CPradio
CPradio
Oct 1, 2020
[CPRadio] Instagram: The Problem With Open-Source
23 min

When Gal Elbaz came across a modest GIF parser sitting in a remote corner of GitHub, he wasn't exactly looking for trouble. But he found it. What was so troublesome about this parser in particular? It wasn't popular, it was created by some unknown programmer, and it didn't have any extraordinary qualities. Except it was familiar. Gal had seen this code before...

Defense in Depth
Defense in Depth
Allan Alford and David Spark
Data Protection and Visibility
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-protection-and-visibility/) Where is your data? Who's accessing it? You may know if you have an identity access management solution, but what happens when that data leaves your control. What do you do then? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Elliot Lewis (@elliotdlewis), CEO, Keyavi Data. Thanks to this week's podcast sponsor, Keyavi Data. Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com. On this episode of Defense in Depth, you’ll learn: * In general, all of security is based on detecting threats and stopping threats. When those two fail, and they do, what's your recourse to protect your data? * What if when your data leaves your control either accidentally or through a malicious breach, you were still able to see your data wherever it went and your data could communicate back to you its status, allowing you to control access to your data? * There are so many scenarios when data leaves you, it's impossible to protect for all scenarios. * Asset inventory is first step in the CIS 20. Just trying to get an asset inventory of equipment is difficult. An inventory of data is near impossible especially when you may be pumping out a terabyte of data a day. * Ideal situation is to protect data proactively, as it's being created. * The ultimate goal is to have visibility of your data in perpetuity, for the life of the data, and you can decide when to destroy it even when it's no longer within the confines of your greater network and ecosystem. * Governing your network, your applications, the rules, and the data is half the battle. * Data visibility also allows you to make informed decisions as a business and can provide the answers your legal team will need in case there's a breach. * You want the data protection and visibility schema to be platform and ecosystem independent. If data is taken out of the ecosystem, then the protection and visibility is moot. * A good precursor to this is digital rights management or DRM. They have figured out how to manage data from being copied and manipulated and they can place controls on it. The limiting factor though is it's platform dependent.
33 min
CISO-Security Vendor Relationship Podcast
CISO-Security Vendor Relationship Podcast
Mike Johnson and David Spark
Why Is 'Pay the Ransom' In Next Year's Budget?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-is-pay-the-ransom-in-next-years-budget/) With 25 percent of ransomware victims paying the ransomware, have we waved the white flag to the attackers? Should we just budget for it? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Les McCollum (@doinmorewithles), managing vp, CISO, ICMA-RC. Thanks to our sponsor, BitSight. BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach. On this week’s episode Why is everybody talking about this now Are culture fit and diversity mutually exclusive? Allan Alford, co-host of Defense in Depth podcast, brought up the conversation of needing diversity in all areas: age, gender, ethnicity, city vs. country, country of origin, military vs. civilian, college educated vs. self-taught, socioeconomic status, and disabilities. But at the same time, I'm thinking we NEVER see those types of groups hanging out together or getting along. So how do you create a culturally sane group among such a diverse group? People are tribal by nature and even if you're successful creating diversity on your team they're going to bond with people of similar types. Won't this introduce new problems? If you haven’t made this mistake you’re not in security At the end of the year when you look at your security budget, what are the costs you didn't expect or budget appropriately at the beginning of the year? On CSO Online, John Edwards has an article about seven overlooked cybersecurity costs that may bust your budget. He mentioned items such as staff acquisition and retention, incident response, third-party analysis, and replacement costs. What has been a surprise for you and has adjusting things for the next year helped, or is there always a surprise? Which is the one everyone should prepare for but they don't? More bad security advice Over a quarter of companies that fall victim to ransomware, pay the ransom, according to a study by Crowdstrike. In a discussion thread on reddit, user yourdigitalmind said they had a client who remarked, "WHEN we get hit, it will force us to start doing things right, but right now, it's cheaper'" So he's accepted being hit by ransomware is inevitable. That falls in line with Crowdstrike's study that found after a ransomware attack 75 percent of the victims do increase their security spend on tools and hiring. Humor for me a moment. Most of us do not want to pay the ransom, but sometimes you can't think of the greater good and you have to think of the survival of the business. Is this where I should put my marketing dollars? What types of vendor stories do you respond to? I bring this up because Mike O'Toole, president of PJA Advertising wrote a great piece about how to build a cybersecurity brand story. In the article, he offers up some really good advice such as "Position yourself against the category, not just your direct competitors," "Fear gets attention, but opportunity can drive purchase behavior," and "The strongest brand stories are about market change." Which advice most resonates with how you're pitched, and can you think of either a customer story or offering that you overheard that pushed you into exploring a vendor's solution?
