How to harden AWS

In this firm episode of the Exploring Information Security podcast, Andrew Krug of ThreatResponse joins me to discuss tips and resources for hardening AWS.

Andrew (@andrewkrug) and Alex (@amccormack) recently presented on AWS hardening at DerbyCon (slides). I previously talked about their talk on the "What I learned at DerbyCon" episode. Andrew was gracious enough to join me to discuss what he covered in the talk. He also provided some other tips and resources for improving the security of an AWS environment.

In this episode we discuss:

  • Why hardening AWS is important
  • What attacks we need to worry about in AWS
  • How to harden AWS
  • The tools he's created to help harden AWS


How to break Android apps for fun and profit - part 2

In this ruptured episode of the Exploring Information Security podcast, Bill Sempf joins me to discuss how to break Android apps.

Bill (@sempf) is an application security architect who loves the grind of security. He recently spoke at DerbyCon on "Breaking Android apps for fun and profit." Watching the talk prompted me to invite Bill on the show to dive in a little more. What I like about the talk is that it's almost entirely a demo that walks through the steps of setting up the test environment. You can find more content from Bill at his website and the OWASP .NET project.

In this episode we discuss:

  • Other tools to use for testing mobile applications
  • OWASP Mobile Top Ten
  • Methodology for testing
  • Types of vulnerabilities Bill has found


How to break Android apps for fun and profit - part 1

In this ruptured episode of the Exploring Information Security podcast, Bill Sempf joins me to discuss how to break Android apps.

Bill (@sempf) is an application security architect who loves the grind of security. He recently spoke at DerbyCon on "Breaking Android apps for fun and profit." Watching the talk prompted me to invite Bill on the show to dive in a little more. What I like about the talk is that it's almost entirely a demo that walks through the steps of setting up the test environment. You can find more content from Bill at his website and the OWASP .NET project.

In this episode we discuss:

  • Why break an Android app
  • The skills needed to break Android apps
  • We start to get into some of the tools needed to break an Android app
  • What operating system to perform the tests on


What is a denial of service (DoS) attack?

In this disclaimed episode of the Exploring Information Security podcast, Daniel Smith of Radware joins me to discuss denial of service attacks.

Daniel (@hypoweb) is a security researcher at Radware, and he loves watching denial of service attacks. He joins me to explain what a denial of service attack is and the nuances of this type of attack. He will be speaking on this type of attack and the threat landscape in general in Bogotá, Colombia, on October 26, 2016, at Tactical Edge.

In this episode we discuss:

  • What is a denial of service attack
  • The different kinds of denial of service attacks
  • Who will launch a denial of service attack
  • Who DoS attacks typically target

What I learned at DerbyCon

In this enlightening episode of the Exploring Information Security podcast, I talk about what I learned at DerbyCon.

This was my second trip to DerbyCon. Last year was a wonderful experience. This year was much the same. While at the conference I had some takeaways that I wanted to share on the podcast (also, I've been slacking in getting guests on the show lately).

What is Practical Web Application Penetration Testing?

In this educational edition of the Exploring Information Security podcast, Tim Tomes joins me to discuss Practical Web Application Penetration Testing (PWAPT) training.

Tim (@LaNMaSteR53) is one of the leading names within the application security field. A former instructor for many organizations, he wanted to do more with training. He wanted to give attendees more hands-on work: get into an application, exploit it, and then provide remediation steps. He came up with the PWAPT training.

In this episode we discuss:

  • How the idea for the training came about
  • Why the training is important
  • Who should attend the training
  • What makes this training unique

How to find balance in information security

In this balanced edition of the Exploring Information Security podcast, Joey Maresca AKA l0stkn0wledge joins me to discuss finding balance in information security.

Joey (@l0stkn0wledge) has been in the infosec industry for over 10 years. He's had his highs and he has had his lows. He joins me to discuss some of those lows and what he did to get out of them. In the end it's all about setting goals and moving towards inner peace. This is another episode in our DerbyCon series.

