Rapid Threat Model Prototyping Process (S04E26)
Play episode · 47 min

On this episode, Chris and Robert are joined by Geoff Hill to talk about Rapid Threat Model Prototyping Process. You can find Geoff on Twitter @Tutamantic_Sec

The post Rapid Threat Model Prototyping Process (S04E26) appeared first on Security Journey Podcasts.

Defense in Depth
Defense in Depth
Allan Alford and David Spark
Leaked Secrets in Code Repositories
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/) Secrets, such as passwords and credentials, are out in the open just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Jérémy Thomas, CEO, GitGuardian. Thanks to this week's podcast sponsor GitGuardian. GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline. On this episode of Defense in Depth, you’ll learn: * Putting passwords and other credential information inside of code simply happens. It is done by developers for purposes of efficiency, laziness, or simply forgot to take it out. * Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub. * Exposed credentials can appear in SIEMS as it's being exported from the developers' code. * There is a shared responsibility model and cloud providers do have some ability to scan code, but ultimately code you put in your programs is your responsibility. * Scanning public code repositories should be your first step. You don't want to be adding code that has known issues. * Next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) in their code. If you alert in real-time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills. * Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.
29 min
The Cloudcast
The Cloudcast
Cloudcast Media
Confidential Computing
Vikas Bhatia (@vikascb, Head of Product, Azure Confidential Computing) and Ron Perez (@ronprz, Intel Fellow, Security Architecture) talk about the technologies and architecture behind Azure Confidential Computing *SHOW: *472 *SHOW SPONSOR LINKS:* * CloudAcademy -Build hands-on technical skills. Get measurable results.  * Get 50% of the monthly price of CloudAcademy by using code CLOUDCAST * Datadog Security Monitoring Homepage - Modern Monitoring and Analytics * Try Datadog yourself by starting a free, 14-day trial today. Listeners of this podcast will also receive a free Datadog T-shirt. * BMC Wants to Know if your business is on its A-Game * BMC Autonomous Digital Enterprise *CLOUD NEWS OF THE WEEK *- http://bit.ly/cloudcast-cnotw *PodCTL Podcast is Back (Enterprise Kubernetes) *- http://podctl.com *SHOW NOTES:* * Azure Confidential Computing * Intel and Microsoft Azure partnership page * Intel® SGX: Moving Beyond Encrypted Data to Encrypted Computing * Confidential Computing Consortium (website) *Topic 1 *- Welcome to the show. Before we dig into today’s discussion, can you give us a little bit about your background? *Topic 2 *- Defense in Depth is a strategy that has long been in place in Enterprise computing. We’ve seen previous approaches that connected the OS or Application with the Hardware (e.g. Intel TXT). How has this space evolved over the last few years, and what are some of the reasons why we need another level of depth? *Topic 3* - Let’s talk about the technology basics of Confidential Computing. What are the software elements (Application, OS, SDK) and what are the hardware elements?  *Topic 4 *-  What is the normal migration path for a company to move workloads into Confidential Computing environments? Is this primarily for new workloads, or does it apply to existing applications too?  *Topic 5 *- Azure has the ability to deliver either Confidential VMs, or recently added Confidential containers along with AKS. When does it make sense to be confidential in one part of the stack vs. other?  *Topic 6 *- What are some areas where you’re seeing the broader ecosystem (e.g. technology partners or end-user customers) beginning to expand out the functionality of Confidential Computing? *FEEDBACK?* * Email: show at thecloudcast dot net * Twitter: @thecloudcastnet
40 min
Cyber Work
Cyber Work
Infosec
Protecting sensitive information: Growing data, regulations and risks
The amount of data organizations hold has exploded — along with the risk it poses. Today’s guest is Very Good Security CEO and co-founder Mahmoud Abdelkader, who wants to solve the problem of sensitive data by removing it from the equation (by replacing it with decoy data). It’s an intriguing idea as having less worry about data security frees resources up to focus on other areas of cybersecurity. Mahmoud talks about the future of data security, how these new solutions do and don’t help with privacy regulations, and what cybersecurity professionals can do to prepare for a future where the amount of data continues to grow every year. – Get your free security awareness toolkit: http://infosecinstitute.com/ncsam2020  – Enter code “cyberwork” to get 30 days of free training with Infosec Skills: https://www.infosecinstitute.com/skills/ – View transcripts and additional episodes: https://www.infosecinstitute.com/podcast Mahmoud Abdelkader is the CEO and co-founder of Very Good Security. He was previously CTO and co-founder of Balanced Payments (exited to Stripe). Prior to that, Mahmoud designed automated product matching systems at Milo.com (acquired by eBay) and built high-frequency trading systems for Wachovia Securities, now a part of Wells Fargo. With experience ranging from Wall Street to early-stage startups, Mahmoud is passionate about democratizing data security. He started Very Good Security to make best-in-class security and compliance attainable for businesses of all sizes. *About Infosec* At Infosec, we believe knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with certifications and skills training. We also empower all employees with security awareness training to stay cybersafe at work and home. Driven by smart people wanting to do good, Infosec educates entire organizations to defend themselves from cybercrime. It’s what we do every day — equipping everyone with the latest security skills and confidence to be safe online. Learn more at infosecinstitute.com.
