7MS #285: The Quest for Critical Security Controls - Part 2
Nothing to do with security, but I've heard this song way too much this week. I love the CIS Controls but it seems like there isn't a real good hands-on implementation guide out there. Hrmm...maybe it's time to create one? Speaking of that, check out the MacMon project and chat with us about it via Slack. After hearing rave reviews about Fingbox (not a sponsor), I picked one up (~$120) and wow, I'm impressed! It's got a lot of neat features that home users and SMBs would like as it related to mapping to CSC #1: Ability to map network devices to users to create an inventory Email alerts for new devices that pop up on the network Block unwanted users from the app, even when not directly connected to the LAN Nice set of troubleshooting tools, such as wifi throughput test, Internet speed test, and port scanning of LAN/WAN devices More on today's show...
9 Marras 201712min
7MS #284: The Quest for Critical Security Controls
For a long time I've been electronically in love with the Critical Security Controls. Not familiar with 'em? The CIS site describes them as: The CIS Controls are a prioritized set of actions that protect your critical systems and data from the most pervasive cyber attacks. They embody the critical first steps in securing the integrity, mission, and reputation of your organization. Cool, right? Yeah. And here are the top (first) 5 that many organizations start to tackle: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software Continuous Vulnerability Assessment and Remediation Controlled Use of Administrative Privileges Google searches will show you that you can definitely buy expensive hardware/software to help you map to the CSCs, but I'm passionate about helping small businesses (and even home networks!) be more secure, so I'm on a quest to find implementable (if that's a word?) ways to put these controls in place. I'm focusing on control #1 to start, and I've heard great things about using Fingbox (not a sponsor) to get the job done, but I'm also exploring other free options, such as nmap + some scripting magic. More on today's episode...
2 Marras 201712min
7MS #283: OFF-TOPIC - I Love Cops and COPS
My plans for this week's podcast went hush-hush, kablooie, bye-bye, see ya, adios. So, I'm pinch-hitting and going off-topic and talking about...of all things...cops. Now wait! Wait wait! Don't run away. I'm not going all political on you or anything like that. Just wanna share some anecdotes and perspectives on the following: What it was like growing up with a dad who was a cop Losing a cousin in the line of duty Getting a call from my local police department this week claiming I was a danger to a school bus full of kids. Whaaaaa? Oh, and I sing a little bit on this episode too.
27 Loka 201718min
7MS #282: A Peek into the 7MS Mail Bag
I'm gonna level with you: it's been a heck of a week. So I thought I'd try something a little different (and desperate?) and use this episode to answer some FAQs that come in via email and Twitter DM. Today's burning questions include: Q: Do I think it's dangerous to podcast and drive? A: Not really, especially now that I got one of these babies. Q: What is the eJPT cert all about? A: It looks like a pentest training/cert path that sits somewhere (difficulty wise) between CEH and OSCP. It's favorably reviewed and will set you back a few hundred dollars. Have you taken this cert? I'd love your feedback and, if possible, to do a mini Skype interview with you for the show. Drop me a note and lets chat. Q: What's a good place to practice Web hacking skills online? A: I've been a long time fan of Juice Shop, and up next in my queue is HackTheBox. Q: Any more Vulnhub.com VMs in the works? A: Kinda. Listen to today's episode :-)
19 Loka 201711min
7MS #281: Baby's First Banking Infosec Conference
I went to my first ever banking-focused infosec conference a few weeks ago (WBA's Secure-IT) and learned a ton. I met some really great people and had many productive conversations around security. The main takeaways from the conference that I talk about in today's episode: Standing all day and talking about security is exhausting! You can thwart "swag whores" (sorry mom, but I learned that that's what they're called!) by pushing your merch table deep into the booth so it's touching the rear curtain. That way people have to go through your "people perimeter" and engage in conversation with you in order to be granted access to the swag! From the conversations I had with the staff at these small banks, they're definitely wanting to slurp up as much helpful info from the sessions as possible. Specifically, finding ways to better improve security posture using free/cheap tools is ideal! I attended a few sessions that got my blood boiling. The outline of these talks went something like this (slight exaggeration added, but not much): Hackers are way smarter and more physically attractive than you, and they can get by all your defenses with ease You're helpless, hopeless, and not physically attractive Luckily we (Vendor X) are here and we offer our patented Super Solution Y that will thwart the APTs 100% of the time, no question, guaranteed People don't appreciate being talked down to, nor do they want to be shamed, blamed or scared into making security better. More on today's episode...