Joey's DerbyCon talk is available here.

In this episode we discuss:

  • What the talk is about
  • The idea for this talk
  • Why finding balance is important
  • How to find that balance

What can an OSINT creeper learn?

In this creepy edition of the Exploring Information Security podcast, Josh Huff and I discuss what you can learn being an OSINT creeper.

Josh (@baywolf88) is one of the up and coming professionals in the Open Source Intelligence (OSINT) discipline. By day, he's a forensic analyst at an investigation firm. By night, he's an information gathering OSINT creeper. He's been studying OSINT heavily the last year and is here to share his experience and lessons learned.

Josh's talk is available here.

In this episode we discuss:

  • What is an OSINT creeper?
  • What is the methodology of OSINT creeping?
  • What are the lessons learned?
  • How to get started OSINT creeping

How to automate security into the SDLC

In this automatic episode of the Exploring Information Security podcast, Jimmy Byrd joins the show to discuss his DerbyCon talk, "Security automation in your continuous integration pipeline."

Jimmy (@jimmy_byrd) is the lead developer at Binary Defense. Recently, he was accepted to speak at DerbyCon. He will be speaking Saturday September 24, 2016, in the stable talk track. His topic is on integrating security into the automation part of the software development life cycle (SDLC).

Jimmy's DerbyCon talk is available here.

In this episode we discuss:

  • What is the SDLC?
  • What is continuous integration?
  • Why getting security automated in the SDLC is important
  • How to get security automated in the SDLC


What is DerbyCon?

In the return of the Exploring Information Security podcast, I explore DerbyCon with Adrian Crenshaw AKA Irongeek.

Adrian (@Irongeek_adc) is one of the founding members of DerbyCon. Last year I went to DerbyCon for the first time. I had an absolute blast, and I'm happy that I am getting an opportunity to go again this year. The talks are all fantastic, but even better are the connections that can be made at the conference. DerbyCon is in Louisville, Kentucky, September 21 - 25, 2016. The conference is sold out, but tickets can usually be found by watching Twitter for people selling them.

DerbyCon videos are up.

In this episode we discuss:

  • The origins of DerbyCon
  • All the events and activities available
  • How to get involved in the conference
  • BONUS: How to get accepted at DerbyCon


EIS taking a break

First, thank you to everyone who listens to the show regularly. From time-to-time I hear from people who enjoy the show and I couldn't be happier that they enjoy the content I produce. With that said, the show is going into a temporary hiatus. I am in a big transition right now in life and maintaining the show has become a struggle.

I have decided to take a break because I don't want the quality of the shows to suffer. I'm hoping it's only a month long hiatus, but there is a chance it could be longer. A lot of it will depend on how quickly I can get out of the chaos and into a regular routine. I want to thank everyone in advance and I am looking forward to filling the feed with new episodes.

Thank you,

Tim

When not to use Burp Suite

In this gassy edition of the Exploring Information Security podcast, James Green joins me to discuss when not to use Burp Suite. 

James (@Greenjam94) is a member of the MISec community and recently gave a talk about why not to use Burp Suite. Being in application security this was a topic I had interest in. Unfortunately, the presentation was not recorded. I decided to take matters into my own hands and have James on the show to discuss this topic.

In this episode we discuss:

  • What is Burp Suite?
  • How is Burp used
  • Why Burp shouldn't be used
  • When to use Burp

How to write an infosec resume

In this advice driven episode of the Exploring Information Security podcast, I talk about my experiences writing a resume.

I received some positive feedback from people on the, "How I got into information security" episode. I've decided to try another episode where I talk about writing a resume for an information security position. Writing a resume for infosec is not unlike writing a resume for any other field. Two resources I've leaned heavily on to improve my resume are the Career Tools podcast and What Color Is Your Parachute by Richard N. Bolles. I recommend both for those looking to improve their resume.

