What we can learn from unusual journeys into infosec - Part 1

In this expeditious edition of the Exploring Information Security podcast, Stuart Peck Director of Cyber Security Strategy at ZeroDayLab (@ZeroDayLab) joins me to discuss unusual journeys into infosec.

Stu (@cybersecstu) is a Co-Founder of The Many Hats Club, which is a massive Discord community and podcast. Earlier this year, Stu started sharing Unusual Journeys. I love this series because it highlights that there is no true path into infosec. He’s had 18 series so far and each story is fascinating.

In this episode we discuss:

  • What started Unusual Journeys

  • How Stu got into infosec

  • What we can learn from these stories

Why communication in infosec is important - Part 2

In this communicative episode of the Exploring Information Security podcast, Claire Tills joins me to discuss information security communication.

Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.

In this episode we discuss:

  • How important is it for the company to take security seriously

  • How would someone get started improving communication?

  • Why we have a communication problem in infosec

  • Where should people start

More resources:

Why communication in infosec is important - Part 1

In this communicative episode of the Exploring Information Security podcast, Claire Tills joins me to discuss information security communication.

Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team at Tenable. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.

In this episode we discuss:

  • What Claire’s experience is with communication and infosec

  • What’s ahead for communication in infosec

  • Why do people do what they do?

  • What questions to ask

More resources:

A conversation with Justin Seitz

In this brand new edition of the Exploring Information Security podcast, I have a conversation with Justin Seitz (@jms_dot_py).

When I have guests hop on the podcast, I usually try to break the ice a little and get them warmed up for the episode. Often times these can turn into some really good conversation about the infosec field. I'd like to start capturing those conversation and release them (with the person's permission), because there are some really great insights.

I've released this episode early to the people on my newsletter (check below to get in on the fun). I wanted to get feedback and also give people who sign-up some bonus content, which is something I hope to do more.

In this episode we discuss:

  • My unique role working with other departments
  • Report writing and dealing with awful reports
  • Similarities between the developer boom and the security boom

Why container security is important - Part 2

In this shipped edition of the Exploring Information Security podcast, Wes Widner joins me to discuss container security.

Wes (@kai5263499) is not a security person. He is a developer. A developer that understands security and why it's important. He deals a lot with automation and working with container technology.

In this episode we discuss:

  • What are some of the other security considerations?7
  • Who should secure containers?

More Resources:

Why container security is important - Part 1

In this shipped edition of the Exploring Information Security podcast, Wes Widner joins me to discuss container security.

Wes (@kai5263499) is not a security person. He is a developer. A developer that understands security and why it's important. He deals a lot with automation and working with container technology.

In this episode we discuss:

  • What are containers?
  • What are the different kind of containers?
  • What is Wes' experience with containers?
  • What are the big security concerns?

More Resources:

What is Hunchly?

In this screenshot edition of the Exploring Information Security podcast, Justin Seitz joins me to discuss Hunchly.

Justin (@jms_dot_py) is the creator of Hunchly. I got to know Hunchly at SANS SEC487 OSINT training earlier this year. It's a fantastic tool that takes screenshot as the web is browsed. This is very useful for investigations involving OSINT. I'm also finding it useful for incident response, particularly for clicking on phishing pages. I sometimes forget to take screenshots as I'm investigating a phishing page. Having Hunchly means, I don't have to worry about taking screenshots. I then use the screenshots for reports and training. It's a really useful tool.

In this episode we discuss:

  • What is Hunchly?
  • How did Hunchly come about?
  • Who should use Hunchly?
  • What is the cost of Hunchly?

More resources:

How to make a Burp extension

In this crafting episode of the Exploring Information Security podcast, Paul Johnston Customer Champion at Portswigger joins me to discuss how to make a Burp extension.

Paul (@paulpaj) wrote a blog post on how to make a successful burp extension and get it published in the Burp Store. A lot of the recommendations in the article are from Paul's experience handling extension submissions for the Burp Store.

