When not to use Burp Suite

In this gassy edition of the Exploring Information Security podcast, James Green joins me to discuss when not to use Burp Suite. 

James (@Greenjam94) is a member of the MISec community and recently gave a talk about why not to use Burp Suite. Being in application security this was a topic I had interest in. Unfortunately, the presentation was not recorded. I decided to take matters into my own hands and have James on the show to discuss this topic.

In this episode we discuss

  • What is Burp Suite?
  • How is Burp used
  • Why Burp shouldn't be used
  • When to use Burp

How to write an infosec resume

In this advice driven episode of the Exploring Information Security podcast, I talk about my experiences writing a resume.

I received some positive feedback from people on the, "How I got into information security" episode. I've decided to try another episode where I talk about writing a resume for an information security position. Writing a resume for infosec is not unlike writing a resume for any other field. Two resources I've leaned heavily on to improve my resume are the Career Tools podcast and What Color Is Your Parachute by Richard N. Bolles. I recommend both for those looking to improve their resume.

In this episode I discuss:

What is MS08-067?

In this artistic episode of the Exploring Information Security podcast, Mubix joins me to discuss MS08-067.

Mubix (@mubix), available at room362 and Hak5, joins me to discuss one of his favorite exploits: MS08-067. I invited Mubix on to talk about MS08-067 because of a tweet he retweeted. The tweet included a confession that a consultant used the MS08-067 vulnerability to break into a client's network. This vulnerability is really old and, while not widespread, it does pop up from time to time. I was happy to discover that Mubix has a great appreciation for the exploit.

In this episode we discuss:

  • What is MS08-067?
  • How long has it been around?
  • Why is it still around?
  • What name it would be given today

More resources:

What is another home lab use case?

In this alternate episode of the Exploring Information Security podcast, Brian Hearn joins me to discuss another home lab use case.

Brian (@drambuie_B), after listening to the How to build a home lab episode, gave me some feedback on it. He also shared his home lab setup. He uses an application called GNS3, which allows him to set up a more elaborate networking lab. I was intrigued and decided to have him on to discuss his lab further.

In this episode we discuss:

  • Brian's home lab setup
  • How he uses the lab
  • What he gains from this lab setup
  • GNS3

How I got into information security

In this journey episode of the Exploring Information Security podcast, I discuss how I got into information security.

I am in a bit of a transition right now. Getting guests for the show hasn't been as much of a priority for me the last month. This is something I've been wanting to try, and so naturally now is a good time to experiment. In this episode I talk about my path to information security, which includes military service and roles as a system analyst and as a network and system administrator.

I would appreciate feedback on this episode. I may do more of these where I'm just solo talking about my personal experiences or covering certain topics. Email me at timothy[dot]deblock[at]gmail[dot]com or hit me up on Twitter @TimothyDeBlock.

What is Tactical Edge?

In this exotic episode of the Exploring Information Security podcast, Ed Rojas joins me to answer the question, "What is Tactical Edge?"

Ed (@EdgarR0jas) is the creator of Tactical Edge (@Tactical3dge), which runs October 24 - 27, 2016, and a co-host of the PVC Security podcast. For listeners of that podcast, I apologize. You've heard about Tactical Edge extensively. However, I managed to get a little more out of him in this episode. We discuss the origins of the conference and what makes it unique.

In this episode we discuss:

  • What is Tactical Edge
  • The origins of the conference
  • What makes it unique
  • Some of the fun activities to take part in while at the conference.

What is social engineering?

In this humanized episode of the Exploring Information Security podcast, Valerie Thomas joins me to answer the question, "What is social engineering?"

Valerie (@hacktress09) is an executive consultant for Securicon. She uses many techniques to pentest an organization via social engineering. One of the techniques she uses the most is phishing emails.

In this episode we discuss:

  • What is social engineering?
  • The different types of social engineering techniques
  • How social engineering tests are conducted
  • Why social engineering is important.

More resources:

How to be a better mentor

In this guided episode of the Exploring Information Security podcast, Chris Spehn joins me to discuss how to be a better mentor.

Chris (@_Lopi_) has some interesting thoughts on mentorship and how the infosec community can be better at it. Here is the tweet from Chris that caught my attention:

Upon further investigation I noted that Chris is creating a game for people trying to break into information security. How does this apply? You will have to listen to the episode.

