[RERELEASE] What is the perception of information security - part 1

In the second episode of the refreshed edition of the Exploring Information Security (EIS) podcast (wow, that's a mouthful), I talk with Chris Maddalena about the perception of information security.

Chris recently gave a talk on FUD at BSides Detroit and CircleCityCon this past Summer, prompting me to explore the topic of information security perception with him. I think perception is something very important to the infosec community, especially, now that it is becoming more relevant in the public eye.

In part one of this two part series we talk about perception

  • What is the perception of infosec in business?

  • How do we change the perception of security?

  • We start getting into where security fits in an organization

[RERELEASE] What is a SIEM?

In this most excellent edition of the Exploring Information Security podcast, I talk with Derek Thomas a senior information security analyst specializing in log management and SIEM on the topic of: "What is a SIEM?"

Derek (@dth0m) has a lot of experience with SIEM and can be found on Linkedin participating in discussions on the technology. I had the opportunity to hang out with Derek at DerbyCon in 2015 and I came away impressed with his knowledge of SIEM. He seemed to be very passionate about the subject and that showed in this interview.

In this episode, we discuss:

  • How to pronounce SIEM

  • What is a SIEM

  • How to use a SIEM

  • The biggest challenge using a SIEM

  • How to tune the SIEM

  • Use cases, use cases, use cases.

More Resources:

[RERELEASE] What is threat modeling?

Originally posted August 13, 2014.

In the fifth edition of the Exploring Information Security (EIS) podcast, I talk with J Wolfgang Goerlich, Vice President of Vio Point, about threat modeling.

Wolfgang has presented at many conference on the topic of threat modeling. He suggests using a much similar method of threat modeling that involves threat paths, instead of other methods such as a threat tree or kill chain. You can find him taking long walks and naps on Twitter (@jwgoerlich) and participating in several MiSec (@MiSec) projects and events. 

In this interview Wolfgang covers:

  • What is threat modeling?

  • What needs to be done to threat model

  • Who should perform the threat modeling

  • Resources that can be used to build an effective threat model

  • The life cycle of a threat model

[RERELEASE] What is cryptography?

Originally posted July 30, 2014.

In the fourth edition of the Exploring Information Security (EIS) podcast, I talk to the smooth sounding Justin Troutman a cryptographer from North Carolina about what cryptography is.

Justin is a security and privacy research currently working on a project titled, "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. Be sure to check out his website for more information.

In the interview Justin talks about

  • What cryptography is

  • Why everyone should care about cryptography

  • What some of it's applications are

  • How someone would get started in cryptography and what are some of the skills needed

[RERELEASE] What is a Chief Information Security Officer (CISO)

Originally July 9, 2015.

In the third edition of the Exploring Information Security (EIS) podcast my infosec cohort Adam Twitty and I talk to the Wh1t3 Rabbit, Rafal Los, about what exactly a Chief Information Security Officer, otherwise known as CISO, is.

Rafal Los (@Wh1t3Rabbit) is the Director of Solutions Research at Accuvant. He produces the Down The Security Rabbithole podcast and writes the Following the Wh1t3 Rabbit security blog. On several occasions he's tackled the CISO role within an organization on both his podcast and blog.  I would highly recommend both if you're in the infosec field or looking to get into it.

In the interview Rafal talks about:

  • What a CISO is

  • What role does a CISO fill in an organization

  • Who skills are needed to be an effective CISO

  • The different types of CISOs

[RERELEASE] How to make time for a home lab

In this timely episode of the Exploring Information Security podcast, Chris Maddalena and I continue our home lab series by answering a listener's question on how to find time for a home lab.

Chris (@cmaddalena) and I were asked the question on Twitter, "How do you make time for a home lab?" We answered the question on Twitter, but also decided the question was a good topic for an EIS episode. Home labs are great for advancing a career or breaking into information security. To find the time for them requires making them a priority. It's also good to have a purpose. The time I spend with a home lab is often sporadic and coincides with research on a given area.

In this episode we discuss:

  • Making a home lab a priority

  • Use cases for a home lab

  • Ideas for fitting a home lab into a busy schedule

More resource:

[RERELEASE] What is application security?

In this tenacious edition of the Exploring Information Security podcast, I talk with Frank Catucci of Qualys as we answer the questions: "What is application security?"

Frank (@en0fmc) has a lot of experience with application security. His current role is the director for web application security and product management at Qualys.  He's also the chapter leader for OWASP Columbia, SC. He lives and breathes application security.

In this episode we discuss:

  • What is applications security?