11 Loka 201715min
7MS #280: How to Become a Packtpub Author
I'm excited to announce I'm going to be a PacktPub author! I'm going to work with them to create a course on network/vulnerability scanning. I'm pumped, but kinda nervous, so when I had the initial conversations with PacktPub staff, I made sure I hit them with my burning questions: Q: Are you going to ask me to create a sweet course and then pay me pennies for every digital copy sold? A: No. Authors get paid a lump sum up front and then share in profits for digital copies sold. Q: Who's gonna dictate the project outline - as well as timeline for recording it? A: It's a joint effort. The author dreams up the timeline, fine-tunes it with PacktPub, and then hammers out a mutually agreeable project timeline. Q: Do I have to buy some expensive software/hardware to make these videos? A: Not really. PacktPub did recommend I buy a better microphone (so I got a Snowball), and then they license authors a copy of Panopto to record the videos. More Qs and As covered on today's episode!
5 Loka 201711min
7MS #279: Patching Solutions Bake-Off - Part 4
Intro The patching solutions review concludes this week with Ivanti's patch solution, as well as PDQ Deploy/Inventory. As a quick reminder, here's where our bake-off currently sits: Ninite (covered in 7MS #275) ManageEngine (covered in 7MS #277) Quick reminder: none of these solutions are bribing me with fat wads of cash to plug their products. Some day I hope to have such problems, but today is not that day. Ivanti You might know Ivanti as Shavlik - that's the product name I'm more familiar with anyways. Back in February, Shavlik became Ivanti. Pros Pretty easy to install and manage - even without a deep background in IT (in today's episode I tell a story that can back this claim based on my experience) Does a solid job of applying patching Windows OS and third party Cons Pricing is a little steep - last figures I saw were ~$80 per server, per year and ~$40 per workstation, per year. ITScripts library (that allows for GPO-style policy enforcement) is a little slim when compared to similar functionality offered from other solutions PDQ Deploy/Inventory Pros Lets you crazy with building custom packages you can deploy to granular groups Awesome online help resources, including a YouTube video library that's got a video for just about everything Quick response to support tickets Cons A bit more complicated to get comfortable with than the other solutions A little confusing on the Windows patching side - not quite as "point and patch" as some of the other solutions Agentless system - machines have to be able to "see" the PDQ
28 Syys 201715min
7MS #278: Interview with Rob Sell
Intro We're breaking ground with this episode, folks! For the first time in 7MS history, we've got a guest on the show (finally, right?!). Rob Sell is an IT manager who has been working in IT for many years, with a focus on information security specifically for the last 4 years. He recently came home from Defcon 25 with a third place in the SE CTF. Rob sat down with me to discuss the CTF, how to make an outstanding CTF audition video, OSINT tools/tips/techniques, the value of tech/security certifications, career advice, and more! Interview notes and links Here's Rob's Defcon CTF audition video EchoSec helps you see a geographical area at a certain point in time. According to the Web site, EchoSec is "the most comprehensive social sentiment tool on the market" - hmmmm, seems like a great SE tool! X-Ray is "a tool for recon, mapping and OSINT gathering from public networks." Michael Bazzell's Web site has online training, free tools and other goodies. Michael also has some books. Christopher Hadnagy has a podcast that's strictly focused on SE. He's also got some books. ArcGIS isn't necessarily labeled as an SE tool, but can certainly be used for SE efforts.
21 Syys 201756min
