7 Minute Security
7 Minute Security
Nov 26, 2020
7MS #443: Cyber News - Thankful for Patches Edition
Play • 41 min

Happy Thanksgiving! While the turkey and pie settle in your belly, why not also digest some fantastic security news stories with our pal Gh0sthax?

Today's stories include:

  • It was another epic month of patching - both Threatpost and Krebs have great coverage of what you need to know.

  • We don't support software pirating, but it's interesting that we just got a demo of Cobalt Strike spun up, and now the source code was leaked.

  • Always download software updates from their source, not from not-so-trustworthy sources like random search results in Google and pop-up boxes.

  • As a follow up to a story from last month, ransomware was not to blame for the death of a woman in Germany.

Hacker Valley Studio
Hacker Valley Studio
Hacker Valley Media
Episode 114 - The Good, Bad, and Ugly of Threat Intelligence with Patrick Coughlin
In this episode of the Hacker Valley Studio podcast, hosts Ron and Chris interview Patrick Coughlin, Co-Founder and CEO of TruSTAR. Patrick began his career as a security analyst in Washington D.C. and the middle east. By working with government contractors, multinational corporations, and counter-terrorism units, Patrick learned that the biggest challenge that security analysts have is retrieving the needed information from disparate data sources. This discovery led Patrick to founding TruStar. Patrick’s focus is to help organizations automate the collection and curation of threat intelligence data. Patrick’s analytical prowess originated from working at Booz Allen Hamilton where he learned a fundamental skill that all cybersecurity analysts should have - how to put together a slide deck. This skill helped Patrick articulate the importance of threat intelligence to leaders in the government and private sector. As the episode progresses, Patrick details the differences between threat intelligence requirements for national security and enterprise. For enterprise threat intelligence programs, the goal is to accelerate automation of detection and rarely attribution. Patrick also mentions automation is only as effective as the data is cleaned, normalized, and prioritized. What about the good, bad, and ugly of threat intelligence? Patrick describes that an organization can thrive by leveraging internal intelligence. This can be overlooked when organizations are fixated on buying threat data feeds and subscribing to ISAC feeds. Most enterprise organizations have a detection and response stack that is constantly providing information about threats relevant to their organization - which serves as great threat intelligence data. Chris and Ron ask Patrick about the science vs art aspects of cybersecurity and threat intelligence. Patrick describes that there is room for both art and science in threat intelligence. While new concepts are being discovered, there is art in finding the needle in the haystack. However, at some point, intuition can be described into steps that a machine can repeat. For example, after years of analytical practice an analyst can describe how and why they are tagging threat intelligence related data in such a way that can be repeated by other analysts or automation. This episode covers an abundance of tactics and techniques for threat intelligence analysts. Patrick describes the best place to begin automating threat intelligence is detection. An analyst can ask the question, “How do I get sources of known bad indicators into my detection stack so that I could drive high fidelity detections?”. As false positives decrease, your mean time to detection (MTTD) and resolution (MTTR) decrease which makes your threat intelligence and security operation team members more effective. 0:00 - Intro 1:53 - This episode features Patrick Coughlin, Co-Founder and CEO of TruSTAR 2:30 - Patrick’s background and start as a security analyst 5:19 - How to automate threat intelligence while reducing analyst fatigue 7:05 - How Patrick cultivated his analyst prowess 8:43 - Articulating threat intelligence to government and enterprise organizations 11:09 - Can a threat intelligence program be automated? 17:21 - Patrick’s experience of “good” and “bad” threat intelligence programs 20:31 - Logic vs Intuition in threat intelligence 27:04 - Artificial Intelligence and Machine Learning to make threat intelligence decisions 28:42 - Where to start when automating threat intelligence 30:02 - How to stay in touch with Patrick Coughlin Links: Connect with Patrick Coughlin on LinkedIn Link to Patrick’s company TruSTAR Learn more about Hacker Valley Studio. Support Hacker Valley Studio on Patreon. Follow Hacker Valley Studio on Twitter. Follow hosts Ron Eddings and Chris Cochran on Twitter. Learn more about our sponsor ByteChek. Take our FREE course for building threat intelligence programs by visiting www.hackervalley.com/easy
31 min
Cyber Work
Cyber Work
Infosec