  • Why is application security important?

  • Where application security should be integrated

  • Resources for getting into application security

[RERELEASE] How Macs get Malware

In this installed episode of the Exploring Information Security podcast, Wes Widner joins me to discuss how Macs get malware.

Wes (@kai5263499) spoke about this topic at BSides Hunstville this year. I was fascinated by it and decided to invite Wes on. Mac malware is a bit of an interest for Wes. He's done a lot of research on it. His talk walks through the history of malware on Macs. For Apple fan boys, Macs are still one of the more safer options in the personal computer market. That is changing though. Macs because of their increased market share are getting targeted more and more. We discuss some pretty nifty tools that will help with fending off that nasty malware. Little Snitch is one of those tools. Some malware actively avoids the application. Tune in for some more useful information.

In this episode we discuss:

  • How Macs get malware

  • What got Wes into Mac malware

  • The history of Mac malware

  • What people can do to protect against Mac Malware

More resources:

[RERELEASE] Why communication in infosec is important - Part 2

In this communicative episode of the Exploring Information Security podcast, Claire Tills joins me to discuss information security communication.

Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.

In this episode we discuss:

  • How important is it for the company to take security seriously

  • How would someone get started improving communication?

  • Why we have a communication problem in infosec

  • Where should people start

More resources:

[RERELEASE] Why communication in infosec is important

In this communicative episode of the Exploring Information Security podcast, Claire Tills joins me to discuss information security communication.

Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team at Tenable. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.

In this episode we discuss:

  • What Claire’s experience is with communication and infosec

  • What’s ahead for communication in infosec

  • Why do people do what they do?

  • What questions to ask

More resources:

[RERELEASE] How to network in information security - part 2

In this edition of the Exploring Information Security podcast, I discuss with Johnny Xmas how to network in information security.

Johnny (@J0hnnyXm4s) is a penetration tester for Redlegg and an accomplished speaker at security conferences around the United States and Iceland. One of Johnny's more recent talks is titled "That's not my RJ45 Jack" which covers, among other topics, how to interact with people. I saw this talk in April when I went to BSides Nashville and it has a lot of good information that can be applied to networking with people in general.

In part two we discuss:

  • Resources for getting better at networking

  • Some of the challenges of learning to network

[RERELEASE] How to network in information security - part 1

In this edition of the Exploring Information Security podcast, I discuss with Johnny Xmas how to network in information security.

Johnny (@J0hnnyXm4s) is a penetration tester for Redlegg and an accomplished speaker at security conferences around the United States and Iceland. One of Johnny's more recent talks is titled "That's not my RJ45 Jack" which covers, among other topics, how to interact with people. I saw this talk in April when I went to BSides Nashville and it has a lot of good information that can be applied to networking with people in general.

In part one we discuss:

  • What is networking?

  • How can Twitter be leverage to strengthen and improve your network?

[RERELEASE] How to find vulnerabilites

In this susceptible edition of the Exploring Information Security podcast, Samy Kamkar joins me to discuss how to find vulnerabilities.

Samy (@samykamkar) shouldn't need too much of an introduction to most people. He's been in the news for hacking garage doors, credit cards, cars, and much much more. Samy likes to hack things and has a knack for finding vulnerabilities in everything from locked machines to wireless doorbells. His site has the full list of vulnerabilities as well as videos and press appearances. Which made him the perfect guess for talking about how to find vulnerabilities.

In this episode we discuss:

  • What got him started in looking for vulnerabilities

  • What is a vulnerability

  • What skills are necessary for finding vulnerabilities

  • How he decides his next project

  • The steps to finding vulnerabilities

  • What he does when he discovers a vulnerability

  • How long the process takes

[RERELEASE] What is data driven security?

In this statistically-inclined edition for the Exploring Information Security podcast, I talk with Bob Rudis co-author of Data Driven Security to answer the questions: "What is data driven security?"

I recently read Data Driven Security: Analysis, Visualization and Dashboards by Jay Jacobs (@jayjacobs) and Bob Rudis (@hrbrmstr). The book is easy to read and a very good introduction into the world of data and security. Both Jay and Bob were kind with their time when I had questions about exercises in the books. After reading the book I decided to have Bob on to talk more about data driven security. 

Bob Rudis is also a contributor to the Verizon DBIR and these projects below:

In this episode we discuss:

  • What is data driven security?

  • The benefits of data driven security

  • How it should be implemented

  • Where it can be applied

Bob also gave me a long list of resources for those looking to get into data-driven security:

[RERELEASE] What is a CISSP?