In this episode we discuss:

  • What is the process for extension approval?
  • What is Burp Suite?
  • How does someone make an extension?

How to handle CFP rejection(s)

In this refused episode of the Exploring Information Security podcast, Michael Kavka joins me to discuss how to handle call for presentation rejections.

Michael (@SiliconShecky) wrote a blog post on his site at the beginning of the year titled, It is CFP season... So what. In the article he hit on rejections and I thought it'd make for a great podcast topic. More recently, he wrote a blog post on the, Anatomy of a Rejected CFP. The article walks through his rejected CFP for DerbyCon.

In this episode we discuss:

  • What is Michael's experience in submitting CFPs
  • Why a CFP is rejected
  • What are the different types of cons?
  • How to handle a CFP rejection letter

More resources:

How to create a phishing email - Part 2

In this expedition edition of the Exploring Information Security podcast, Chris Maddalena a senior security consultant joins me to discuss how to create a phishing email.

Chris (@cmaddalena) joins me to discuss crafting a phishing email. This is something I've recently explored at work. Having little to no experience actually crafting a phish, I decided I'd go to someone who does this on a regular basis. Check out Chris' ODIN tool for automating intelligence gathering, asset discovery, and reporting.

In this episode we discuss:

  • What are the technical steps to creating a phish
  • What needs to be consider from a technical standpoint
  • What is GoPhish and GoReporter
  • How important is timing

Other resources:

How to create a phishing email - Part 1

In this expedition edition of the Exploring Information Security podcast, Chris Maddalena a senior security consultant joins me to discuss how to create a phishing email.

Chris (@cmaddalena) joins me to discuss crafting a phishing email. This is something I've recently explored at work. Having little to no experience actually crafting a phish, I decided I'd go to someone who does this on a regular basis. Check out Chris' ODIN tool for automating intelligence gathering, asset discovery, and reporting.

In this episode we discuss:

  • What you need to consider before creating a phish.
  • Where to get phishing ideas.
  • Where to get phishing templates.
  • What happened when accounting sent out an email.

What is OSINT ORCS YOGA?

In this battlefield edition of the Exploring Information Security podcast, Micah Hoffman joins me to discuss OSINT ORCS YOGA.

Micah (@WebBreacher), is a SANS Instructor and author of the SEC487 OSINT course. He recently had his second class in Denver, Colorado (more dates here). During that class he found people asking about how to navigate the waters of OSINT resources. His solution was to start the OSINT Resource Classification System (ORCS). It's a call for the OSINT community to standardize on how resources are categorized. YOGA or Your OSINT Graphical Analyzer is meant to be a visual aid for people looking to navigate the streets of OSINT resources.

In this episode we discuss:

  • How SANS SEC487 is coming along
  • What is YOGA?
  • What is ORCS?
  • Why is ORCS YOGA important?

How to implement GDPR - Part 2

In this 2k-like edition of the Exploring Information Security podcast, Stuart Scott AWS Content Lead at Cloud Academy and George Gerchow Chief Security Officer at Sumologic join me to discuss how to implement GDPR.

Stuart (@Stuart_A_Scott) and George (@georgegerchow) both have contributed content to CloudAcademy on GDPR. Stuart has a nine hour course on using AWS Compliance Enabling Services. George has a done a webinar and written an article on the topic. Both are well spoken and highly informed on the topic. They provide a lot of good direction for anyone looking to account for GDPR in their organization (pro tip: everyone should be looking into this).

In this episode we discuss:

  • How to implement GDPR in AWS
  • What are subject data rights?
  • How other regulations are impacted
  • What's ahead for GDPR

More resources:

 

How to implement GDPR - Part 1

In this 2k-like edition of the Exploring Information Security podcast, Stuart Scott AWS Content Lead at Cloud Academy and George Gerchow Chief Security Officer at Sumologic join me to discuss how to implement GDPR.

