Why communication in infosec is important - Part 2

October 7, 2018

In this communicative episode of the Exploring Information Security podcast, Claire Tills joins me to discuss information security communication.

Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.

In this episode we discuss:

How important is it for the company to take security seriously
How would someone get started improving communication?
Why we have a communication problem in infosec
Where should people start

More resources:

Networking with Humans to Create a Culture of Security by Tracy Maleeff - BSides NoVa 2017
Courtney K BsidesLV 2018, Implementing the Three Cs of Courtesy, Clarity, and Comprehension to Optimize End User Engagement (video not available yet)
BSidesWLG 2017 - Katie Ledoux - Communication: An underrated tool in the infosec revolution
Jeff Man, The Art of the Jedi Mind Trick
The Thing Explainer: Complicated Stuff in Simple Words
Chris Roberts, Communication Across Ranges

[RSS Feed] [iTunes]

Why communication in infosec is important - Part 1

September 30, 2018

In this communicative episode of the Exploring Information Security podcast, Claire Tills joins me to discuss information security communication.

Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team at Tenable. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.

In this episode we discuss:

What Claire’s experience is with communication and infosec
What’s ahead for communication in infosec
Why do people do what they do?
What questions to ask

More resources:

Networking with Humans to Create a Culture of Security by Tracy Maleeff - BSides NoVa 2017
Courtney K BsidesLV 2018, Implementing the Three Cs of Courtesy, Clarity, and Comprehension to Optimize End User Engagement (video not available yet)
BSidesWLG 2017 - Katie Ledoux - Communication: An underrated tool in the infosec revolution
Jeff Man, The Art of the Jedi Mind Trick
The Thing Explainer: Complicated Stuff in Simple Words
Chris Roberts, Communication Across Ranges

[RSS Feed] [iTunes]

A conversation with Justin Seitz

September 23, 2018

In this brand new edition of the Exploring Information Security podcast, I have a conversation with Justin Seitz (@jms_dot_py).

When I have guests hop on the podcast, I usually try to break the ice a little and get them warmed up for the episode. Often times these can turn into some really good conversation about the infosec field. I'd like to start capturing those conversation and release them (with the person's permission), because there are some really great insights.

I've released this episode early to the people on my newsletter (check below to get in on the fun). I wanted to get feedback and also give people who sign-up some bonus content, which is something I hope to do more.

In this episode we discuss:

My unique role working with other departments
Report writing and dealing with awful reports
Similarities between the developer boom and the security boom

[RSS Feed] [iTunes]

Why container security is important - Part 2

September 16, 2018

In this shipped edition of the Exploring Information Security podcast, Wes Widner joins me to discuss container security.

Wes (@kai5263499) is not a security person. He is a developer. A developer that understands security and why it's important. He deals a lot with automation and working with container technology.

In this episode we discuss:

What are some of the other security considerations?7
Who should secure containers?

More Resources:

[RSS Feed] [iTunes]

Why container security is important - Part 1

September 9, 2018

In this shipped edition of the Exploring Information Security podcast, Wes Widner joins me to discuss container security.

Wes (@kai5263499) is not a security person. He is a developer. A developer that understands security and why it's important. He deals a lot with automation and working with container technology.

In this episode we discuss:

What are containers?
What are the different kind of containers?
What is Wes' experience with containers?
What are the big security concerns?

More Resources:

[RSS Feed] [iTunes]

What is Hunchly?

September 5, 2018

In this screenshot edition of the Exploring Information Security podcast, Justin Seitz joins me to discuss Hunchly.

Justin (@jms_dot_py) is the creator of Hunchly. I got to know Hunchly at SANS SEC487 OSINT training earlier this year. It's a fantastic tool that takes screenshot as the web is browsed. This is very useful for investigations involving OSINT. I'm also finding it useful for incident response, particularly for clicking on phishing pages. I sometimes forget to take screenshots as I'm investigating a phishing page. Having Hunchly means, I don't have to worry about taking screenshots. I then use the screenshots for reports and training. It's a really useful tool.

In this episode we discuss:

What is Hunchly?
How did Hunchly come about?
Who should use Hunchly?
What is the cost of Hunchly?

More resources:

Automating OSINT

[RSS Feed] [iTunes]

How to make a Burp extension

August 26, 2018

In this crafting episode of the Exploring Information Security podcast, Paul Johnston Customer Champion at Portswigger joins me to discuss how to make a Burp extension.

Paul (@paulpaj) wrote a blog post on how to make a successful burp extension and get it published in the Burp Store. A lot of the recommendations in the article are from Paul's experience handling extension submissions for the Burp Store.

In this episode we discuss:

What is the process for extension approval?
What is Burp Suite?
How does someone make an extension?

[RSS Feed] [iTunes]

How to handle CFP rejection(s)

August 19, 2018

In this refused episode of the Exploring Information Security podcast, Michael Kavka joins me to discuss how to handle call for presentation rejections.

