7 Minute Security

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Psst...my pals Paul and Dan are hosting a Webinar all about building your own pentest lab for ~$500. This is happening next Tuesday, Feb. 5 at 12 p.m. CST. Sign up here. Today I thought I'd kind of hit the reset/refresh button and give you a little background on: My self-diagnosed job ADHD (check out my series on career guidance for the even longer version :-/) The history of 7MS the podcast (inspired by 10 minute podcast) How the podcast helped launch 7MS the business The various resources 7MS has worked on to help you in your IT/security career, such as: BPATTY - Brian's Pentesting and Technical Tips for You A Slack channel full of cool security people who want to help you learn, and learn from others as well Vulnerable VMs to help you practice hacking, such as Billy Madison and Tommy Boy Thinking about starting your own company? Come see me at Secure360 this summer for my talk called So You Want to Start a Security Company.

WARNING: Today's episode is a bit of an experiment, and I hope you'll hang in there with me for it. I had the opportunity to do a week-long red team engagement, and so I recorded a little summary of the experience at the end of each day, and then pasted them all together to make today's episode. Listening back to the episode now, it sounds like I might belong on a funny farm. But I thought it would be fun to give you a first-hand account of the experience so you can share the stomach-twisting journey with me.

Coming up on Tuesday, January 22 I'll be doing a Webinar with Netwrix called 4 Ways Your Organization Can Be Hacked. It features a Billy Madison theme and pits evil Eric Gordon against sysadmin Billy Madison. Hope you'll join us - it'll be fun! Today I'm pleased to welcome Amber Boone to the program! She is an awareness builder for a cybersecurity vendor (insert dramatic music!), and Amber was gracious enough to help me pilot a new style of interview called 7 Minute Interviews with 7MS. I basically asked Amber a "serious" question about security, then a goofy one, then another serious, then another goofy...and so on and so forth until the 7 minutes was up. Amber answered important questions such as: Would she rather fight 100 duck-sized horses, or 1 horse-sized ducks? What basic security effort could orgs address without investing a huge amount of dollars and effort? Would she rather be a giant hamster or a tiny rhinoceros? If you'd like to check out what Amber's doing online, check out her LinkedIn, her side project YourLegacies.com or follow Amber on Twitter. Interested in doing a 7 minute interview with 7MS? Head here.

I'd like to coordially invite you to the first-ever 7MS User Group meeting, coming up Monday, January 14th at 6 p.m.! You can attend physically, virtually or both! All the info you need is in today's podcast, as well as here. See you there!

Psssst! Wanna come to the first ever 7MS User Group meeting? It's coming up on January 14th. You can join in person or virtually! Head here for more information! Dan DeCloss (a.k.a. wh33lhouse on Slack and @PlexTracFTW aon Twitter) joined me virtually in the studio to talk about his passion project, PlexTrac. Dan also shared his insight on all sorts of great topics, including: How to bleed "purple" and get comfortable playing on both the attacking and defending side of the house What areas are we failing in defending our networks - and what kind of things can we do make our networks more resilient?! What's the biggest challenge you see on both the blue and red team side (spoiler alert: communication is super important!)? How do you break into a cyber security position that requires X years of experience when you have zero experience (Dan offers a great tip: don't be intimidated by requirements on job postings...they're often excessive/unreasonable) Ways to show security aptitude on your resume without necessarily having a bunch of experience: Build a home lab Create a blog Bug bounties Make a podcast Get certs (or at least get enrolled in them) Some history on PlexTrac and what inspired Dan to create it

Matt McCullough (a.k.a. Matty McFly on Slack) joined me in the studio to talk about his wild and crazy path to security. He started literally with no technical experience, but through a lot of hard work, aggressive networking and taking advantage of educational and career opportunities, Matt now rocks a SOC job. Matt and I sat down to talk about a lot of good stuff: How to start an IT career as "the family IT guy" Leveraging a higher education (at places like Lake Superior College to meet people of influence and start networking like a beast Entry level sysadmin and helpdesk jobs are fun - great opportunities to make the most of the position, build your skills and stretch yourself outside your comfort zone MSPs (Managed Service Providers) are another great way to see different clients/verticals/systems and the various requirements that go into supporting them. From there, look for opportunities to start securing those organizations, as many MSPs don't dabble heavily into the security realm. If you're going to school for cybersecurity training, look for ways to leverage your status to get discounts on security training, such as with SANS Competitions like CCDC are awesome. You're given a handful of servers that are full of vulnerabilities, and you essentially are tasked with defending a network against a professional group of pentesters/redteamers. You even have to deal with real-life "injections" (other random emergencies and mock customers to deal with) while you're in the thick of the battle! Join local cyber clubs (or start your own)! Looking for a fun CTF to get started in a group setting? Try hacking the OWASP Juice Shop Attend security conferences(or start your own)! ...more notes at 7MS.us!

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! In today's episode we talk about how to identify - and resolve - unquoted service paths. Maybe you've seen this pop up in your vulnerability scanner and aren't quite sure what the risk is or how to fix it - and maybe more importantly, how to fix it at scale if need be. That's the technical conundrum I faced this week, so I talk about some resources to help you identify this risk and get it out of your environment! And here's a gist I wrote that walks you through everything step by step:

Last week I had the fun privilege of speaking twice at the Minnesota Goverment IT Symposium on the following topics: Forensics 101: This was a "reloaded" talk that I started earlier this year (and covered in episode 299 and 300). At a high level, the talk covered: Hunting malware with Sysinternals Creating system images with FTKImager Dumping memory with Volatility and ripping icky stuff out of memory images with their 1-2-3 punch article Seeking out DNS tunneling/exfil using Security Onion Pecha Kucha: this talk, which is in a 20x20 format is part PSA about how to not click bad links, part cautionary tale (and music video!) about how the promise of a free burrito can ruin your business! Check out the video here, and special thanks to Joe Klein for providing the awesome pics to go along with the storyboard - you're a champ. Also, check out the Digital Forensics Survival Podcast which is awesome for learning more about forensics and IR.

