The Exploring Information Security podcast interviews a different professional each week exploring topics, ideas, and disciplines within information security. Prepare to learn, explore, and grow your security mindset.
In this episode of Exploring Information Security, host Timothy De Block talks with David Mytton, founder of ArcJet, about enabling developers to build secure applications seamlessly. David shares his journey from running a cloud monitoring business to developing ArcJet, a security-as-code platform that integrates security measures directly into an application's codebase.
They discuss ArcJet's approach to empowering developers with tools for bot detection, rate limiting, and more, all without compromising the developer experience. David and Timothy explore the challenges of bridging the gap between development and security, the philosophy behind "DevSecOps," and how ArcJet addresses real-world issues like bot abuse and API misuse. Whether you're a developer, security professional, or tech enthusiast, this episode offers unique insights into making application security more accessible.
What is ArcJet and the problem it’s solving?: A security-as-code platform designed for developers to integrate protections directly into their applications.
Developer-Centric Security: How ArcJet enhances security workflows by providing developers with intuitive SDKs and tools.
Real-World Use Cases: Stories of companies reducing infrastructure costs and mitigating bot-driven abuse with ArcJet.
The Evolution of DevSecOps: Challenges and opportunities in integrating security into the development lifecycle.
David's Philosophy: The importance of documentation, user experience, and building tools developers love.
Developers can start using ArcJet with just a few lines of code.
ArcJet helps teams address spam, API abuse, and fraud while focusing on feature development.
David's perspective on the state of security tooling and how ArcJet stands out.
David Mytton is the founder of ArcJet, a security-as-code platform. He previously founded a cloud monitoring business and has extensive experience with developer tools and application security. David is passionate about creating seamless developer experiences and advancing security tooling to meet modern demands.
ArcJet: arcjet.com
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.
[RSS Feed] [iTunes] [LinkedIn]
Sign up with your email address to receive news and updates.
Email Address Sign UpWe respect your privacy.
Thank you!In this artistic episode of the Exploring Information Security podcast, Mubix joins me to discuss MS08-067.
Mubix (@mubix), available at room362 and Hak5, joins me to discuss one of his favorite exploits: MS08-067. I invited Mubix on to talk about MS08-067 because of a tweet he retweeted. The tweet included a confession that a consultant used the MS08-067 vulnerability to break into a clients network. This vulnerability is really old and while not widespread it does pop-up from time-to-time. I was happy to discover that Mubix has a great appreciation for the exploit.
In this episode we discuss:
What is MS08-067?
How long has it been around?
Why is it still around?
What name it would be given in today
More resources:
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter
The Inside Story Behind MS08-067 by John Lambert - Microsoft TechNet
In this episode of Exploring Information Security, host Timothy De Block sits down with Amanda Berlin, co-author of the Defensive Security Handbook, to discuss the evolution of the book, the challenges of writing for the blue team, and how it’s helping cybersecurity practitioners today. Amanda shares insights on creating accessible resources for security professionals and the importance of designing security that works for everyone, from SMBs to enterprise teams.
Origins of the Handbook: Amanda reveals how the Defensive Security Handbook was born from her own challenges as a security professional and the lack of accessible, practical blue team resources.
Writing Process and Updates: The journey of creating the first edition and the significant updates in the second edition, including expanded cloud coverage and reorganized database content.
Designing Security for SMBs: Amanda highlights the unique challenges small and medium businesses face, from budget constraints to vendor complexities, and how the book aims to provide practical, scalable advice.
Balancing Technical and Practical: The handbook’s goal is to simplify complex concepts, making them digestible for newcomers while still useful for seasoned professionals seeking quick references.
The Importance of Empathy in Security: Amanda emphasizes the need for empathy in designing security tools and processes, especially for SMBs that lack dedicated resources or expertise.
Feedback and Impact: How the book has resonated with unexpected audiences, including developers and detection engineers, as a guide to understanding security concepts.
Books:
Defensive Security Handbook (2nd Edition) by Amanda Berlin and Lee Brotherston
Blue Team Handbook by Don Murdoch
Security Engineering by Ross Anderson
Episode Links
Mental Health Hackers, founded by Amanda to address mental health challenges in the security industry.
Get the Book: Defensive Security Handbook on O'Reilly
Connect with Amanda: @InfoSystir on Twitter
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.
[RSS Feed] [iTunes] [LinkedIn]
Sign up with your email address to receive news and updates.
Email Address Sign UpWe respect your privacy.
Thank you!In this episode of Exploring Information Security, host Timothy De Block and guest Javvad Malik, security awareness advocate and writer for KnowBe4, delve into the concept of user-centric design in security. Javvad shares insights on building security controls that enhance user experience rather than hinder it, and explores how organizations can foster a security culture by making processes more intuitive and less obstructive.
Empathy in Security Controls: Javvad discusses the importance of understanding users’ needs and challenges. He emphasizes that security should focus on helping users rather than enforcing rigid policies. Using familiar examples, like Tetris vs. Minecraft, he illustrates the shift from a rigid, top-down approach to a more adaptable, user-driven model.
Learning from Shadow IT: Rather than forbidding unauthorized tools, Javvad suggests engaging with employees to understand why they choose certain applications. By integrating tools that users find convenient, security teams can balance security with user needs.
