief Product Officer at Axio. Nicole has spent her career building awareness around the benefits of usable security and human-centered security as a way to increase company revenue and create a seamless user experience.
Youtube VOD Link: https://youtube.com/live/tFaAB9an47g
Questions and topics: Usable security: is it an oxymoron?
What determines if the security is ‘usable’ or no? We sacrifice security for a better UX, what can be done to alleviate that? Or is it some sort of sliding scale in “poor UX, amazing security or awesome UX, poor security” Examples of poor UX for ‘people’: MFA, and password managers.
SEC updates and ‘material events’ and how that would affect security, IR, and other company reporting functions.
Also, additional documentation (Regulation S-K Item 106) https://www.linkedin.com/posts/nicole-sundin-5225a1149_sec-adopts-rules-on-cybersecurity-risk-management-activity-7090065804083290112-ISD8
Are companies ready to talk about their cybersecurity? Can the SEC say “you’re not doing enough?”
What is ‘enough’?
Are we heading toward yet another audit needed for public companies, similar to SOX?
When does an 8-K get publicly disclosed?
Materiality is based on a “reasonable investor”?
So, you don’t need to announce that until you’re certain, and it’s based on what you can collect? Cyber Risk Management and some good examples of how to set up a proper cyber risk organization
Additional Links:
https://csrc.nist.gov/CSRC/media/Projects/usable-cybersecurity/images-media/Is%20Usable%20Security%20an%20Oxymoron.pdf
http://web.mit.edu/Saltzer/www/publications/protection/Basic.html
https://www.sec.gov/news/press-release/2023-139
https://www.sec.gov/news/statement/munter-statement-assessing-materiality-030922
https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/sec-final-cybersecurity-disclosure-rules.html
https://www.nasa.gov/centers/ames/research/technology-onepagers/hc-computing.html
https://securityscorecard.com/blog/what-is-cyber-security-performance-management/
-
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Guest Bio: John is the CEO of Aronetics. An avid climber and runner, John has spoken at many conferences about topics like ZeroTrust, BIOS/UEFI security, communication security, and malware. Aronetics is a technology-enabled service provider.
Youtube VOD: https://youtube.com/live/5dIVTwVZLAU
Linkedin VOD: https://www.linkedin.com/video/live/urn:li:ugcPost:7101738254823030784
Show Topic Summary:
John joins us to discuss “letters of Marque” in an effort for hackers to ‘hack back’... the overreliance on automation, and communication siloes. We also talk about what a ‘junior position’ in infosec looks like with AI doing all the “Level 1 SOC Analyst” type roles normally given to someone fresh to the security industry.
Questions and topics:
Is infosec over reliant on automation? Automation comes with its own challenges.
Documentation woes
Automation is usually found in userland
Aronetics’ Thor provides defense and counter-offense tamper-proof technology digitally tied to
Letter of Marque - good idea, or geopolitical disaster waiting to happen?
Siloes and communication -best ways to overcome those in an org and outside?How do we overcome siloing?
Overcoming security challenges?Identity management - 2FA is everywhere, there’s already ways around 2FA, so what now? 3FA? Biometrics? Make everyone carry around physical tokens that we can lose?
