Security Weekly - A CRA Resource

The Security Weekly podcast network: technical segments, interviews with security luminaries, and the latest information security and hacking news! Engaging and informative podcast and video programming that has built awareness on emerging solutions and aligned sponsors with trusted personalities and loyal audiences, delivering robust and actionable content from experienced hosts and guests.

Vulnerability Chains - PSW #835

Comments

  • @aymanaljewzi8308
    19 hours ago

    It's really great.

  • @michaelrodriguez5828
    2 days ago

    Darktrace is a leader in this space, check us out!

  • @AllisonJudge-v7n
    2 days ago

    This episode is so timely, considering ... 😬

  • @donjaksa4071
    3 days ago

    NIST 800-14, General guidelines for secure software applications. I bet the next security audit is going to be brutal. We are effectively synergizing backward outflow for upward revenue stream dynamics. REMEMBER: BASELINE CONTROLS SATISFY REQUIREMENTS.

  • @jamespong6588
    3 days ago

    Updating the kernel daily without testing, using cheap labor? What can go wrong?

  • @SecurityWeekly
    3 days ago

    😆

  • @jood-r8l
    4 days ago

    Good to hear that about teamwork. Thanks.

  • @SecurityWeekly
    3 days ago

    Any time!

  • @fbimartybyrde7810
    4 days ago

    Error when importing the module, could you explain it?

    Import-Modul.\Mailsniper.ps1 : The term 'Import-Modul.\Mailsniper.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + Import-Modul.\Mailsniper.ps1
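
The error quoted above, as an added editorial note that is not part of the comment or of the MailSniper project: PowerShell reports that the term 'Import-Modul.\Mailsniper.ps1' is not recognized because, with no space after the cmdlet name, the whole string is parsed as a single command name (and 'Import-Modul' is itself missing its trailing 'e'). The following PowerShell snippet is an added example, not code from the page or from MailSniper, of importing the script and confirming its functions loaded. It assumes the file is saved as MailSniper.ps1 in the current directory and that the session may run unsigned local scripts for the lifetime of this process only.

```powershell
# Added example (not from the page or the MailSniper project): import a
# script module from the current directory and confirm its commands loaded.
# Assumption: the file is saved as .\MailSniper.ps1 in the working directory.

$modulePath = Join-Path -Path (Get-Location) -ChildPath 'MailSniper.ps1'

if (-not (Test-Path -Path $modulePath)) {
    throw "Module file not found: $modulePath"
}

# A file downloaded from the internet carries a Zone.Identifier mark that
# blocks execution under the RemoteSigned policy; clear it before importing.
Unblock-File -Path $modulePath

# Allow unsigned local scripts for this process only (no machine-wide change).
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Note the space between the cmdlet name and the path. Without it, PowerShell
# looks for a command literally named 'Import-Module.\MailSniper.ps1' and
# reports exactly the "is not recognized" error quoted in the comment.
Import-Module -Name $modulePath -Force

# Verify the module registered and list the functions it exports.
Get-Command -Module MailSniper | Select-Object -Property Name
```

Dot-sourcing the file (`. .\MailSniper.ps1`) loads the same functions into the current scope without registering a module, so the `Get-Command -Module MailSniper` check would return nothing in that case; `Import-Module` is the form that lets you verify what was loaded.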

  • @1badchevellefan
    4 days ago

    Awesome episode!!!!

  • @brucelind3678
    5 days ago

    Tyler is missing something in blaming the customer when Okta support explicitly states "don't upload passwords". What happens when a customer asks for help to remove passwords? Often, support isn't going to be helpful. When that happens, the requirement to remove becomes unsupportable as a way to remove responsibility from Okta.

  • @tylerxshields
    3 days ago

    Excellent point! I think the key is setting expectations (whatever they are) and then living up to those expectations. It's when the line is blurry that ownership becomes difficult. We also have to look at the expectations (the line being drawn) and reevaluate it periodically to make sure that it's well designed over time. Thanks for commenting!

  • @AdrianSanabria
    3 days ago

    IMO, it's all on Okta - they required customers to do something that 99% of their customers weren't going to be able to do. And the fact that no one reads instructions in the US lifts that percentage to 100%. On top of all that, they were leaving themselves open to liability, made them an attractive target, and it bit them, HARD.

  • @Darnetheous
    5 days ago

    Speedway gas stations were also done. Some smaller stations were cash only in Ohio.

  • @davidbrattain1446
    5 days ago

    Maybe it's time for IBM to take the lead and provide closed systems for critical infrastructure and captured servers running Linux with mainframe backends. The cloud and Microsoft, along with connectionless protocols (IP), are not really suited for critical systems. BTW, VPN will not save you. DevOps is death for these systems as well.

  • @gand0rfTRZ
    5 days ago

    Love listening to you!! I work for the Amazon Transportation Department. Most sites in North America are still able to send stuff out via trucks. Most of the issues we faced were workstations with BSODs, but there were ways around the system to get trucks in and out, at least for those of us who have been around for a while and recall doing things before automation was put in.

  • @SecurityWeekly
    1 day ago

    Thanks for sharing!!

  • @edgewood99
    5 days ago

    The "workaround" is there and very easy. There is no reason to "PANIC"... if the servers are repaired (by deleting a bunch of dumb .sys files) and restarted. It takes a minute.

  • @bugperson04
    5 days ago

    How do you "beta test" something that is used throughout all major industries? Complete incompetence on MS.

  • @TheCrystalAnunna
    6 days ago

    I worked IT for almost 20 years. I feel for ALL of the poor agents having flipped out customers. All the best folks. I hope this is not some kind of "test run"? 🤔

  • @NimbleSF
    6 days ago

    Great video on this!

  • @svensubunitnillson1568
    6 days ago

    I had a feeling you would cover this! Thanks.

  • @tubbsthabarber4507
    7 days ago

    6:46 I also got the Zero W deal on prime day! I’m wanting to try my hand at a Pwnagotchi or Pi-hole

  • @undeadpm4208
    7 days ago

    According to 'Psychology', fifth edition, by Schacter, Gilbert, Nock, and Wegner, chapter 10: Emotional intelligence is defined as the ability to reason about emotions and to use emotions to enhance reasoning. It is the type of intelligence that allows you to tell a friend that she talks too much without hurting her feelings, calm yourself down and cheer yourself up after a failed test, and recognize whether you are angry or anxious. Emotionally intelligent people know what kinds of emotions a situation will trigger; they can identify, describe, and manage their emotions; they know how to use their emotions to improve their decisions; and they can better identify other people's emotions through facial expressions and tones of voice. This is very important for social relationships. They have better social skills and more friends, are judged to be more competent in their interactions, and have better romantic and workplace relationships. Emotionally intelligent people tend to be happier and more satisfied with their lives. Emotional intelligence is one of the middle-level abilities that the data-based approach has missed.

  • @tubbsthabarber4507
    7 days ago

    Had to listen to this podcast, rather than watch, out of solidarity for my Mavericks 😂

  • @SecurityWeekly
    6 days ago

    😆

  • @michaelrawiri
    7 days ago

    Emotion is not intelligence; intelligence requires logic.

  • @justinledesma9633
    7 days ago

    Great stuff from NightWing listening to this. They understand the issues a lot of people talk about.

  • @AlgoNudger
    8 days ago

    Thanks.

  • @ahmedshaikh3438
    9 days ago

    Ask Timothy what he's looking for. I am a beginner programmer looking to land a job in cybersecurity.

  • @gameratortylerstein5636
    12 days ago

    His camera is a potato lolzz

  • @tubbsthabarber4507
    13 days ago

    I am the new viewer. The one who didn’t know what SOHO meant. Thank you for the explanation 😂

  • @SecurityWeekly
    9 days ago

    You’re welcome 😊

  • @Hallic
    14 days ago

    Cyborgs Unite! Great show, was a good watch.

  • @SecurityWeekly
    13 days ago

    Thank you for tuning in!

  • @iceman1001
    14 days ago

    Thank you for having me on your show. It was a pleasure!

  • @SecurityWeekly
    13 days ago

    Thank you for joining us! The pleasure was all ours 🤗

  • @arianneunityhargrave3384
    15 days ago

    You guys are amazing. Aaran was my inspiration to get into cyber. Now I’m an analyst. Today analyst, tomorrow ransomware Pinky.

  • @laincy-zp6lr
    15 days ago

    I enjoyed the intro a lot.

  • @brucelind3678
    16 days ago

    Only get hands dirty with deep dives if directly relevant to current projects. Too many rabbit holes. I pick ones that may have the most value in as many different activities as possible.

  • @luckynumbersevuuun
    17 days ago

    40:00 boom, this is a boom moment in this excellent interview. The reason is that security requirements ARE product requirements, and they can't be treated like a separate set of requirements; they are engineering requirements and they need to be included in the overall planned engineering effort. So many times security is an afterthought; consider the length and frequency of the CISA alert list. The engineers must own their requirements, including the security requirements, so we've found methods to improve this by compelling leadership to insist that security requirements are planned and not foisted on engineers as extra work. Product management must lead and set the tone for this, and program management must step up and start tracking everything security related, as well.

    Secondly, the good engineer is delighted to see me, because I represent a body of knowledge that can only be gained through experience, and our advisement and insights are invaluable, esp. when considering the broad range of inexperienced, or rather, "specialized" engineers that companies employ today. It takes only one ill-managed moment to assign the wrong task to an engineer not well-prepared for it, and this may introduce defects that result in loss of human lives. To avoid that, we must build product security teams that operate pen-test labs continuously testing releases. We must introduce hands-on, security-focused, attacker-mindset engineering concepts for the engineers, and we must have leadership understanding that they must acquire a technical security vocabulary and use it. Directors and above should have security leadership training, and should get it from outside the org, like from SANS or something other than their own internal groups. Also, the security team should report outside the engineering management chain, and significantly higher in the chain than the lowest engineering director. Directors are typically failed engineers, but then again, what is a title.
    It's all BS at the end of the day.

  • @securitypodcaster
    16 days ago

    Glad you enjoyed the interview and love all the points you made in your comments!

  • @inspitory8736
    20 days ago

    So good to watch and learn about IDR. Thanks for sharing your view, Dave, and we are implementing the same!

  • @Bhavana-wx9xt
    21 days ago

    Bhavanasinghthapa halooo if weafgf more hoo

  • @Bhavana-wx9xt
    21 days ago

    Bhavanasinghthapa namaste. Do good and happy day.

  • @citizenq01
    23 days ago

    Everyone who works in IT has to know something about security. From the website designer who is building the forms, or setting up the eCommerce, to the janitor who is always on the lookout for open doors, to the help desk agent who is setting GPO and changing passwords. To say only pentesters and SOCs are security is probably why organizations are so poorly trained, why the people on the front lines are constantly left out of the conversation, and why we keep losing.

    Utah? Where the data centers are?

    BTW, this video is poorly linked. I had to search for it. Part 2 is saying some really great stuff. More people should see it.

    Jeff, I love you man, but you're fixed on this notion (and I know devil's advocate is your job as the host) that you, or people exactly like you, are the only ones who can do this job because you've been in it so long. Yes, you have a unique perspective, but it's not the only perspective that matters or is helpful. People are born every day that are (and are going to be) better than you, me, whoever. The world goes on whether we're in it or not. If we both got hit by a bus tomorrow, cybersecurity goes on and someone will fill that position who probably comes from a far more impressive background because they had more resources to draw from than you did. When you started there was no this, this or that. When they started, there was.

  • @citizenq01
    23 days ago

    I know I'm 2 years late on this video, but what's striking is watching 2 guys refuse to believe that anyone else can do or even learn their job, or any job related to security, unless they've been around since before AOL chat rooms. I appreciate that you've been around since back in the day; you have much to teach. Teach, and stop keeping such a tight grip on the industry as if you're going to live forever, and when you do go, you're going to take it with you. How are all the old schoolers going to leave the industry? Better than they found it? Or are they going to work until they die and take it all with them? They have an opportunity to actually build the industry, organize it, and set it up for success for the protection of ALL OF US, rather than the rag-tag, gatekeeping dysfunction that it is now. True leaders leave a legacy that benefits generations.

  • @shubhamr8867
    24 days ago

    Does CTEM integrate EDR and MDR solutions in its framework?

  • @ZairaPirzada
    8 days ago

    Hi @shubhamr8867, the CTEM framework speaks to two enabling technology forms: exposure management and exposure validation. These technologies contain a range of tools (DRPS, VA, VPT, EASM, BAS, and more) that help EDR & MDR understand the potential exploits available to cyber adversaries, to ensure high-grade detection and response. Actually, some elements of exposure assessment are already present in some EDR & MDR solutions, so it's increasingly acknowledged that CTEM strengthens and enhances EDR & MDR as a complement or embedded feature.

  • @db257c
    26 days ago

    File transfer systems like MOVEit will always have a place as long as two bloated megacorps need to exchange data. You can, above a certain size, have a department that does nothing BUT that. Smol boys can get away with AWS Secure File Transfer Service (there's a reason it's expensive). Big boys have to deal with SFTP, FTPS, god help you regular FTP, and a handful of other transfer protocols in various configurations and directions. MOVEit et al. fill that gap. Migrate off MOVEit specifically? Sure. But telling companies to just not move data via multiple protocols their partners use, with a tool that brings some sanity to the world, is like telling someone to just not breathe on a Tuesday.

  • @vxz90044
    26 days ago

    You need your own show on Security Weekly. Great work.

  • @db257c
    28 days ago

    The comments about how "you should never have vulnerable docker containers" make me laugh. I would challenge you to do the work the next couple of times the "Friday afternoon, pin it till Monday" situation happens and make that statement again. Realistic mode would be with a PHP container. As soon as you get into language dependency chains (npm, composer, pip, etc.), "Just update it" immediately becomes a painfully naive statement. PHP is hard mode because you also have C extensions to deal with, and it's a *very* common language, even if it's no longer in vogue.

    I agree with you that the work needs to be done. And I agree that it shouldn't be "pinned till Monday and then forgotten," or more likely, "pinned till Monday, then Monday morning business decides some other random thing is suddenly a huge priority." Which is something you can easily deflect if you have the gumption, experience, and political clout to tell business to pound sand on security issues when necessary. But it's rare to find ops teams that curate that.

    And this is ignoring the common situation of "We have a centralized 'devops' team (which isn't how it's supposed to work but is very common) and disparate dev teams, none of whom talk to each other or coordinate tools/technology/languages/etc." "Just patch the container" turns into "Learn a whole new language, dependency chain, and sometimes application to do work business won't otherwise prioritize. And also chase dev and QA around for verification."

    I'm not going to get into the xz situation, but running bleeding-edge versions of dependency patches all the time also has a crop of issues unrelated to just "The app broke." I'm sure you didn't mean it that way, but the statement "You shouldn't have out-of-date or vulnerable containers in your environment ever" comes off as very "Decree from the security ivory tower" that is tolerated to an extent and ignored/actively undermined in extreme cases.

  • @securitypodcaster
    16 days ago

    Thanks for your comments! Everyone's organization and dev environments are different, as is your risk profile and tolerance. Certainly you will have vulnerabilities in your containers, and so many tools and processes exist to help organizations with this problem. However, at the end of the day it comes down to the risks you are willing to take, what actually protects the business, and the resources you have at your disposal.

  • @Mako_West
    28 days ago

    Dude really searched his mind for his porn name. Legit awesome.

  • @steelytemplar
    1 month ago

    So the -printer- ink companies lose money on their printers unless you buy enough ink and then, if you go to buy your printer from a retail store, they also probably lose money if you buy the printer without ink and/or other "add-ons" (like a warranty). At that point, the consumer going to a typical big box retailer is going through two layers of companies pricing the main product so cheaply that they rely on you buying extras for them to stay in business. I am sure you won't be surprised to hear that it isn't just printers. Computers, video game consoles, and I am sure other consumer electronics also have the same curse of selling you blades instead of razors. Except now they want you to buy a warranty on your razor and also pay someone to install your blade into your razor.

  • @WhisperDart
    1 month ago

    Dave Aitel dodging all kinds of bullets. Cyber, literal. All of 'em! ;)

  • @williambooth8847
    1 month ago

    The elusive magic AI button. If only!

  • @Vexilocity
    1 month ago

    That's my dad!!!!!!!!!!!!

  • @SecurityWeekly
    29 days ago

    Your dad is one cool dude! 😎

  • @noyfbnoyfb1587
    1 month ago

    In order for open-source programs to become more secure there needs to be an organisation that is structured so as to maintain its integrity towards all those that are within it, and what they do. Open-source programs would require rigorous assessment to ensure their robustness and security. Further, all the subroutines need to be compartmentalised and assessed individually and as part of a system (bottom up and then overall). Those that are assessing the robustness of the program need to be both credible and competent.

    There needs to be systematically structured protocols for the processes which the respective validating organisation adheres to. Possibly an organisational charter. The protocols and related process assessment methods need to be constantly updated so as to increase the level of rigour during validation, which is not reduced in attempts to streamline the validation process. An efficient security analysis is of no value if it does not meet the required level of security.

    The open-source program analysis would also require such an organisation to be financially viable, with a financial donor list along with a conflict of interest statement for which one is legally accountable. Both the financial donor list and conflict of interest reports need to be transparent and open to the public. Any donations by anonymous parties would need to be stated as such, and in the event that a party reveals they are a donor (explicitly or implicitly), that donor and whom they represent or are affiliated with must also be published to the public. This ensures bias is not introduced into the organisational structure (thus potentially corrupting it, the organisation's intent, and what it represents). Doing the aforementioned would ensure the respective organisation's independence, along with its core ethos and values, are maintained, thus mitigating infiltration and undermining by others attempting to corrupt it.

  • @Rocky-Bhai-12345
    1 month ago

    Pannu Killer 😂

  • @Oceansta
    1 month ago

    😅😅😅 Is that the same guy?