Cybersecurity careers: Risk management, privacy and healthcare security
Learn about different cybersecurity roles and career paths in this wide-ranging conversation with today’s guest Tyler Cohen Wood. Tyler discusses working as a senior intelligence officer for the Defense Intelligence Agency (DIA), overseeing cyber risk for AT&T and writing her book Catching the Catfishers. We talk about online privacy, implementing complex cybersecurity systems, healthcare security shortcomings in the age of COVID — and her blue-haired, pre-cyber years working in the record industry! 0:00 - Intro 2:20 - Getting into IT & security 4:20 - Digital forensics & incident response 6:18 - Moving up the cybersecurity ladder 9:40 - Working with complex systems 12:57 - Director of Cyber Risk at AT&T 15:37 - Becoming a cybersecurity consultant 22:30 - Sharing too much personal info 26:20 - Work from home privacy & security 33:18 - Cybersecurity career tips 37:33 - Cybersecurity hiring & diversity 39:51 - Healthcare privacy & HIPAA changes 48:53 - Future career plans 50:15 - Outro We’re also excited to share a new, hands-on training series called Cyber Work Applied. Every week, expert Infosec instructors and industry practitioners teach you a new cybersecurity skill and show you how that skill applies to real-world scenarios. You’ll learn how to carry out different cyberattacks, practice using common cybersecurity tools, follow along with walkthroughs of how major breaches occurred and more. And it's free! Click the link below to get started. – Learn cybersecurity with our FREE Cyber Work Applied training series: https://www.infosecinstitute.com/learn/ – View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast Tyler Cohen Wood is a cyber-authority with 18+ years of highly technical experience. As a cyber intelligence and national security expert, as well as three-time author and public speaker, Tyler is relied on for her wealth of knowledge and unique insights. She served with the DIA as a senior intelligence officer where she developed highly technical cyber solutions and made recommendations to significantly develop and change critical cyber policies and directives, which affected current and future intelligence community programs. She has helped the White House, DoD, federal law enforcement and the intel community thwart many cyberthreats to the U.S. She is the author of the book Catching the Catfishers.  About Infosec Infosec believes knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and privacy training to stay cyber-safe at work and home. It’s our mission to equip all organizations and individuals with the know-how and confidence to outsmart cybercrime. Learn more at infosecinstitute.com.
51 min
CISO-Security Vendor Relationship Podcast
CISO-Security Vendor Relationship Podcast
Mike Johnson and David Spark
Click This Link to Fail a Phishing Test
All links and images for this episode can be found on CISO Series (https://cisoseries.com/click-this-link-to-fail-a-phishing-test/) Our phishing tests are designed to make you feel bad about yourself for clicking a link. We're starting to realize these tests are revealing how insensitive we are towards our employees. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Yaron Levi, (@0xL3v1) former CISO, Blue Cross Blue Shield of Kansas City. Thanks to this week’s podcast sponsor, Stackrox StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle. Is this a cybersecurity disinformation campaign? On reddit, an explosive discussion formed around a ComputerWeekly.com article by Saj Huq of Plexal about the importance of making disinformation a security issue. The problem though has primarily fallen into the hands of social media companies mostly because that's where disinformation spreads. While we've seen disinformation being used as a political tool, for businesses, it can tarnish your corporate brand, consumer trust, and ultimately the value of your product. It's also used in phishing campaigns. Breaches are compromising your data. Disinformation is questioning the validity and value of data without even stealing it. How do you combat that? Are we having communication issues? We're recording this episode shortly after GoDaddy sent its infamous phishing test email that promised employees a $650 bonus check. Those who clicked on the email were rewarded with additional security training. It took the entire Internet to point out how insensitive this was, GoDaddy's response was "We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized." They argued that while it may be insensitive, these types of well-timed phishing emails do happen. A lot of people do not like phishing tests and Yaron has proven that if creative enough, anyone can fall for a phish. How can the company and security be more sensitive to employees, respect them, while also letting them know they may receive a malicious email just like this? "What's Worse?!" An international What's Worse conundrum. How do you go about discovering new security