35 min
David Bombal
David Bombal
David Bombal
#204: David Bombal: Never Use TFTP Or FTP!
Both TFTP and FTP are insecure protocols. Everything is sent in clear text - including all usernames and passwords. Don't use them. Get the full Wireshark course for $9: bit.ly/wireshark9 Need help? Join my Discord: discord.com/invite/usKSyzb Free Wireshark and Ethical Hacking Course: Video #7. Watch the entire series here: bit.ly/wiresharkhacking Menu Overview: 0:00 Start Capture: 0:48 Ping test: 1:00 Copy files using TFTP: 1:40 Filter for TFTP: 2:27 Follow UDP stream: 2:45 FTP intro: 3:53 Upload a file using FTP: 4:16 Filter for FTP: 4:35 Follow TCP stream: 4:47 Download TFTP pcapng file here: bit.ly/311IjXc Download FTP pcapng file here: bit.ly/3iUlz1A Don't use TFTP or FTP! It sends everything in clear text. That means that someone can capture everything you send on the network - including usernames and passwords. In this course I'm going to show you how to capture packets from a network, how to capture passwords, replay voice conversations, view routing protocol updates and many more options. Do you know network protocols? Do you know how to hack? Want to learn wireshark and have some fun with Ethical hacking? This is the course for you: Learn Wireshark practically. Wireshark pcapng files provided so you can practice while you learn! There is so much to learn in this course: - Capture Telnet, FTP, TFTP, HTTP passwords. - Replay VoIP conversations. - Capture routing protocol (OSPF) authentication passwords. - Troubleshoot network issues. - Free software. - Free downloadable pcapng files. - Answer quiz questions. The course is very practical. You can practice while you learn! Learn how to analyze and interpret network protocols and leverage Wireshark for what it was originally intended: Deep Packet Inspection and network analysis. Protocols we capture and discuss in this course include: - Telnet - FTP - TFTP - HTTP - VoIP - OSPF - EIGRP - DNS - ICMP
7 min
CISO-Security Vendor Relationship Podcast
CISO-Security Vendor Relationship Podcast
Mike Johnson and David Spark
Can a Robot Be Concerned About Your Privacy?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/can-a-robot-be-concerned-about-your-privacy/) I want AI to be efficient, but I also want my space. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Rebecca Weekly (@rebeccalipon), senior director of hyperscale strategy and execution, senior principal engineer, Intel. Thanks to this week's podcast sponsor, Intel. Intel’s new suite of security features in the upcoming Xeon Scalable platform improves data confidentiality and integrity in a world that increasingly relies on it. Features like Intel SGX further enable confidential computing scenarios — crucial for organizations in regulated industries to meet growing security requirements and protect sensitive data. On this week's episode Why is everybody talking about this now "The lack of women in cybersecurity leaves the online world at greater risk," stated Naomi Schalit of The Conversation. Mollie Chard of Capgemini shared the article that generated a lot of conversation. Naomi hit many issues we've discussed before like diversity offers different viewpoints, which is critical for building a cybersecurity program. I would like to focus on the dynamic of the security team. I've been in testosterone-fueled environments and things change dramatically when just one woman enters the room. And it changes even more when there are more women. What is that dynamic, why is it valuable, and what's the danger of the all-male environment? Well that didn’t work out the way we expected At the end of every show I ask our guests, "Are you hiring?" And prior to COVID, almost everyone said desperately, "YES, we're hiring." That has changed dramatically for the worse since COVID started. Emma Brighton has a story on InfoSecurity Magazine about the real shortage that's happening. Problems she points to are the need to secure more communications channels, security people being offloaded to do IT support, and the competition for skilled talent. What is COVID doing to our security environment and our staff? What's Worse?! Everyone in the loop or out of the loop? Please, Enough. No, More. Today's topic is security on the chipset. We have never talked about this on the show, but now we've got someone from Intel and it seemed appropriate now would be the time to do just that. What have we heard enough about chip-level security, and what would we like to hear a lot more? Are we having communication issues Will the fight to maintain privacy always be in conflict? The people who collect data always want more information so they can get greater insights. Outside of regulations, they have no incentive to maintain privacy. As we're collecting more and more information automatically and artificial intelligence systems are making decisions for us, can AI systems be made privacy aware while still being effective at gaining insights? What would that even look like?
34 min
More episodes
Search
Clear search
Close search
Google apps
Main menu