399 episodes

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

Brakeing Down Security Podcast Bryan Brake, Amanda Berlin, Brian Boettcher

    • News
    • 4.7 • 96 Ratings

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

    2021-042- Fred Jennings, VDP, Vuln Equity, And 0day disclosure - p1

    2021-042- Fred Jennings, VDP, Vuln Equity, And 0day disclosure - p1

    https://twitter.com/Esquiring - Fred Jennings
    Vulnerabilities Equity program (VEP), vuln disclosure program (VDP), and what is the best way for disclosure of 0day? (‘proper’ is different and dependent)
    This show was inspired by this Tweet thread from @k8em0 and @_MG_
    https://twitter.com/k8em0/status/1459715464691535877

    https://twitter.com/_MG_/status/1459718518346174465
     
    Legal Safe Harbor? Copy-left for security researchers…?
    What is a VEP? Not a new concept (2014)
    https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
    Context: Was written when Heartbleed came out.
    About transparency, but within reason
    From the blogpost:
    “We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:
    How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
    Does the vulnerability, if left unpatched, impose significant risk?
    How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
    How likely is it that we would know if someone else was exploiting it?
    How badly do we need the intelligence we think we can get from exploiting the vulnerability?
    Are there other ways we can get it?
    Could we utilize the vulnerability for a short period of time before we disclose it?
    How likely is it that someone else will discover the vulnerability?
    Can the vulnerability be patched or otherwise mitigated?”
     
    Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
     
    Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter
     
    Companies have VEP (every time they issue a patch), but they aren’t always transparent about it. Embargoes a plenty. https://www.redhat.com/en/blog/security-embargoes-red-hat
    https://xenproject.org/developers/security-policy/  (creates a caste system of ‘haves and not-haves’... important vs. not important) bad guys will target people not on the inside.
     
    0day benefit from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/
     
    Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633
    https://twitter.com/JimSycurity/status/1459152870490574854
    Preferred patch 8.1.17, issued october 2020
     
    VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml
    “The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.
    The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.
     
    In a perfect world, what does disclosure look like?
     
    Communication (easy, secure, detailed… pick 1)
    Separating wheat from chaff - ‘lol, i got root, pay me plz’
    Fear of NDAs and gag clauses
    Do people expect to be paid?
    Setup of a ‘cheap’ program? What if you don’t have a budget to pay out (or more accurately, mgmt won’t pay out)? People won’t disclose? Should you pay? Use a 3rd party?

    • 36 min
    Blumira Sponsor #3 - Emily Eubanks, more actionable events, incident response help, and more

    Blumira Sponsor #3 - Emily Eubanks, more actionable events, incident response help, and more

    Introduction
    Discuss IT turnover and actionable events
    Powershell logging and best practice
    Incident response assistance
    MFA best practices

    • 53 min
    0day disclosure, Randori, FBI email server pwnage

    0day disclosure, Randori, FBI email server pwnage

    introduction
    0day disclosure by Randori
    FBI LEEP system pwned

    • 36 min
    Sweden's parents rebel over poor App design, US government forcing patching of systems, and Vuln chaining

    Sweden's parents rebel over poor App design, US government forcing patching of systems, and Vuln chaining

    Sweden's parents make their own UI for a bad school app

    CISA is setting hard deadlines for patching

    Vuln chaining, why 3 CVSS 4 vulns cause more impact than 1 CVSS10

    Hacker's health art session report

    • 36 min
    Minimum Viable vendor security sheet, Federal logging requirements, and more!

    Minimum Viable vendor security sheet, Federal logging requirements, and more!

    intro
    Blumira interview recap
    Google/Salesforce/okta's miminum viable security checklist
    Ms. Berlin's painting with "Hacker's Health" November 5th
    fin

    • 55 min
    SPONSOR-Blumira's Nato Riley on Log Classification, Security Maturity,

    SPONSOR-Blumira's Nato Riley on Log Classification, Security Maturity,

    introduction

    logging challenges
    classify logs by importance
    what if your devices don't supply logs?
    finale

    • 44 min

Customer Reviews

4.7 out of 5
96 Ratings

96 Ratings

JoshCrist ,

Empowering, insightful and actionable! 🙌

Whether you’re well established as an innovator in infosec, or just getting started in the industry - this is a must-listen podcast for you! Bryan and the BDS team do an incredible job leading conversations that cover a huge breadth of topics related to the ins and outs of navigating the shifting landscape of data security - with leaders who’ve actually experienced success themselves. Highly recommend listening and subscribing!

The name iz already taken ,

Spelling

Braking*

bb7151 ,

Good team!

Topics are practical and varied. I also appreciate the fact that they are all involved in the security community which adds weight to their discussions.

Top Podcasts In News

You Might Also Like