34 min
Brakeing Down Security Podcast
Brakeing Down Security Podcast
Bryan Brake, Amanda Berlin, Brian Boettcher
2020-044-Marcello Salvati (@byt3bl33d3r), porchetta industries, supporting opensource tool creators, sponsorship model
https://www.hak4kidz.com/activities/cdcedu.html Online CTF training using Cisco’s Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info. Robert M. for upping his patreon to $5 Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com) @byt3bl33d3r (Marcello Salvati) @porchetta_ind (porchetta Industries) info@porchetta.industries Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors Github sponsors: GitHub Sponsors Introducing Sponsorware: How A Small Open Source Package Increased My Salary By $11k in Two Days | Caleb Porzio How is this different than shareware? “As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects.” Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from ‘unpaid customers’ is deafening… Should be required reading for anyone wanting to open source anything.) [Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com) Business model for typical opensource projects. Where’s the chain broken at? Devs who expect help/support for their project? “Many eyes make for less vulns” (LOL, sounds good, not true anymore --brbr) What is the ‘status quo’ of OSS infosec/hacking tool developer community (in your opinion)? Pull requests, what is ‘meaningful’ contributions? What is the definition of ‘widely-used’? Why support widely-used OSS hacking tools? (2) Marcello on Twitter: "Well also be encouraging community contributions to those same tools by giving out 1 @offsectraining training voucher per quarter to whoever submits the most meaningful pull request to any of the tools in the @porchetta_ind Discord server" / Twitter And now for something completely different... (porchetta.industries) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic #Brakesec Store!: https://brakesec.com/teepub #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec #cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP #porchetta #training #sponsorship #github #opensource #crackmapexec #byt3bl33d3r #marcelloSalvati
29 min
The Social-Engineer Podcast
The Social-Engineer Podcast
Social-Engineer, LLC
Ep. 135 - Fear of video and snakes with Lisa Forte
In this episode, Chris Hadnagy and Maxie Reynolds are joined by social engineering and insider threats expert: Lisa Forte. Learn how Lisa went from fighting terrorists and real-life sea pirates to being an expert on cybercrime and social engineering. Discover how scammers are taking advantage of global uncertainty and understand how to protect yourself from attack. 00:00 – Introduction to Lisa Forte 02:38 – Lisa's path to a career in social engineering 05:27 – The psychology that terrorists use to recruit teenagers 07:52 – Lisa's experience with fighting cyber crime 08:43 – Why Lisa named her cyber security company “Red Goat” 10:23 – The world pandemic made hospitals and their supply chains vulnerable to attack 14:38 – Keep secure by realizing the value of the information you possess 15:41 - How Cyber Volunteers 19 is helping to save lives by making hospitals secure. (twitter) 21:25 – Ego suspension is a required skill for a good social engineer 25:47 – Find someone who gives you honest feedback 27:28 – How Chris deals with harsh criticism 30:27 – New documentary: “hacker:HUNTER Ha(ck)cine” (Part 1) (Part 2) 34:44 – Lisa's Vlog: “Rebooting” 35:44 – Lisa's and Chris’s experience with exposure therapy. 40:00 – How scammers take advantage of global uncertainty 42:37 – Law enforcement has a big disadvantage when fighting cyber crime 45:42: Lisa’s Contact info: LinkedIn Website Rebooting vlog with Chris Twitter 46:56 – Lisa's Book recommendation Prisoners Of Geography 50:20 – Outro Social-Engineer.com Social-Engineer.org The Human Hacking Conference The Innocent Lives Foundation Human Hacking Book Phishing As A Service® Trainings: Practical Open Source Intelligence For Everyday Social Engineers * 11-12 November 2020 - VIRTUAL Advanced Practical Social Engineering Training * 17-20 November, 2020 - VIRTUAL
53 min
More episodes
Search
Clear search
Close search
Google apps
Main menu