450 episodes
BrakeSec Education Podcast Bryan Brake, Amanda Berlin, and Brian Boettcher
News
4.7 • 98 Ratings
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
How to get more headcount, BLUFFs Vulnerability, and Ranty Clause debuts!
Show Topic Summary:
Ms. Berlin poses the question of how to justify more headcount with metrics, we discuss the BLUFFS Bluetooth vulnerability, and “Ranty Claus” talks about CISA’s remarks about putting the onus on device makers to remove choice for customers and implement secure defaults.
#youtube VOD: https://www.youtube.com/watch?v=emcAzTx9z0c
Questions and topics:
https://cyberscoop.com/cisa-goldstein-secure-by-design/
https://hackaday.com/2023/12/02/update-on-the-bluffs-bluetooth-vulnerability/
Additional information / pertinent Links (Would you like to know more?):
https://cyberscoop.com/jen-easterly-secure-by-design/
https://www.cisa.gov/resources-tools/resources/stop-passing-buck-cybersecurity
Examples of companies forcing changes https://www.bleepingcomputer.com/news/microsoft/microsoft-will-roll-out-mfa-enforcing-policies-for-admin-portal-access/
https://github.com/aya-rs/aya - eBPF implementation in Rust
https://ossfortress.io/
https://www.darkreading.com/endpoint-security/critical-logofail-bugs-secure-boot-bypass-millions-pcs
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social, https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Twitter: @brakesec
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
-
25Oct - okta breached (again), Energy company hit by supply chain attack, and you can help hire the best people
Subscribe on Twitch using Amazon Prime and watch us live: https://twitch.tv/brakesec
Check out our VODs on Youtube: https://www.youtube.com/@BrakeSecEd
Join the BrakeSecEd discord: https://discord.gg/brakesec
News:
https://www.darkreading.com/remote-workforce/1password-latest-victim-okta-customer-service-breach
https://www.documentcloud.org/documents/24075435-bhi-notice
https://www.bleepingcomputer.com/news/security/us-energy-firm-shares-how-akira-ransomware-hacked-its-systems/
https://www.bleepingcomputer.com/news/security/ransomware-isnt-going-away-the-problem-is-only-getting-worse/
https://www.shacknews.com/article/137505/ransomware-group-capcom-2020-arrested
https://www.bleepingcomputer.com/news/security/flipper-zero-can-now-spam-android-windows-users-with-bluetooth-alerts/
https://www.nasdaq.com/articles/three-cybersecurity-sectors-that-resist-economic-downturns
-
Nicole Sundin - CPO at Axio - SEC compliance, usable security, setting up risk mgmt programs
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Guest Bio: Nicole is the Chief Product Officer at Axio. Nicole has spent her career building awareness around the benefits of usable security and human-centered security as a way to increase company revenue and create a seamless user experience.
Youtube VOD Link: https://youtube.com/live/tFaAB9an47g
Questions and topics: Usable security: is it an oxymoron?
What determines whether security is ‘usable’ or not? We sacrifice security for a better UX; what can be done to alleviate that? Or is it some sort of sliding scale between “poor UX, amazing security” and “awesome UX, poor security”?
Examples of poor UX for ‘people’: MFA and password managers.
SEC updates and ‘material events’ and how that would affect security, IR, and other company reporting functions.
Also, additional documentation (Regulation S-K Item 106) https://www.linkedin.com/posts/nicole-sundin-5225a1149_sec-adopts-rules-on-cybersecurity-risk-management-activity-7090065804083290112-ISD8
Are companies ready to talk about their cybersecurity? Can the SEC say “you’re not doing enough?”
What is ‘enough’?
Are we heading toward yet another audit needed for public companies, similar to SOX?
When does an 8-K get publicly disclosed?
Materiality is based on a “reasonable investor”?
So, you don’t need to announce that until you’re certain, and it’s based on what you can collect?
Cyber Risk Management and some good examples of how to set up a proper cyber risk organization
Additional Links:
https://csrc.nist.gov/CSRC/media/Projects/usable-cybersecurity/images-media/Is%20Usable%20Security%20an%20Oxymoron.pdf
http://web.mit.edu/Saltzer/www/publications/protection/Basic.html
https://www.sec.gov/news/press-release/2023-139
https://www.sec.gov/news/statement/munter-statement-assessing-materiality-030922
https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/sec-final-cybersecurity-disclosure-rules.html
https://www.nasa.gov/centers/ames/research/technology-onepagers/hc-computing.html
https://securityscorecard.com/blog/what-is-cyber-security-performance-management/
-
John Aron, letters of marque, what does a "junior" job look like with AI?
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Guest Bio: John is the CEO of Aronetics. An avid climber and runner, John has spoken at many conferences about topics like ZeroTrust, BIOS/UEFI security, communication security, and malware. Aronetics is a technology-enabled service provider.
Youtube VOD: https://youtube.com/live/5dIVTwVZLAU
Linkedin VOD: https://www.linkedin.com/video/live/urn:li:ugcPost:7101738254823030784
Show Topic Summary:
John joins us to discuss “letters of Marque” as a way for hackers to ‘hack back’, the overreliance on automation, and communication silos. We also talk about what a ‘junior position’ in infosec looks like with AI doing all the “Level 1 SOC Analyst” type roles normally given to someone fresh to the security industry.