Michael (@SiliconShecky) wrote a blog post on his site at the beginning of the year titled, It is CFP season... So what. In the article he hit on rejections and I thought it'd make for a great podcast topic. More recently, he wrote a blog post on the, Anatomy of a Rejected CFP. The article walks through his rejected CFP for DerbyCon.

In this episode we discuss:

What is Michael's experience in submitting CFPs
Why a CFP is rejected
What are the different types of cons?
How to handle a CFP rejection letter

More resources:

The Building Blocks of Infosec CFPs by Kat Sweet
How Do I Make My CFP Stand Out by Nikita
CFP 101 - Tottenkoph, Guy McDudefella, Security Moey, David Mortman

[RSS Feed] [iTunes]

How to create a phishing email - Part 2

August 12, 2018

In this expedition edition of the Exploring Information Security podcast, Chris Maddalena a senior security consultant joins me to discuss how to create a phishing email.

Chris (@cmaddalena) joins me to discuss crafting a phishing email. This is something I've recently explored at work. Having little to no experience actually crafting a phish, I decided I'd go to someone who does this on a regular basis. Check out Chris' ODIN tool for automating intelligence gathering, asset discovery, and reporting.

In this episode we discuss:

What are the technical steps to creating a phish
What needs to be consider from a technical standpoint
What is GoPhish and GoReporter
How important is timing

Other resources:

[RSS Feed] [iTunes]

How to create a phishing email - Part 1

August 5, 2018

In this expedition edition of the Exploring Information Security podcast, Chris Maddalena a senior security consultant joins me to discuss how to create a phishing email.

In this episode we discuss:

What you need to consider before creating a phish.
Where to get phishing ideas.
Where to get phishing templates.
What happened when accounting sent out an email.

[RSS Feed] [iTunes]

What is OSINT ORCS YOGA?

July 30, 2018

In this battlefield edition of the Exploring Information Security podcast, Micah Hoffman joins me to discuss OSINT ORCS YOGA.

Micah (@WebBreacher), is a SANS Instructor and author of the SEC487 OSINT course. He recently had his second class in Denver, Colorado (more dates here). During that class he found people asking about how to navigate the waters of OSINT resources. His solution was to start the OSINT Resource Classification System (ORCS). It's a call for the OSINT community to standardize on how resources are categorized. YOGA or Your OSINT Graphical Analyzer is meant to be a visual aid for people looking to navigate the streets of OSINT resources.

In this episode we discuss:

How SANS SEC487 is coming along
What is YOGA?
What is ORCS?
Why is ORCS YOGA important?

[RSS Feed] [iTunes]

How to crack passwords

July 1, 2018

In this crackerjack edition of the Exploring Information Security podcast, Sean Peterson of Parameter Security joins me to discuss password cracking.

Sean (@SeanThePeterson), is one of the most passionate infosec people you don't know. He recently did a talk at ShowMeCon on how to crack passwords. It was his first ever talk and pretty damn good. Sean joined me to give me his insights into password cracking.

In this episode we discuss:

What type of hardware is needed for password cracking
What type of attacks are used for password cracking
How to crack passwords
What's ahead for password cracking

[RSS Feed] [iTunes]

ShowMeCon 2018 Live

June 13, 2018

In this panelist episode of the Exploring Information Security podcast, the first ever podcast panel at ShowMeCon 2018!

Amanda Berlin (@InfoSystir), Wik (@jaimefilson), David Cybuck (@dpcybuck), April Wright (@aprilwright), and Dave Chronister (@bagomojo) join me on the live EIS panel at ShowMeCon, June 7, 2018. This is the first panel I've ever done for the podcast. It went so well, I hope to do more in the future. We cover a variety of topics and have a few laughs.

YouTube version

In this episode we discuss:

What's coming back in vogue
What to do with master ID
What our thoughts are on new password policies from NIST
How to handle best practices

[RSS Feed] [iTunes]

What's happening at Converge and Detroit BSides?

May 20, 2018

In this pile of an episode for the Exploring Information Security podcast, Johnny Xmas (@J0hnnyXm4s), Kate Vajda (@vajkat), Rachel Andrus, Kyle Andrus (@chaoticflaws), Daniel (not going to try spelling last name), Amanda Ebbutt, Daniel Ebbutt (@notdanielebbutt), Chris Maddalena (@cmaddalena), and myself get together to record a podcast during Converge and BSides Detroit.

It's another podcast special! This one was at Converge and BSides Detroit. This one took a little bit to get going. When we did we got into a little bit of everything. Topics both in infosec and topics outside of infosec.

In this episode we discuss:

Everyone tries Malort
The "breach" at Twitter
One size doesn't fit all for the populace
Real world issues (net neutrality, income, and public service)

[RSS Feed] [iTunes]