Defense in Depth
Defense in Depth
Jan 21, 2021
Building a Security Team
Play • 32 min

All links and images for this episode can be found on CISO Series

You're a new CISO at a new org given a headcount of ten to build a cybersecurity team. What's your strategy to build that team?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest JJ Agha (@jaysquaredx2), CISO, Compass.

Thanks to our podcast sponsor, Imperva

Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now.

In this episode

  • The importance of assessments and gap analyses
  • Why you need to leveraging your network
  • Educating and empowering teams
  • Introspection and self-awareness as a leader

 

7 Minute Security
7 Minute Security
Brian Johnson
7MS #456: Certified Red Team Professional - Part 4
Hello friends! Today, Joe (Gh0sthax) and I complete our series on CRTP - Certified Red Team Professional - a really awesome pentesting training and exam based squarely on Microsoft tools and tradecraft. Specifically, Joe and I talk about: * We don't think the training/exam is for beginners, despite how its advertised * Both the lab PDF and PowerPoint have their own quirks - which may ultimately be teaching us not to be copy-and-paste jockeys, and instead build our own study guides and cheat sheets * Don't let the training give you the idea that most pentests have a super fast escalation path to DA (ok yes sometimes they do, but usually we spend a LOT of hours working on escalation!) * Watch the walkthrough videos. We repeat: WATCH THE WALKTHROUGH VIDEOS! * Although not required, we highly recommend capturing all the flags laid out for you in the lab environment * Know how to privesc - using multiple tools/methods * It would be to your advantage to understand how to view/manipulate Active directory information in multiple ways * You start the exam with no tools. So how will you be ready to upload/download tools into the exam environment so you make the most of your exam time? * Tool X might give you wrong results - or none at all - in the lab. Do you have a backup tool Y and Z that can serve the same purpose? * You want to be very good at Kerberos ticket crafting! * Know all the mimikatz commands and switches and when to apply them
57 min
Brakeing Down Security Podcast
Brakeing Down Security Podcast
Bryan Brake, Amanda Berlin, Brian Boettcher
2021-007-News-Google asking for OSS to embrace standards, insider threat at Yandex, Vectr Discussion
Links to discussed items: Yandex Employee Caught Selling Access to Users' Email Inboxes (thehackernews.com) Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple | Threatpost Google pitches security standards for 'critical' open-source projects | SC Media (scmagazine.com) Google’s approach to secure software development and supply chain risk management | Google Cloud Blog https://vectr.io/ https://www.kitploit.com/2021/02/damn-vulnerable-graphql-application.html https://www.blumira.com/careers/?gh_jid=4000142004 sec evangelist @blumira Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
57 min
CISO-Security Vendor Relationship Podcast
CISO-Security Vendor Relationship Podcast
Mike Johnson and David Spark
Would You Look at that Unrealistic Licensing Deal?
All links and images for this episode can be found on CISO Series https://cisoseries.com/would-you-look-at-that-unrealistic-licensing-deal/ CISOs know that salespeople want to make the best licensing deal they can possibly get. But unpredictability in the world of cybersecurity makes one-year licensing deals tough, and three-year licensing deals impossible. This episode is hosted by David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Mark Eggleston, (@meggleston) CISO, Health Partners Plans. This recording was recorded live in front of a virtual audience at the "SecTalks - Leading with grit in security" virtual conference brought to you by our sponsor, Cobalt. Thanks to our podcast sponsor, Cobalt Cobalt offers a faster more effective pentesting solution through its Pentest as a Service (PtaaS) platform. With it, you can schedule a pentest in as little as 24 hours for all kinds of assets. The platform also connects you with a global pool of pentesters called the Cobalt Core, whose skills can match what you need. And instead of sending you a huge PDF that raises more questions you can’t answer, they engage with your team throughout the pentest. Findings can land straight into Jira and GitHub, helping you fix vulnerabilities as soon as they’re discovered. Cobalt makes pentesting easy, quick to deploy, scalable, and simple to remediate. On this week's episode Why is everybody talking about this now? A redditor is struggling and overwhelmed! The person is in school studying, working, and loving cybersecurity, but has completely and utterly failed the foundations course and is on academic probation. The person told their story to the cybersecurity subreddit community, and the support came out in droves. We've seen this before. People hit a major wall professionally and they just reach out to the anonymous masses for support. The story hits a nerve and the community is eager to show encouragement. In fact, just this past week, the New York Times had an article about the unemployment subreddit offering advice and information to those struggling. We'll take a look at this tactic of reaching out for support and guidance through discussion boards. What do you think of this vendor marketing tactic? "Pro tip to vendors: don’t claim that you can’t do a one-year licensing deal. You might end up with a zero-year license deal", said Ian Amit, CSO, Cimpress on LinkedIn. We'll look at the art of negotiating a contract with a vendor: What is it ultimately you want? What are you willing to concede on and what must you have? And what are the situations that cause this to change? It's time to play, "What's Worse?!" Jason Dance of Greenwich Associates suggests two scenarios that others believe is security, but actually isn't. If you haven’t made this mistake, you’re not in security On Twitter, the CISO of Twitter, Rinki Sethi, said, "A career mistake I made, I rolled out a phishing testing program before the company was ready for it. The HR team said it was against the company culture and if I tried a trick like that again, I would be fired. Lesson - communication is important in #cybersecurity." Rinki asked for others' stories of failure. Let's explore a few. What Is It and Why Do I Care? For this week's game, the topic is vulnerability management. We look at four pitches from four different vendors. Contestants must first answer what "vulnerability management" is in 25 words or less, and secondly must explain what's unique about their vulnerability management solution. These are based on actual pitches - company names and individual identities are hidden. The winners will be revealed at the end.
38 min
More episodes
Search
Clear search
Close search
Google apps
Main menu