In this episode Chris and I discuss:

  • What is a mentor?
  • Why mentors are important
  • How to define a good mentor
  • Mentorship doesn't have to always be a one-on-one thing

What is a security framework?

In this framed episode of the Exploring Information Security podcast, Steven Legg joins me to answer the question, "What is a security framework?"

Steven (@ZenM0de) is a principal security strategist at eSentire. Part of his role is implementing, and even sometimes creating, security frameworks for organizations. We define what a security framework is and then discuss the process for choosing a framework.

In this episode we discuss:

  • What is a security framework
  • Why is it important
  • Who should be making the decision on a security framework
  • How to know the right one has been chosen

More resources:

How to make time for a home lab

In this timely episode of the Exploring Information Security podcast, Chris Maddalena and I continue our home lab series by answering a listener's question on how to find time for a home lab.

Chris (@cmaddalena) and I were asked the question on Twitter, "How do you make time for a home lab?" We answered the question on Twitter, but also decided the question was a good topic for an EIS episode. Home labs are great for advancing a career or breaking into information security. To find the time for them requires making them a priority. It's also good to have a purpose. The time I spend with a home lab is often sporadic and coincides with research on a given area.

In this episode we discuss:

  • Making a home lab a priority
  • Use cases for a home lab
  • Ideas for fitting a home lab into a busy schedule

More resources:

How to build a home lab

In this getting started episode of the Exploring Information Security podcast, I discuss how to build a home lab with Chris Maddalena.

Chris (@cmaddalena) and I have submitted to a couple of calls for training at CircleCityCon, Converge, and BSides Detroit this summer on the topic of building a home lab. I will also be speaking on this subject at ShowMeCon. Home labs are great for advancing a career or breaking into information security. The bar is really low on getting started with one. A gaming laptop with decent specifications works great. For those with a lack of hardware or funds, there are plenty of online resources to take advantage of.

In this episode we discuss:

  • What is a home lab?
  • Why would someone want to build a home lab?
  • What are the different kinds of home labs?
  • What are the requirements?
  • How to get started building a home lab

More resources:

What is red vs. blue? - Part 2

In this competitive episode of the Exploring Information Security podcast, I discuss red team vs. blue team with Mubix AKA Rob Fuller.

Rob (@Mubix) recently had a post titled "Friendly Fire." In the post he talks about the red vs. blue dynamic and some of the pitfalls of that attitude. I knew of the red vs. blue dynamic, but I never thought it would be hurting the security industry. I decided to have Mubix on to discuss the topic a little bit more.

In this episode we discuss:

  • Maximizing the pentest window
  • CTFs and how they contribute to the problem

More Resources

What is Red vs. Blue - Part 1

In this competitive episode of the Exploring Information Security podcast, I discuss red team vs. blue team with Mubix AKA Rob Fuller.

Rob (@Mubix) recently had a post titled "Friendly Fire." In the post he talks about the red vs. blue dynamic and some of the pitfalls of that attitude. I knew of the red vs. blue dynamic, but I never thought it would be hurting the security industry. I decided to have Mubix on to discuss the topic a little bit more.

In this episode we discuss:

  • Define red team vs. blue team
  • Working together

More Resources

How to start a successful CitySec meetup - Part 2

In this get together episode of the Exploring Information Security podcast, I discuss "How to start a successful CitySec meetup" with BurbSec organizer Johnny Xmas.

Johnny (@J0hnnyXm4s) helps organize four monthly meetups in the Chicago area called BurbSec. Starting a CitySec is a unique challenge, but one that is easily doable. CitySecs provide an opportunity for security professionals and enthusiasts to get together to network, learn, and improve their security mindset. Johnny will be presenting this topic as a talk at BSides Nashville on April 16, 2016.

In this episode we discuss:

  • Location of the meetup
  • Website viability

More Resources

How to start a successful CitySec meetup - Part 1

In this get together episode of the Exploring Information Security podcast, I discuss "How to start a successful CitySec meetup" with BurbSec organizer Johnny Xmas.

Johnny (@J0hnnyXm4s) helps organize four monthly meetups in the Chicago area called BurbSec. Starting a CitySec is a unique challenge, but one that is easily doable. CitySecs provide an opportunity for security professionals and enthusiasts to get together to network, learn, and improve their security mindset. Johnny will be presenting this topic as a talk at BSides Nashville on April 16, 2016.

