Brakeing Down Security Podcast

Bryan Brake, Amanda Berlin, Brian Boettcher

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

JW Goerlich on Training, phishing exercises, security metrics, getting the most from user training
Jul 5 2022
JW Goerlich: "Wolfgang is a cyber security strategist and an active part of the Michigan security community. He co-founded the OWASP Detroit chapter and organizes the annual Converge and BSides Detroit conferences. Wolfgang has held roles such as the Vice President of Consulting, Security Officer, and Vice President of Technology Services. He regularly advises clients on topics ranging from risk management, incident response, business continuity, secure development life cycles, and more."

RSA talks and discussion

Phishing tests:
- What is the goal of these tests? That someone will click and activate (is that not a given?)
- What made them popular in the first place? Is this an example of management not taking security seriously, so we needed proof?

FTA: "This will only undermine the efforts of cybersecurity teams as a whole, alienating the very people they aim to engage with, Barker adds. 'People generally don't like to be tricked, and they don't usually trust the people who trick them. One counterargument I often hear is that criminals use emotive lures in a phish, so why shouldn't we? Well, criminals also cause physical damage to property, take systems offline, and disrupt services, but physical social engineers and pen-testers don't—for good reason. Simulations should not cause active harm.'"

- Is this part of a larger issue? Why do we treat these tests the way we do?
- Typical scenario: management does not believe or trust its internal people to tell it what is wrong, and brings in a 3rd-party source/product to tell it the same thing.
- Are these stories apocryphal? Or just my experience?
Mieng Lim, Ransomware actions, using insurance to offset risk, good IR/PR comms
May 15 2022
Full VOD here (must subscribe to Twitch):

Mieng Lim, VP of Product at Digital Defense by HelpSystems.

Topic she will discuss: Outsmarting RaaS: Strategies to Implement Before, During, and After a Ransomware Attack

Webinar:

Prepared questions from Mieng:
- Belief that "malicious actors today are using cutting edge techniques for the majority of attacks"
- Belief that "majority of compromises are via zero-day vulnerabilities"
- Organizations continue to leave systems unpatched with years-old vulnerabilities
- Belief that "my organization doesn't have anything a malicious actor would be interested in... I'm not a target"
- "My organization has cyber insurance and that's enough."
- "I don't have budget to buy all the products/hire the staff needed to protect my network."

As new approaches to ransomware like double extortion continue to pay off, attackers are demanding higher ransom payouts than ever before. The average ransom demand in the first half of 2021 amounted to $5.3 million, a 518% increase compared to 2020. The average ransom payment has also increased by 82% since 2020, reaching a whopping $570,000 in the first half of 2021 alone. The FBI's Internet Crime Complaint Center (IC3) received 2,084 ransomware complaints in the first half of 2021. (FBI and CISA)

At least one employee downloaded a malicious mobile application in 46% of organizations in 2021. (Check Point)
Mieng-Lim-Ransomware-Best-Practices-p1
May 11 2022
Mieng Lim, VP of Product at Digital Defense by HelpSystems.

Topic she will discuss: Outsmarting RaaS: Strategies to Implement Before, During, and After a Ransomware Attack

Webinar:

Prepared questions from Mieng:
- Belief that "malicious actors today are using cutting edge techniques for the majority of attacks"
- Belief that "majority of compromises are via zero-day vulnerabilities"
- Organizations continue to leave systems unpatched with years-old vulnerabilities
- Belief that "my organization doesn't have anything a malicious actor would be interested in... I'm not a target"
- "My organization has cyber insurance and that's enough."
- "I don't have budget to buy all the products/hire the staff needed to protect my network."

As new approaches to ransomware like double extortion continue to pay off, attackers are demanding higher ransom payouts than ever before. The average ransom demand in the first half of 2021 amounted to $5.3 million, a 518% increase compared to 2020. The average ransom payment has also increased by 82% since 2020, reaching a whopping $570,000 in the first half of 2021 alone. The FBI's Internet Crime Complaint Center (IC3) received 2,084 ransomware complaints in the first half of 2021. (FBI and CISA)

At least one employee downloaded a malicious mobile application in 46% of organizations in 2021. (Check Point)
K12SIX-project-Doug_Levin-Eric_Lankford-threat_intel-edusec-p2
Mar 1 2022
For context, we at the K12 Security Information Exchange (K12 SIX) are a relatively new K12-specific ISAC, launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our 'essential protections' series, an effort to establish baseline cybersecurity standards for schools.

See: Global Resilience Federation: "We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies. We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication. Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense."

2020 report: 85-89% have fewer than 2,500 students.

Omg: "Florida mom, daughter accused of rigging homecoming queen votes break silence" (GMA)

There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here's how they break down:
- All: 130,930
- Elementary schools: 87,498
- Secondary schools: 26,727
- Combined schools: 15,804
- Other: 901

Questions:
- What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the ISAC help?
- How do you communicate major security events like log4j? Do you keep track of complications with certain software stacks?
- Someone listening might say "hey, I'd love to help..." What opportunities, if any, are there for the larger infosec community to help your org?
K12SIX's Eric Lankford and Doug Levin on helping schools get added security -p1
Feb 22 2022
The K12 Security Information Exchange (K12 SIX) is a relatively new K12-specific ISAC, launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our 'essential protections' series, an effort to establish baseline cybersecurity standards for schools.

See: Global Resilience Federation: "We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies. We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication. Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense."

2020 report: 85-89% of school systems have 2,500 students or fewer.

Omg: "Florida mom, daughter accused of rigging homecoming queen votes break silence"

There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here's how they break down:
- All: 130,930
- Elementary schools: 87,498
- Secondary schools: 26,727
- Combined schools: 15,804
- Other: 901

Questions:
- What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the ISAC help?
- How do you communicate major security events like log4j? Do you keep track of complications with certain software stacks?
- Someone listening might say "hey, I'd love to help..." What opportunities, if any, are there for the larger infosec community to help your org?