Stuart (@Stuart_A_Scott) and George (@georgegerchow) both have contributed content to CloudAcademy on GDPR. Stuart has a nine hour course on using AWS Compliance Enabling Services. George has a done a webinar and written an article on the topic. Both are well spoken and highly informed on the topic. They provide a lot of good direction for anyone looking to account for GDPR in their organization (pro tip: everyone should be looking into this).

In this episode we discuss:

  • Why am I getting all these privacy update emails?
  • What is GDPR?
  • How to implement GDPR?
  • What are Data Processing Addendum's

More resources:

How to crack passwords

In this crackerjack edition of the Exploring Information Security podcast, Sean Peterson of Parameter Security joins me to discuss password cracking.

Sean (@SeanThePeterson), is one of the most passionate infosec people you don't know. He recently did a talk at ShowMeCon on how to crack passwords. It was his first ever talk and pretty damn good. Sean joined me to give me his insights into password cracking.

In this episode we discuss:

  • What type of hardware is needed for password cracking
  • What type of attacks are used for password cracking
  • How to crack passwords
  • What's ahead for password cracking

What is the General Data Protection Regulation (GDPR)

In this European edition of the Exploring Information Security podcast, Cliff Smith of Parameter Security joins me to discuss General Data Protection Regulation (GDPR).

Cliff (@BismthSalamandr), recently gave a talk at ShowMeCon on GDPR and why everyone should care. It's a really good talk and a great primer if you haven't dug into GDPR, yet (you should). Cliff is a recovering lawyer, so he's providing a different angle than your normal security professional.

In this episode we discuss:

  • What is GDPR?
  • Why it could change
  • Why it's important
  • Who it impacts

How to talk to developers

In this chatty edition of the Exploring Information Security podcast, AppSec Nerd Tanya Janca joins me to discuss how to talk to developers.

Tanya (@shehackspurple), is a former developer turned security person. She speaks regularly at conferences around the globe. The topics often focus on working with developers to improve security, which is something I believe in. She's a project lead for OWASP DevSlop.

In this episode we discuss:

  • Why working with the developers is important
  • How to talk to developers
  • What are the benefits of working with developers?
  • What are the top recommendations for talking to developers

ShowMeCon 2018 Live

In this panelist episode of the Exploring Information Security podcast, the first ever podcast panel at ShowMeCon 2018!

Amanda Berlin (@InfoSystir), Wik (@jaimefilson), David Cybuck (@dpcybuck), April Wright (@aprilwright), and Dave Chronister (@bagomojo) join me on the live EIS panel at ShowMeCon, June 7, 2018. This is the first panel I've ever done for the podcast. It went so well, I hope to do more in the future. We cover a variety of topics and have a few laughs.

YouTube version

In this episode we discuss:

  • What's coming back in vogue
  • What to do with master ID
  • What our thoughts are on new password policies from NIST
  • How to handle best practices

How to achieve security awareness through social engineering - Part 2

In this ranty edition of the Exploring Information Security podcast, Jayson E. Street joins me to discuss how to achieve security awareness through social engineering.

Jayson (@jaysonstreet), is the VP of Information Security at Sphereny. He and April Wright (@aprilwright) are doing training at both Black Hat and DerbyCon on how to achieve security awareness through social engineering. The training focuses on helping blue team members setup effective security awareness programs.

In this episode we discuss:

  • How to communicate with executives
  • Why we need to empower users
  • What happens when Jayson plays video games
  • Why shock value is important

How to achieve security awareness through social engineering - Part 1

In this ranty edition of the Exploring Information Security podcast, Jayson E. Street joins me to discuss how to achieve security awareness through social engineering.

Jayson (@jaysonstreet), is the VP of Information Security at Sphereny. He and April Wright (@aprilwright) are doing training at both Black Hat and DerbyCon on how to achieve security awareness through social engineering. The training focuses on helping blue team members setup effective security awareness programs.

In this episode we discuss:

  • Why security awareness is important
  • What our own experience is with training people
  • What's in the training
  • How to talk to communicate effecitvely