What is MS08-067?

In this artistic episode of the Exploring Information Security podcast, Mubix joins me to discuss MS08-067.

Mubix (@mubix), available at room362 and Hak5, joins me to discuss one of his favorite exploits: MS08-067. I invited Mubix on to talk about MS08-067 because of a tweet he retweeted. The tweet included a confession that a consultant used the MS08-067 vulnerability to break into a client's network. This vulnerability is really old and, while not widespread, it does pop up from time to time. I was happy to discover that Mubix has a great appreciation for the exploit.

In this episode we discuss:

  • What is MS08-067?
  • How long has it been around?
  • Why is it still around?
  • What name it would be given today


What is another home lab use case?

In this alternate episode of the Exploring Information Security podcast, Brian Hearn joins me to discuss another home lab use case.

Brian (@drambuie_B), after listening to the "How to build a home lab" episode, gave me some feedback on it. He also shared his home lab setup. He uses an application called GNS3, which allows him to set up a more elaborate networking lab. I was intrigued and decided to have him on to discuss his lab further.

In this episode we discuss:

  • Brian's home lab setup
  • How he uses the lab
  • What he gains from this lab setup
  • GNS3

How I got into information security

In this journey episode of the Exploring Information Security podcast, I discuss how I got into information security.

I am in a bit of a transition right now. Getting guests for the show hasn't been as much of a priority for me the last month. This is something I've been wanting to try, and so naturally now is a good time to experiment. In this episode I talk about my path to information security, which includes military service and roles as a systems analyst and as a network and systems administrator.

I would appreciate feedback on this episode. I may do more of these where I'm just solo talking about my personal experiences or covering certain topics. Email me at timothy[dot]deblock[at]gmail[dot]com or hit me up on Twitter @TimothyDeBlock.

What is Tactical Edge?

In this exotic episode of the Exploring Information Security podcast, Ed Rojas joins me to answer the question, "What is Tactical Edge?"

Ed (@EdgarR0jas) is the creator of Tactical Edge (@Tactical3dge), which runs October 24 - 27, 2016, and co-host of the PVC Security podcast. For listeners of that podcast, I apologize: you've heard about Tactical Edge extensively. However, I managed to get a little more out of him in this episode. We discuss the origins and what makes this conference unique.

In this episode we discuss:

  • What is Tactical Edge
  • The origins of the conference
  • What makes it unique
  • Some of the fun activities to take part in while at the conference.

What is social engineering?

In this humanized episode of the Exploring Information Security podcast, Valerie Thomas joins me to answer the question, "What is social engineering?"

Valerie (@hacktress09) is an executive consultant for Securicon. She uses many techniques to pentest an organization via social engineering. One of the techniques she uses the most is phishing emails.

In this episode we discuss:

  • What is social engineering?
  • The different types of social engineering techniques
  • How social engineering tests are conducted
  • Why social engineering is important.


How to be a better mentor

In this guided episode of the Exploring Information Security podcast, Chris Spehn joins me to discuss, how to be a better mentor.

Chris (@_Lopi_) has some interesting thoughts on mentorship and how the infosec community can be better at it. Here is the tweet from Chris that caught my attention:

Upon further investigation I noted that Chris is creating a game for people trying to break into information security. How this applies? You will have to listen to the episode.

In this episode Chris and I discuss:

  • What is a mentor?
  • Why mentors are important
  • How to define a good mentor
  • Mentorship doesn't have to always be a one-on-one thing

What is a security framework?

In this framed episode of the Exploring Information Security podcast, Steven Legg joins me to answer the question, What is a security framework?

Steven (@ZenM0de) is a principal security strategist at eSentire. Part of his role is implementing, and even sometimes creating, security frameworks for organizations. We define what a security framework is and then discuss the process for choosing a framework.

In this episode we discuss:

  • What is a security framework
  • Why is it important
  • Who should be making the decision on a security framework
  • How to know the right one has been chosen
