Episode466

From Paul's Security Weekly
Jump to: navigation, search


Paul's Security Weekly - Episode 466 - 6:00PM

This week we interview Wade Baker from ThreatConnect, listener feedback will include career advice and open source vs. commercial security tools and in security news this week Google kills passwords on Android, steps for evaluating security vendors, APT strikes 6 month old Flash vulnerability, all that and more so stay tuned

Episode Audio

Recorded May 26, 2016

Interview: Wade Baker from ThreatConnect

Wade Baker is the Vice President, Strategy and Risk Analytics at ThreatConnect. He believes improving information security starts with improving security information. In keeping with this belief, he’s working to complete his doctoral thesis, “Toward a Decision Support System for Managing Information Risk in Supply Chains”.

Previously, he served as Director of Cybersecurity Strategy and Research at Verizon Security Solutions where he led the overall direction of security services, technology capabilities, intelligence operations, and research programs. Baker spearheaded Verizon’s annual Data Breach Investigations Report (DBIR), the Vocabulary for Event Recording and Incident Sharing (VERIS), and the VERIS Community Database.

Wade holds a B.S. and M.S. from the University of Southern Mississippi, and a PhD from Virginia Tech.

  1. How did you get your start in information security?
  2. What is the most valuable information for security practioners in the Verizon DBIR?
  3. Some say the Verizon DBIR is not a complete picture, only pulling data from Verizon customers, how do we make the most of the limited data set or is this not a huge deal?
  4. The DBIR once published how breaches were discovered, do you know or care to theorize why have they stopped this?
  5. What is Threat Intelligence?
    1. A list of bad IP addresses?
    2. Events happening on other people's networks?
    3. Specific behavior of malware?
    4. Where the bad guys are?
    5. Who the bad guys are?
    6. Details on vulnerabilities that have yet to be announced?
  6. Anonymous: So the value of the threat intelligence is both slight and fleeting - although it can be expensive! In other words threat intelligence is similar to American beer.
  7. Anonymous: Most threat intelligence is a threat to our intelligence
  8. Why does threat intelligence get such a bad rap?
  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Listener Feedback

This is not a technical segment.

Topic #1

One thing that I think would be really interesting and informative would be to talk about any free/open source products/solutions in the space and how they compare to the commercial products.

I know when I am learning about a new type of product that I haven't used before, I often experiment with it in a lab environment first, with little budget. This helps me become familiar with the class of tools and evaluate if it would be useful to pursue a more formal solution and get budget and buy something from a vendor (though sometimes we continue with the open source stuff).

Topic #2

My name’s Lauren, and the reason I began subscribing was because I’m currently pursing my master’s in cyber security. I’m transitioning from being strategic cyber threat analyst (knowledge on actors tools, intrusion sets, targets they go after, etc.), to a more technical career in the InfoSec (learn/understand coding, network building/hardening, pen testing, etc). Long story short— I don’t have a mentor in the field I’m trying to pursue so I thought I’d reach out to my fav podcast crew for advice and maybe get an answer:

I was wondering if you all have any advice for recent graduates what jobs are great experience builders (as in what are some entry level positions recent grads should be shooting for)? Also any recommendations on skills an InfoSec person really needs to acquire/practice besides just a degree to help land your first job AND be successful at it?

Security News - 7:00PM-8:00PM

Paul's Stories

  1. Jeremiah Grossman: 7 Tips to Get the Absolute Best Price from Security Vendors = The smartest sentence in this article is in the last paragraph, where Holger Schulze states: At the end of the day, he says, it’s about employing the right people who understand the technology and know how to protect the company’s data. Surveys, such as this one, need to come with a giant grain of salt. Its a small sampling, and some of the percentages mean nothing. Not to mention people's answers are warped when taking a survey, "Oh my security is great compared to the cloud" so they just check boxes that have no real meaning in reality.
  2. Apple hires crypto-wizard Jon Callas to beef up security - Apple says this: Callas will not be the only security expert being hired by Apple, with several more people currently being courted. It seems Apple is making a major effort to further increase the security and privacy of its systems after a series of bruising encounters with the US government. but then declines any comment on hiring Callas. While you can hire security people, there is a lot more to security than just having the talent. Building trust in the security of a product requires a good amount of transparency, something that Apple has never had or liked...
  3. APT Groups Finding Success with Patched Microsoft Flaw - Curious why organizations would not just patch this, or better yet convert to Google Docs or Office 365. Okay, I do know. First, patches break things and people spend a huge amount of time finding the vulnerabilities, testing the patch, then deploying the patch. Moving to the cloud is so scary, as I have to host my data on someone elses's environment. What's worse? Losing your data to an "APT Phishing" campaign, or risk losing it to a cloud provider who dropped the ball on security? Its like choosing between Coors lite and miller light....
  4. Google To Kill Passwords On Android - Something tells me this sounds good at first, but then disaster will strike: Factors such as typing speed, vocal inflexions, facial recognition and proximity to familiar Bluetooth devices and Wi-Fi hotspots would be used to calculate the score. Games and basic tools would be run even if only a low trust score was achieved, while more sensitive apps such as banking and webmail would need the biometric and location-based data to line up and provide a high score.
  5. Pastejack Attack Turns Your Clipboard Into A Threat - Ayrey notes that the attack can be used to exploit Vim as well Vim? Noooooooooo...
  6. Microsoft Bans Common Passwords That Appear In Breach Lists - Common sense has struck!
  7. "Anonymous Ops Trending
  8. Looking for Trouble
  9. When domain names attack: the WPAD name collision vulnerability
  10. Elders way better at password security than millennials
  11. Inside the world's second worst exploit toolkit
  12. 5 Reasons Enterprises Still Worry About Cloud Security

Larry's Stories

  1. - TSA failing at cyber security - I am Larry’s shocked prefrontal cortex...
  2. - Smart meter security through Security - "Smart-meter vendor says that if we know how their system works, the terrorists will win"
  3. Fabrication time attacks - Holy fsck. using analog circuits in ICs to deliver "backdoors", including changing the chemical makeup of pins to integrate the attacks... I don't even know what to trust anymore. How many people in the world could identify this type of attack?

Joff's Stories

Jack's Stories

  1. How to untrust the BlueCoat CA issued by Symantec because Symantec gave BlueCoat a CA?!?
  2. DEATH TO PASSWORDS or something like that, as Google says they'll do away with passwords for Android
  3. By an amazing coincidence, Jon Callas rejoins Apple or maybe it isn't a coincidence
  4. Deep thoughts from Cormac Herley on the unfalsifiability of security claims. Maybe a bit too deep for me.
  5. You can never trust hardware again. Ever. Brilliant research into chip (in)security.
  6. A locked door beats the best alarm a good post from Chris Wysopal with his take on the state of security.
  7. A surprisingly balanced take on privacy and lawful surveillance from ENISA and Europol

Kevin's Stories

Michael's (Santa) Stories