solutions? Julia Wool, Evolve Security said, "I just finished a Splunk course and wanted to explore other SIEM platforms and I am having a difficult time understanding how an enterprise should choose a vendor in this space. I couldn't imagine being the guy at an enterprise that has to consider all these different vendors that seem to be doing the same thing." Julia brings up a really good concern: If you were completely green, didn't have CISO connections, and were going to choose a SIEM for the first time how would you go about determining your needs and then researching and deciding? What sources would you use? And how do you limit this effort so you're not overwhelmed? There’s got to be a better way to handle this Brian Fanny, Orbita, asks, "Vendor scope can change over time within a project or the start of another and harder to control than the initial evaluations. They start off when non-critical requirements/needs eventually grow into handing assets of greater value and/or gaining access to more critical systems. How do you keep up with vendor/project scope creep from the security sidelines?"
33 min
Cyber Security Interviews
Cyber Security Interviews
Douglas A. Brush | Weekly Interviews w/ InfoSec Pros
#110 – Ryan Louie: Security Starts In the Mind
https://twitter.com/ryanlouie (Ryan K. Louie), MD, Ph.D. is a board-certified psychiatrist focusing on the mental health impact of cybersecurity, and the psychiatry of entrepreneurship. Ryan received his MD and Ph.D. degrees from the Stanford University School of Medicine and completed residency training in psychiatry at the University of Hawaii Department of Psychiatry. Ryan completed an internship with the Office of International Health and Biodefense at the US Department of State and was the recipient of a Fulbright Fellowship to Japan. Ryan has published academic articles in psychiatry and cell biology and is the inventor of the patented microtubule lumen-cast nanowire technology. In this episode, we discuss the stigmas of mental health, coping skills, the economic costs for not addressing mental health, neurodiversity, handling COVID-19 stress, removing job pressures in information security, and so much more! Where you can find Ryan: https://twitter.com/ryanlouie https://twitter.com/ryanlouie (LinkedIn) https://twitter.com/ryanlouie (Twitter) Episode Disclaimer: This podcast's information is not intended or implied as a substitute for professional medical advice, diagnosis, or treatment. We make no representation and assume no responsibility for the accuracy of the information contained in or available through this presentation. THIS IS NOT MEDICAL ADVICE. Please speak to your physician before embarking on any treatment plan. NEVER DISREGARD PROFESSIONAL MEDICAL ADVICE OR DELAY SEEKING MEDICAL TREATMENT BECAUSE OF SOMETHING YOU HEARD ON THIS PODCAST.
48 min
The Social-Engineer Podcast
The Social-Engineer Podcast
Social-Engineer, LLC
Ep. 138 – Security With Marcus Sailler of Capital Group
In this episode, Chris Hadnagy and Ryan MacDougall are joined by industry professional, Marcus Sailler to discuss his experience as the red team information security manager at Capital Group. Marcus shares some great tips on creating a successful security team and how you can prevent it from becoming the "No Police". They also go over the recent changes in the industry, including how big hacks have increased security awareness in the general public. 00:09 – Introduction to the new Security Awareness Series 01:28 – Introduction to Ryan MacDougall Phishing as a Service (PHaaS) Vishing as a Service (VaaS) Social-Engineer.com 02:32 – Introduction to Marcus Sailler 04:20 – How Marcus got into information security 06:08 – Recent changes in the infosec industry- How a big hack increases security awareness 12:09 – How a red team and security awareness team can collaborate to enhance security 14:25 – Introduction to Capital Group 16:17 – Coming up with relevant attacks for a global company 18:08 – How a security team can avoid becoming the “No Police” 21:39 – Why it’s better to build a blue team first 22:24 – The importance of attitude and ego for a red teamer 25:04 – How a red team benefits from partnership 26:53 – Emulate the bad guy, but remember to be good 29:18 – Steps corporations should implement now 30:58 – Some of Marcus’ most respected industry professionals Chris Hadnagy David McGuire Jason Frank Jeff Dimmock David Kennedy Amanda Berlin Ian Coldwater Rachel Tobac 34:47 – Marcus' book recommendations Sizing People Up: A Veteran FBI Agent's User Manual for Behavior Prediction The 5 Love Languages: The Secret to Love that Lasts 39:18 – Marcus' contact info LinkedIn Twitter 14:38 – Outro Social-Engineer.org Social-Engineer.com The Innocent Lives Foundation SEVillage: The Human Hacking Conference Human Hacking Book Website Human Hacking Book Amazon Clutch Chris on Twitter Social-Engineer on Twitter
44 min
More episodes
Search
Clear search
Close search
Google apps
Main menu