Blog post: https://www.aronetics.com/post-quantum-cryptography/
What do we need to protect against? Nation states with quantum computers? Rubber hose cryptography?Crime thrives in areas of low visibility. https://www.aronetics.com/unknown/
https://www.aronetics.com/inside-the-breach/ (threat detection - the crime thrives in low vis areas)
Show points of Contact:
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
Amanda Berlin: @[email protected] (Mastodon) @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social
-
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Buy here: https://subscription.packtpub.com/book/security/9781801076715
Amazon Link: https://packt.link/megan
Youtube VOD: https://www.youtube.com/watch?v=p1_jQa9OQ2w
Show Topic Summary:
Megan Roddie is currently working as a Senior Security Engineer at IBM. Along with her work at IBM, she works with the SANS Institute as a co-author of FOR509, presents regularly at security conferences, and serves as CFO of Mental Health Hackers. Megan has two Master's degrees, one in Digital Forensics and the other in Information Security Engineering, along with many industry certifications in a wide range of specialties. When Megan is not fighting cybercrime, she is an active competitor in Muay Thai/Kickboxing. She is a co-author of “Practical Threat Detection Engineering” from Packt publishing, on sale now in print and e-book. Buy here: https://subscription.packtpub.com/book/security/9781801076715
https://packt.link/megan ← Amazon redirect link that publisher uses if you want something easier on the notes
Questions and topics:
Of the 3 models, which do you find you use more and why? (PoP, ATT&CK, kill chain)
What kind of orgs have ‘detection engineering’ teams? What roles are involved here, and can other teams (like IR) be involved or share a reverse role there?
Lab setup requires an agent… any agent for ingestion or something specific?
How does Fleet or data ingestion work for Iot/Embedded device testing? Anything you suggest?
How important is it to normalize your log output for ingestion? (app, web, server all tell the story)
Additional information / pertinent LInks (Would you like to know more?):
Unified Kill Chain: https://www.unifiedkillchain.com/
ATT&CK: https://attack.mitre.org/
D3FEND matrix BrakeSec show from 2021: https://brakeingsecurity.com/2021-023-d3fend-framework-dll-injection-types-more-solarwinds-infections
Pyramid of Pain: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
https://www.securitymagazine.com/articles/98486-435-million-the-average-cost-of-a-data-breach
https://medium.com/@gary.j.katz (per Megan, ‘it’s basically Chapter 11 of the book’)
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social, Twitter, bluesky
Brakesec Website: https://www.brakeingsecurity.com
Twitter: @brakesec
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
-
Check out our sponsor (BLUMIRA) at https://blumira.com/brake
youtube channel link: https://youtube.com/c/BDSPodcast
Full video on our youtube Channel! https://www.youtube.com/watch?v=BkBeLuM_urk
https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/
https://www.darkreading.com/remote-workforce/hacker-infected-foiled-by-own-infostealerhttps://therecord.media/cisa-warnings-adobe-microsoft-citrix-vulnerabilities
https://www.itsecurityguru.org/2023/07/18/millions-of-keyboard-walk-patterns-found-in-compromised-passwords/
https://therecord.media/airline-customer-support-phone-number-fraud-google
https://twitter.com/Shmuli/status/1680669938468499458
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
https://www.jdsupra.com/legalnews/tabletop-exercises-as-risk-mitigation-5278057/
https://www.darkreading.com/vulnerabilities-threats/linux-ransomware-poses-significant-threat-to-critical-infrastructure
https://bevyengine.org/ - Rust game engine
https://godotengine.org/ - a more mature Rust game enginehttps://flappybird.io/ - which I suck at, BTW
Intro/outro music:
"Flex" by Jeremy Blake
Courtesy of YouTube Music Library (used with proper permissions) -
BrakeSec Show Outline – No Guest
Show Topic Summary (less than 300 words)
Bsides Seattle and Bsides Austin
Youtube VOD: https://youtube.com/live/UGRaRSYj7kc
Questions and potential sub-topics (5 minimum):
Bsides Seattle update and Bsides Austin
Patching the unpatchable
https://en.wikipedia.org/wiki/Parkerian_Hexad
Power and influence (is power bad? Is influence?)