In this episode we discuss:

  • The origin story of BurbSec in Chicago
  • Marketing
  • The people who attend CitySec meetups

More Resources

How to attend a conference

In this driven episode of the Exploring Information Security podcast, I discuss how to attend a conference with Wolfgang Goerlich, the director of security strategy at CBI.

Wolf (@jwgoerlich) recently produced an interesting PVCSec episode at CodeMash on the challenges of getting into infosec. One of the interesting notes from that podcast was learning how to attend a conference. It was such a great point that I invited Wolf back on EIS to discuss how to get the most out of attending a conference.

In this episode we discuss:

  • What attending a conference means
  • The individual goals of attendees
  • Attending a conference: pre-game, attending, and post-conference
  • Experiences that should be taken away from attending a conference

More Resources

What is the Security Culture Conference? - Part 2

In this relationship building episode of the Exploring Information Security podcast, I explore what the Security Culture Conference (Oslo, Norway, June 14 - 15, 2015) is with Kai Roer, the creator of the Security Culture Framework.

Kai (@kairoer) is a speaker, trainer, consultant, and the creator of the Security Culture Framework (SCF). The framework deals with embedding a security mindset into the entire organization. It takes security awareness training to the next level by not only performing the training, but then measuring its effectiveness. The Security Culture Conference is a result of that idea. It brings together the brightest minds in security and gives them a platform to share ideas on the security culture in an organization. The conference is June 14 - 15 in Oslo, Norway.

EIS listeners can get a discount on an admission ticket by entering promo code: PVCSEC

In part two we focus on the Security Culture Framework:

  • Why you should attend the conference
  • What was the motivation for the conference?
  • The type of content people can expect
  • The activities attendees can expect while attending the conference

What is the Security Culture Conference? - Part 1

In this relationship building episode of the Exploring Information Security podcast, I explore what the Security Culture Conference (Oslo, Norway, June 14 - 15, 2015) is with Kai Roer, the creator of the Security Culture Framework.

Kai (@kairoer) is a speaker, trainer, consultant, and the creator of the Security Culture Framework (SCF). The framework deals with embedding a security mindset into the entire organization. It takes security awareness training to the next level by not only performing the training, but then measuring its effectiveness. The Security Culture Conference is a result of that idea. It brings together the brightest minds in security and gives them a platform to share ideas on the security culture in an organization. The conference is June 14 - 15 in Oslo, Norway.

EIS listeners can get a discount on an admission ticket by entering promo code: PVCSEC

In part one we focus on the Security Culture Framework:

  • What is the Security Culture Framework
  • How it's applied to an organization
  • The four items of success
  • Metrics used to measure security culture

More Resources

What is a CISSP?

In this certifiably awesome episode of the Exploring Information Security podcast, I explore what a Certified Information Systems Security Professional (CISSP) is with Javvad Malik.

Javvad Malik (@J4vv4d) doesn't need much introduction. He's done a video on the benefits of being a CISSP. He's also done a music video with his Host Unknown crew on the CISSP. He also wrote The CISSP Companion Handbook, which has a collection of stories and experiences dealing with the 10 domains of the CISSP. Check out his website at j4vv4d.com and his YouTube channel.

In this episode we discuss:

  • What is a CISSP?
  • What is the value of having a CISSP?
  • Who should get the CISSP?
  • The nuances of the certification test (pay attention to the questions)

More resources:

What is the problem we're trying to solve?

In this catalyst episode of the Exploring Information Security podcast, I explore the question, "What is the problem we're trying to solve?" with Michael Santarcangelo.

Michael Santarcangelo, AKA The @catalyst, joins me to explain why answering the question is key to better security. The question, "What is the problem we're trying to solve?" is the first step in identifying whether or not the problem at hand is worth addressing at this time. Essentially: is this what we should be working on right now, and what will this gain us? This is a question to be answered by leadership. Michael has two decades of experience in security and working at the executive level. He's a regular on the Security Weekly and Down the Security Rabbithole podcasts. He's also launching his new program, Straight Talk on Security.

In this episode we discuss:

  • What does the question mean?
  • Risk catnip
  • Why is the question important?
  • How to answer the question
  • The three perspectives of the question