On a recent security assessment I was thrown for a loop and given the opportunity to do a two-part physical pentest/SE exercise - with about 5 minutes notice(!). Yes, it had me pooping my pants, but in retrospect it was an amazing experience. This is the mission I was given: See if you can get the front desk staff to plug in a USB drive - I posed as John Strand and armed myself with a fake resume. And as I approached the front desk I suddenly panicked and thought, "What if the front desk person is a BHIS fan?!?!?" Break into a door with weak security and steal equipment - I was given a plastic shiv and asked to try and get into a secure area in the middle of a busy office morning. No pressure, right? Was I successful? Was I arrested? Find out in today's episode!

Today's episode talks about some SIEMple tests you can run on your SIEM (OMg see what I did there? I took the word simple and made it SIEMple. Genius stuff, right? And there's no extra charge for it!). And if you're just now starting to shop around for a SIEM, this episode also has an extensive questionnaire you can use to put your vendors' feet to the fire and see what they're made of! Along with today's episode, I'm releasing a companion gist that contains: Questionnaire - a series of questions you can ask SIEM vendors to gather as many data points about their products and services as possible SIEM tests - a few tests you can conduct on your internal/external network to see if your SIEM solution indeed coughs up alerts Enjoy!

Happy Thanksgiving! In this episode I: Share some things I'm thankful for - like you! Talk about a fun episode I'm working on that has some SIEMple tests you can use to test your SIEM (omg see what I did there? So clever) Announce the 7MS user's group that will start meeting in the south metro area of Minnesota in January of 2019! Tell you a story about a kid that peed his pants in front of me (you're welcome in advance) Hope you can take some time off and enjoy your friends/family this week and weekend. Have a blessed Thanksgiving!

Welcome to part 6 of our miniseries all about the ups, downs, trials and tribulations of being a small, one-person security start up. In this episode I detail out all the software/services I use to run 7 Minute Security, LLC in hopes it might help you run your company as well! I started a new gist to complement this episode, which you can get by clicking here. Enjoy!

Today I'm excited to brain-dump a bunch of cool stuff I learned at a red team conference called ArcticCon this week. Although this conference observes the Chatham house rule I'm just going to talk about a few things from a general, high level. Specifically, I asked several heavy-hitting red teams these burning questions: When you red team an org, do you usually assume compromise (i.e. plug a Kali box into the network and go from there) or are you crafting email payloads from scratch, trying to get a reverse shell past various email/firewall filtering efforts? Does your management seem to "get it" when it comes to the true value of having a red team? Or do they put limits on your efforts - like "Wait a sec, don't phish my boss!" Or "OMG hold on, don't pwn those systems!"

This week I got to celebrate Halloween with my friends at Netwrix by co-hosting a Webinar called IT Security Horrors That Keep You Up at Night. The content was a modified version of the Blue Team on a Budget talk I've been doing the past year or so, and essentially focuses on things organizations can do to better defend their networks without draining their budgets. The presentation had a Child's Play theme and showed Chucky trying to hack Andy's company via: Phishing Abusing bad domain passwords Abusing bad local admin passwords Responder attack Lack of SMB signing Each attack was also followed up my some advice for how to stop it (or at least slow down its effectiveness). The presentation itself was a blast and I learned some good public speaking lessons as a result: Get your slides done early! - when co-presenting, it makes sense that they want to see your slides sooner than the day of! :-) Don't freak out about an audience of "none" - I always think Webinars are weird because you can't see people's faces or interpret their body language to get a feel for whether they appreciate your humor or understand the points you're trying to make. I learned you just gotta keep pushing forward "blind" whether you like it or not. Setup a redundant presentation system - ok so file this one with the irrational fears dept, but I actually had a second laptop ready with my presentation loaded, and the laptop was connected to a cell hotspot I setup on a tablet. That way if my machine BSOD'd or Internet went out in my house, I could quickly rejoin the presentation and pick up where I left off. Safe or psycho? You decide! Happy belated Halloween!

This week I was in lovely Boise, Idaho doing some security assessment work. While I was there I got to hang out with Paul Wilch and some of the Project7 crew and picked up a lot of cool tools and tips I share in today's episode: The Badger Infosec group did a cool Rubber Ducky demo. Dan from DDSec did a demo of PlexTrac which is "the last cybersecurity reporting tool you will ever need." I'm actually going to use PlexTrac for my next few assessments and am working to line up a future interview with Dan to learn even more. Paul gave a demo of Parrot which is cool and Kali-like. However, when Paul and I did a side-by-side test with Kali, we noticed that Parrot kind of barfed when it set out to do an Eyewitness report. After meeting Paul's son, Simon, I'm optimistic about the future IT/security leaders in this country. There are some wicked-smart youth out there! Paul gave me a hotel keycard lockpick/shiv (his own creation!) and staged a few doors for me to try and bypass. He made it interesting when he promised to throat-punch me if I failed! Thankfully, I got off without any throat punches!