Episode612

From Paul's Security Weekly

Recorded July 18, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Patrick Laverty
    Pentester for Rapid7.
  • Jeff Man
    Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist, Tribe of Hackers, & InfoSec Curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.


  • Announcements

    • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will receive 1 CPE credit per webcast! Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand.

    • So many of the big East Coast cybersecurity tradeshows take place in crowded cities like Boston and New York, where parking is a nightmare and will cost you an arm and a leg. However, this year's Compass Cybersecurity Symposium is being held at Twin River Casino in Lincoln, RI, just 15 minutes outside of Providence! The venue has plenty of free and easy parking. Speakers include social engineering expert Chris Hadnagy and Security Weekly podcast founder Paul Asadoorian. Use the discount code "SW2019" to save $20 on registration!

    • Security Weekly will be at Hacker Halted in Atlanta, GA this October 10th-11th! EC-Council is offering our listeners a $100 discount to attend the two-day conference. Use discount code HH19SW when you register or go to securityweekly.com/hackerhalted and register there! Make sure you check out the keynote (Paul Asadoorian) and Mr. Jeff Man's talk as well!

    • Have you been trying your hardest to get a ticket to DerbyCon FinishLine?! We know that tickets sold out almost immediately, as they do almost every year, and we have an exciting announcement: Security Weekly is giving away 7 tickets to DerbyCon! Here's what you need to do - subscribe to the Security Weekly YouTube channel and send an email to sam@securityweekly.com with either a written or video testimonial about what Security Weekly means to you! That's it, it's really that simple! First 7 people to complete this will receive a ticket to DerbyCon! You will also be invited to participate in our Security Weekly DerbyCon interview series that Sam and Mark will be running at the conference!


    Interview: Katie Nickels, MITRE - 6:00-6:30PM

    Katie Nickels is the ATT&CK Threat Intelligence Lead at The MITRE Corporation, where she focuses on sharing how ATT&CK is useful for moving toward a threat-informed defense. She is also a SANS instructor for FOR578: Cyber Threat Intelligence. Katie has worked in network defense, incident response, and cyber threat intelligence for nearly a decade. She hails from a liberal arts background with degrees from Smith College and Georgetown University, embracing the power of applying liberal arts prowess to cybersecurity. With more than a dozen publications to her name, Katie has shared her expertise with presentations at BSidesLV, the FIRST CTI Symposium, multiple SANS Summits, Sp4rkcon, and many other events. Katie is also a member of the SANS CTI Summit and Threat Hunting Summit Advisory Board. She was the 2018 recipient of the President's Award from the Women's Society of Cyberjutsu and serves as the Program Manager for the Cyberjutsu Girls Academy, which seeks to inspire young women to learn more about STEM.

    Segment Title/Topic:
    MITRE ATT&CK

    Segment Description:
    MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

    Segment Resources:
    attack.mitre.org


    Topic Segment: Security Roundtable 6:30 - 7:30PM

    In this segment, we're going to talk about various security topics, such as:

    • Vulnerability Management - Name three tips for a successful vulnerability management program. How has vulnerability management changed in recent years?
    • Patching - How can we motivate IT operations to apply patches in a more timely and consistent manner? Do we even need to rely on patches for security today? Can we just patch the critical ones?
    • Hunt Teaming - What can organizations do to discover breaches more quickly and consistently? What are the best and most effective ways to hunt?
    • Asset Management - How can organizations build and maintain an accurate inventory of software and systems?
    • System Hardening - How should organizations develop a standard for “secure” systems and how should the program be structured? How much do we rely on configuration standards and compliance versus developing our own standards?

    Security News - 7:30PM-8:30PM

    Paul's Stories

    1. Adoption rates of basic cloud security tools and practices still far too low - Help Net Security
    2. Is web crawling legal? - Towards Data Science
    3. Still not using HTTPS? Firefox is about to shame you
    4. Malicious Python packages found on PyPI - Help Net Security
    5. Hacked Bluetooth hair straighteners are too hot to handle
    6. Identity Theft on the Job Market - Schneier on Security
    7. 79% of US Consumers Fear Webcams Are Watching
    8. Over 800,000 Systems Still Vulnerable to BlueKeep Attacks | SecurityWeek.Com
    9. How Capture the Flag Competitions Strengthen the Cybersecurity Workforce
    10. Slack resets passwords for 1% of its users because of 2015 hack | ZDNet
    11. No, You Don't Need a Burner Phone at a Hacking Conference
    12. 8 Legit Tools and Utilities That Cybercriminals Commonly Misuse
    13. Open Source Hacking Tool Grows Up
    14. Best Practices for Branch Office Edge Security
    15. Alan Turing - the face of the new £50 note
    16. 18% of Enterprises Holding Back on Windows 10 Upgrade
    17. Mysterious hackers steal data of over 70% of Bulgarians
    18. Woman arrested at Apple store after inserting half-dozen stolen iPads inside her vagina

    Jeff's Stories

    1. John Paul Stevens and the U.S. Navy at War - Remembering a fellow Cryppie who helped the U.S. turn the tide on the Japanese during World War II
    2. Slack Resets User Passwords After 2015 Data Breach
    3. Hacker Breached Sprint Customer Accounts Through Samsung Website
    4. Why 72% of people still recycle passwords - Why 100% of Security Weekly hosts drink
    5. A.I. has a bias problem and that can be a big challenge in cybersecurity - I'll bet some of us agree with this and some disagree. Why? Bias.
    6. Lenovo Confirms 36TB Data Leak Security Vulnerability - "These vulnerabilities, if exploited, could have impacted the integrity, availability, and confidentiality of the systems," - I've got a few problems with this statement...
    7. Apple Is Sending Out Another Silent Update To Fix RingCentral Webcam Flaw - Does Apple have a problem with worms?
    8. Zoom vulnerability reveals privacy issues for users - Wait, don't we use Zoom?

    Patrick's Stories

    1. Why BlueKeep Hasn't Wreaked Havoc Yet
    2. 800k Systems Still Vulnerable to BlueKeep
    3. Billy Rios and Jonathan Butts created a Device that can literally kill people
    4. YAAS - Yet Another App Store - Kali NetHunter