7MS #502: Building a Pentest Lab in Azure

Today I'm excited to be joined by my friend and advisor Kevin Keane (Twitter / LinkedIn) who is a lawyer, blogger, keynote speaker, business advisor, and just all around great guy. Kevin and I sit down to talk about: How SMBs can take some productive security baby steps How to get the most value out of your next security consultant engagement Can breaches ever be funny? What is the Trust Calculus? Do I need to care about GDPR? That and much more is coming up today on this special interview edition of the 7 Minute Security podcast!

25 Jan 201859min

GDPR in a nutshell GDPR, in a nutshell, is a set of legal regulations focused on the privacy of personal information for EU citizens - no matter where they are. Entities that store and/or process personal information about EU citizens must clearly explain to the citizens what data is being stored and processed, and any parties the data is being shared with. The citizens must opt-in and agree to each instance or reason that their data is being stored and processed. The citizens also must be able to, at any time, request a copy of the data or request that it be deleted. How does GDPR define "personal data" As “any information relating to an identified or identifiable natural person." When do GDPR regulations start being enforced? May 25, 2018. What are the key roles organizations need to be aware of as it relates to handling data under GDPR regulations? Two primary roles: Controller An entity that determines the purposes, conditions and means of the processing of personal data Processor An entity which processes personal data on behalf of the controller What are the GDPR lawful basis for processing data? Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Contract Legal obligation Vital interests Public task Legitimate interests Are there any good step-by-step guides to GDPR compliance? This site lays things out at a high level with a 12-step program, if you will. How can I learn more about GDPR? This http://gdprandyou.ie/ site is a great GDPR primer, and this PDF from Imperva is good as well. I also googled GDPR for dummies and found some good results too :-)

18 Jan 201811min

Back in episode 280 I talked about how I started working with PacktPub to start authoring a video course on vulnerability scanning using Kali. Since that episode I've found that recording and editing high quality video clips is taking waaaaaayyyyyyyyyyy longer than I'd like, but it's worth it to create good stuff! PacktPub authored a tool called Panopto to make videos, but I found it a little frustrating to work with, so I'm going with the following janky - but functional - recording setup: Record raw video using iShowU Pull that video into iMovie and cleanup all the mistakes Record audio in Quicktime Pull audio clips into iMovie and edit those to match up with what's happening in the video Export video as 1080p Additionally, here are a few little tweaks that help the content creation match up with PacktPub's requirements: Resolution should be 1920x1080 (full HD) - I just bought a secondary monitor for this. Specifically, an HP 22cwa. I set my .bashrc file to use all white for the terminal prompt. See this article which helped me out. In Terminal I created a PacktPub profile that has font as Monospace Regular 20pt.

4 Jan 201815min

Hey folks, I had originally planned to cover the CredDefense toolkit but I couldn't get it working. I'm basically having the same issue that someone reported here. Sooooo....will have to save that for next week. In the meantime, this episode features a story about how I nearly knocked a retina out of my sister's face with an ice ball when I was about 8 years old. Yep, she's still mad about it, but I think 2018 is the year for forgiveness! Enjoy, and we'll talk to you in 2018. Blessings to you and yours!

28 Des 201711min

Did I mention I love the Critical Security Controls? I do. And here's an absolute diamond I found this week: This site (http://www.auditscripts.com/free-resources/critical-security-controls/) offers awesome CSC-mapping tools (and they're free!), specifically: A spreadsheet with how the CSCs map to other popular frameworks like ISO and NIST A manual assessment tool for measuring your org - or someone else's org - against the CSCs. Flippin' sweet right? RIGHT! Also, be sure to come and Slack chat with us, as my pal hackernovice is building a tool called MacMon to help you satisfy CSC #1! Lastly, I built an LOL-worthy pentesting recon tool called SSOTT (Scan Some of the Things) that might help you automate some NMAPing, DIRBing, NIKTOing, and the like. Cheggitout!

21 Des 201713min

My pal and former coworker Joe Klein joins me in the virtual studio to discuss: His career as a diesel mechanic and insurance guru How to leave a stable job, take a huge pay cut and start a risky infosec internship (sounds like the name of a broadway musical!) The start of his new career as a SOC analyst The importance of having a career cheerleader/mentor Being hungry for knowledge and certifications without being ashamed or afraid to look like a newb CompTIA Security+ and Cisco CCNA Cyber Ops certs The proper pronunciation of the word "dude" How to do a proper Arnold Schwarzenegger impression Other references made in the episode: Arnold Schwarzenegger the love poet Joe welcomes your comments, concerns, insults and questions via email (listen to today's episode for the address!) or Twitter.

14 Des 201752min

Two weird things happening in this episode: I'm not in the car, and thus not endangering myself and others while podcasting and driving! My once beloved lav mic made a trip through the Johnson family's washer and dryer. I don't know that she'll ever record anything again. We'll see once it fully dries out (fingers crossed). I spent some time this last week getting back into Windows systems forensics, which has been really fun. If you want a play-by-play guide with some fantastic, practical, hands-on advice, grab yourself a copy of the Blue Team Handbook: Incident Response Edition. I also started a forensics page on BPATTY. Also, I picked up a Google Home Mini for $30 and can honestly say it quickly has found a special place in my tech/geek heart...even if it is recording everything I say and sending it to the NSA. But a small device that will play Michael Buble's Christmas album as soon as I command it with my voice? Worth the privacy sacrifice. Finally, if you're in the St. Paul, MN area tomorrow and wanna hear me come talk about "Blue Team on a Budget," come to the Government IT Symposium - more info here.

7 Des 201713min

Sorry the podcast is late this week - but it's all for good reasons! I'm busy as a bee doing a ton of pentesting so I have a smattering of random security stuff to share with you: Mac High Sierra root bug Did you hear about this? Basically anybody could log in as user root on your system without a password because...there isn't a password! Read the Twitter thread where I originally read the news here, read about the root account madness here, and then read how the fix broke file sharing here. BPATTY ROCKS! I tried to wiki-fy my BPATTY project to make it a bit easier to read, so head to bpatty.rocks and let me know what you think! I'm BURPing a lot I can't tell you how fun it has been to get back in the pentesting saddle and hack some Web sites these past few weeks. Here are a few tips/tricks others taught me that have helped me get back in the swing of things: In Burp, state files are being depreciated in favor of project files. Read more here For BApp extensions, here are a few that help you get the job done: retire.js looks for old/outdated/vulnerable Javascript libraries Software vulnerability scanner helps you find vulnerable software, such as old versions of IIS CO2 has a bunch of tricks up its sleeve - my favorite of which is helping you craft sqlmap commands with the right flags More on today's show!

1 Des 201714min