Questions and topics:
Is infosec over reliant on automation? Automation comes with its own challenges.
Documentation woes
Automation is usually found in userland
Aronetics’ Thor provides defense and counter-offense tamper-proof technology digitally tied to
Letter of Marque - good idea, or geopolitical disaster waiting to happen?
Silos and communication: best ways to overcome those in an org and outside?
How do we overcome siloing?
Overcoming security challenges?
Identity management - 2FA is everywhere, and there are already ways around 2FA, so what now? 3FA? Biometrics? Make everyone carry around physical tokens that we can lose?
Blog post: https://www.aronetics.com/post-quantum-cryptography/
What do we need to protect against? Nation states with quantum computers? Rubber hose cryptography?
Crime thrives in areas of low visibility. https://www.aronetics.com/unknown/
https://www.aronetics.com/inside-the-breach/ (threat detection - the crime thrives in low vis areas)
Show points of Contact:
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
Amanda Berlin: @infosystir@infosec.exchange (Mastodon) @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social
-
Megan Roddie - co-author of "Practical Threat Detection Engineering"
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Buy here: https://subscription.packtpub.com/book/security/9781801076715
Amazon Link: https://packt.link/megan
Youtube VOD: https://www.youtube.com/watch?v=p1_jQa9OQ2w
Show Topic Summary:
Megan Roddie is currently working as a Senior Security Engineer at IBM. Along with her work at IBM, she works with the SANS Institute as a co-author of FOR509, presents regularly at security conferences, and serves as CFO of Mental Health Hackers. Megan has two Master's degrees, one in Digital Forensics and the other in Information Security Engineering, along with many industry certifications in a wide range of specialties. When Megan is not fighting cybercrime, she is an active competitor in Muay Thai/Kickboxing. She is a co-author of “Practical Threat Detection Engineering” from Packt publishing, on sale now in print and e-book. Buy here: https://subscription.packtpub.com/book/security/9781801076715
https://packt.link/megan ← Amazon redirect link that publisher uses if you want something easier on the notes
Questions and topics:
Of the 3 models, which do you find you use more and why? (PoP, ATT&CK, kill chain)
What kind of orgs have ‘detection engineering’ teams? What roles are involved here, and can other teams (like IR) be involved or share a reverse role there?
Lab setup requires an agent… any agent for ingestion or something specific?
How does Fleet or data ingestion work for IoT/embedded device testing? Anything you suggest?
How important is it to normalize your log output for ingestion? (app, web, server all tell the story)
Additional information / pertinent Links (Would you like to know more?):
Unified Kill Chain: https://www.unifiedkillchain.com/
ATT&CK: https://attack.mitre.org/
D3FEND matrix BrakeSec show from 2021: https://brakeingsecurity.com/2021-023-d3fend-framework-dll-injection-types-more-solarwinds-infections
Pyramid of Pain: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
https://www.securitymagazine.com/articles/98486-435-million-the-average-cost-of-a-data-breach
https://medium.com/@gary.j.katz (per Megan, ‘it’s basically Chapter 11 of the book’)
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social, Twitter, bluesky
Brakesec Website: https://www.brakeingsecurity.com
Twitter: @brakesec
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
-
Meeting new people, walking on your keyboard causes issues, even Google gets phone numbers wrong.
Check out our sponsor (BLUMIRA) at https://blumira.com/brake
YouTube channel link: https://youtube.com/c/BDSPodcast
Full video on our YouTube channel! https://www.youtube.com/watch?v=BkBeLuM_urk
https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/
https://www.darkreading.com/remote-workforce/hacker-infected-foiled-by-own-infostealer
https://therecord.media/cisa-warnings-adobe-microsoft-citrix-vulnerabilities
https://www.itsecurityguru.org/2023/07/18/millions-of-keyboard-walk-patterns-found-in-compromised-passwords/
https://therecord.media/airline-customer-support-phone-number-fraud-google
https://twitter.com/Shmuli/status/1680669938468499458
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
https://www.jdsupra.com/legalnews/tabletop-exercises-as-risk-mitigation-5278057/
https://www.darkreading.com/vulnerabilities-threats/linux-ransomware-poses-significant-threat-to-critical-infrastructure
https://bevyengine.org/ - Rust game engine
https://godotengine.org/ - a more mature Rust game engine
https://flappybird.io/ - which I suck at, BTW
Intro/outro music:
"Flex" by Jeremy Blake
Courtesy of YouTube Music Library (used with proper permissions)
Customer Reviews
Empowering, insightful and actionable! 🙌
Whether you’re well established as an innovator in infosec, or just getting started in the industry - this is a must-listen podcast for you! Bryan and the BDS team do an incredible job leading conversations that cover a huge breadth of topics related to the ins and outs of navigating the shifting landscape of data security - with leaders who’ve actually experienced success themselves. Highly recommend listening and subscribing!
Spelling
Braking*
Good team!
Topics are practical and varied. I also appreciate the fact that they are all involved in the security community which adds weight to their discussions.