In this certifiably awesome episode of the Exploring Information Security podcast, I explore what a Certified Information Systems Security Professional with Javvad Malik.

Javvad Malik (@J4vv4d) doesn't need much introduction. He's done a video on the benefits of being a CISSP. He's also done a music video with his Host Unknown crew on the CISSP. There's also The CISSP companion handbook he wrote. which has a collection of stories and experiences dealing with the 10 domains of the CISSP. Check out his website at j4vv4d.com and his YouTube channel.

In this episode we discuss:

  • What is a CISSP?

  • What is the value of having a CISSP?

  • Who should get the CISSP?

  • The nuances of the certification test (pay attention to the questions)

More resources:

[RERELEASE] How to deal with the "experience required" paradox

In this exciting edition of the Exploring Information Security (EIS) podcast, I talk with Jerry Bell about overcoming the "experience required" requirement on infosec job postings.

Jerry recently had a blog post on his site (malicious link) titled, "Dealing With The Experience Required Paradox For Those Entering Information Security." It is a wonderful article with actionable items on what people can do to overcome that stipulation on job postings. Jerry is also a co-host for the Defensive Security podcast.

In this episode we talk about:

  • Activities that can be done to overcome "experience required"

  • Who is does this requirement apply

  • Our own personal experiences and suggestions for overcoming the paradox

[RERELEASE] How to ZAP your websites

Originally posted on September 11, 2014.

In the seventh edition of the Exploring Information Security (EIS) podcast, I talk with Zed Attack Proxy (ZAP) creator and project lead Simon Bennetts.

Simon is the project lead for ZAP an OWASP Open Web Application Security Project. He has a developer background and originally built the tool to help developers build better applications. The tool was so good that it caught the eye of the security community and is now used by developers, people just getting into security and veteran pen testers. You can follow him on Twitter @psiinon and find out more on the tool by going to the project site on OWASP.

In this interview we cover:

  • What is ZAP and how did the project get started?

  • Who should utilize ZAP?

  • What skill level is need to start using ZAP?

  • Where should ZAP be used?

  • How you can get involved in the project.

[RERELEASE] How to get into information security

Originally posted June 25, 2014

I've been wanting to do a podcast, for a while now, on information security. I wasn't sure what I wanted the objective of the podcast to be. Most of the information security podcasts out there, or at least the ones I listen to, usually do a guest interview and cover some of the latest news and happenings within the information security. I didn't want to spin up, yet, another one of those.

Instead I've decided to spin up a podcast that explores the world of information security. One of the things I've been hearing the infosec community needs are people to teach security to those inside and outside the community. I am still very much in the early stages of my career as an information security professional and trying to learn as much as I can. I thought a podcast that allowed me to share what I've learned and explored would make for a great podcast. So here we are and my first podcast is about how to get into information security.

To explore that topic I decided to do an interview with VioPoint consultant and roundhouse master Jimmy Vo (@JimmyVo). We covered how he got into information security and also talked about some of things people on the outside looking in can do to get into information security.

Feedback is very much appreciated and wanted. Leave them in the comment section or contact me via email.

 

[RERELEASE] What is MS08-067?

In this artistic episode of the Exploring Information Security podcast, Mubix joins me to discuss MS08-067.

Mubix (@mubix), available at room362 and Hak5, joins me to discuss one of his favorite exploits: MS08-067. I invited Mubix on to talk about MS08-067 because of a tweet he retweeted. The tweet included a confession that a consultant used the MS08-067 vulnerability to break into a clients network. This vulnerability is really old and while not widespread it does pop-up from time-to-time. I was happy to discover that Mubix has a great appreciation for the exploit.

In this episode we discuss:

  • What is MS08-067?

  • How long has it been around?

  • Why is it still around?

  • What name it would be given in today

More resources:

[RERELEASE] What is the SANS Holiday Hack Challenge

In this holiday edition of the Exploring Information Security podcast, Ed Skoudis joins me to discuss the SANS Holiday Hack Challenge.

Around this time each year the SANS Holiday Hack Challenge releases under the direction of Ed (@edskoudis) and instructor with the SANS institute. This year Santa has been kidnapped and it’s up to use to figure out who did it and save Christmas. The challenge is for new people in infosec, and for those who have been in the industry for many years. As Ed notes in the episode it is even for children. The challenge itself has been around for years and several past years are still available for people to go through.

In this episode we discuss:

  • What is the SANS Holiday Hack Challenge

  • How it got started

  • What preparation goes into making the challenge each year

  • Who can participate