5. https://deliverypdf.ssrn.com/delivery.php?ID=357001027119125105074103081006094117005092014048001013007086030071009081068110103025024041103038045036033080107020112080097022024073029064061065125002071028013110008011045013116002084024000066075067001126004101003027004086091007025096080019022003104&EXT=pdf&INDEX=TRUE (A Theory of Creepy: Technology, Privacy and Shifting Social Norms)
(contact info for people to reach out later):
Additional information / pertinent Links (would you like to know more?):
(contact info for people to reach out later):
https://www.bleepingcomputer.com/news/security/microsoft-shares-guidance-to-detect-blacklotus-uefi-bootkit-attacks/
https://www.bleepingcomputer.com/news/security/malware-dev-claims-to-sell-new-blacklotus-windows-uefi-bootkit/
Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @[email protected]
Website: https://www.brakeingsecurity.com
Twitch: https://twitch.tv/brakesec
Youtube: https://www.youtube.com/c/BDSPodcastEmail: [email protected]
-
Show Topic Summary (less than 300 words)
Insider threat still exists, Lynsey Wolf talks with us about HR’s role in insider threat, how prevalent investigations are in the post-pandemic work from home environment.
Questions and potential sub-topics (5 minimum):
What is the difference between insider threat and insider risk?
Motivators of insider threat (not much different than espionage,IMO -bryan) (MICE: Money, Ideology, Compromise, and Ego.) https://thestack.technology/pentagon-leaks-insider-threat-sysadmin/
75% of all insider threats are being kicked off by HR departments. In short, it's proactive.
“How did HR figure that out?” How are investigations normally initiated? What tools are they implementing to check users or predicting a disgruntled employee?” UEBA? CASB? Employee surveys that are ‘anonymous’? Someone who reported others and it was dismissed? What if HR ‘gets it wrong’ or ‘it’s a hunt to find people no into ‘groupthink’ or ‘not a culture fit’? https://www.cbsnews.com/news/french-worker-fired-for-not-being-fun-at-work-wins-lawsuit-cubik-responds/
How can organizations be mindful of how and what data is collected to mitigate risk without affecting employee trust? And who watches the watchers to ensure data is handled responsibly? Are there any privacy guidelines companies need to understand before they implement such a system? (GDPR? CCPA? Privacy notices? Consent to monitoring on login? https://securiti.ai/blog/hr-employee-data-protection/ )
Are companies causing the thing they are protecting against? (making an insider threat because they’ve become repressive?) (hoping there’s an ‘everything in moderation idea here… finding the happy medium between responsible ‘observability’ and ‘surveillance’)
Lots of ‘insider threat’ tools, including from EDR companies. Do companies do a good job of explaining to employees why you need EDR?
Quiet Quitting - latest term for companies to use to describe “employee has a side gig”. How does this figure into insider threat? Is it assumed that people only have one ‘thing’ they do, or did the lack of a commute give people more time during the pandemic to diversify?
Solutions for employees? Separate their work and private/side gig? Learn what their contract states to keep conflicts of interest or your current/past employer from taking your cool side project/start-up idea away from you? Solutions for companies?
Additional information / pertinent Links (would you like to know more?):
(contact info for people to reach out later):
https://www.cisa.gov/detecting-and-identifying-insider-threats
https://venturebeat.com/data-infrastructure/how-observability-has-changed-in-recent-years-and-whats-coming-next/
https://ccdcoe.org/library/publications/insider-threat-detection-study/
https://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454627.pdf (insider threat ontology)
https://www.intelligentcio.com/apac/2022/08/01/survey-reveals-organizations-see-malicious-insiders-as-a-route-for-ransomware/
https://www.helpnetsecurity.com/2022/04/08/organizations-insider-threats-issue/
https://www.fortinet.com/resources/cyberglossary/what-is-ueba
https://www.gartner.com/en/information-technology/glossary/cloud-access-security-brokers-casbs
https://thecyberwire.com/glossary/mice
https://qohash.com/the-high-price-of-trust-the-true-cost-of-insider-threats/
https://abc7chicago.com/classified-documents-jack-teixeira-air-national-guard-arrest/13126206/ (Air National Guardsman accused in military records leak makes 1st court appearance - story still developing as of 16 April 2023)
https://www.theverge.com/2020/8/4/21354906/anthony-levandowski-waymo-uber-lawsuit-sentence-18-months-prison-lawsuit
Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @[email protected]
Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec
Youtube: https://youtube.com/c/BDSPodcast
- Visa fler