Behavioral Science Meets Security: Javvad highlights the value of metrics in understanding user behavior and assessing risks. He proposes using a combination of security metrics—like phishing susceptibility and device usage—to gauge an individual’s or department’s security behavior, thereby creating a more effective, user-centric security program.
The Power of Nudge Theory: Drawing from behavioral science, Javvad explores how gentle prompts, like password managers and risk reminders, can steer users toward safer behaviors. He likens this to everyday nudges we see, such as speed-limit reminders on roads, which encourage compliance without confrontation.
KnowBe4 Blog: Javvad’s blog on KnowBe4 about user-centric design.
Behavioral Science Books: Recommended readings include Nudge: Improving Decisions About Health, Wealth, and Happiness by Richard H. Thaler and Cass R. Sunsteinand and Tiny Habits by BJ Fogg for insights into influencing behavior.
Invisible Gorilla Test: A classic experiment demonstrating how easily we miss the obvious, relevant to security’s focus on user awareness.
Javvad Malik is a security awareness advocate and writer at KnowBe4. He uses storytelling and humor to make security concepts relatable and user-friendly. Follow his latest articles on the KnowBe4 blog, where he offers practical insights into security awareness and user-focused security design.
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.
[RSS Feed] [iTunes] [LinkedIn]
Sign up with your email address to receive news and updates.
Email Address Sign UpWe respect your privacy.
Thank you!Timothy De Block is joined by Shane McCombs and John McCombs of the Innocent Lives Foundation (ILF), Josh Huff and Rev3Dood who volunteer their time with ILF, as they delve into an adventurous and charitable whiskey barrel pick trip from April 2024. This live episode gives an insider’s look into the process of selecting exclusive bourbon barrels and the exciting world of whiskey enthusiasts. From Four Roses to Starlight Distillery, Tim and the team explore unique blends, share laughs, and reflect on how each sip supports a meaningful cause.
Check out Unicorn Auction to place a bid on one of the bottles we’re discussing
Check out the ExploreSec YouTube channel for the live video recording.
In this Episode, You’ll Learn:
The Origins of ILF's Barrel Pick Club: Learn about how the passion for whiskey and charity combined to form this unique fundraising avenue for the ILF.
The Complexity of Barrel Picking: Discover why selecting a barrel involves more than just a good taste – it requires considering the community’s preferences, uniqueness, and the impact on the ILF mission.
Inside Four Roses & Starlight Distilleries: Hear about the in-depth tours, the science of barrel aging, and the behind-the-scenes processes that make these distilleries so iconic.
Unique Barrels and Bottles: Highlights include details on Four Roses’ single-tier rickhouses, rare yeast strains, and the exceptional Starlight Mizunara cask, a rarity in the whiskey world.
The Auction and Community Impact: John McCombs from ILF explains how the auction supports ILF and offers tips for placing bids on exclusive bottles.
Memorable Moments:
Whiskey Tasting: A breakdown of tasting notes for Four Roses and Starlight bottles, featuring everything from minty finishes to complex layers of caramel, chocolate, and spices.
Funny Stories: From almost puking in a 15-passenger van to accidental whiskey spills, Tim and the team share some hilarious moments from their trip.
Chris Hadnagy’s Unique Taste: Chris’s love for scotch sets him apart as he humorously describes notes like “pine sol” that others struggle to find.
Auction Information: The auction, hosted by Unicorn Auctions, is open for two weeks, and all proceeds go to supporting ILF’s mission. Bids can be placed on unique bottles hand-picked by the ILF team, with Unicorn waiving all fees to maximize impact. Check out the auction site for updates and be ready to place your bids!
Connect with ILF:
Innocent Lives Foundation: Innocent Lives Foundation Website
Follow on Instagram: @innocentlivesfoundation
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.
[RSS Feed] [iTunes] [LinkedIn]
Sign up with your email address to receive news and updates.
Email Address Sign UpWe respect your privacy.
Thank you!In this episode of Exploring Information Security, host Timothy De Block sits down with Thomas Ritter, a seasoned attorney specializing in cybersecurity and privacy law, to discuss the often-overlooked legal complexities surrounding incident response (IR). From breach terminology to ransomware negotiations, Ritter shares insights from his years of experience navigating legal pitfalls that can arise when responding to security incidents.
Understanding "Incident" vs. "Breach": Ritter emphasizes the importance of careful communication within an organization during a security incident. Misusing legally significant terms, like "breach," can lead to premature obligations, such as breach notifications, which may have serious consequences for an organization.
Attorney-Client Privilege in IR: External counsel's role can extend attorney-client privilege over critical aspects of IR, including the involvement of forensic specialists. This protection can prove essential if an incident escalates into litigation.
Ransomware Negotiation Nuances: With ransomware incidents on the rise, Ritter provides a detailed look at the negotiation process, advising organizations to work with professional negotiators. He recounts instances where attackers leveraged knowledge of clients' cyber insurance coverage to increase ransom demands.
Tabletop Exercises for IR Preparedness: Ritter highlights the value of tabletop exercises, especially involving executive leadership. He notes that regular, comprehensive drills help organizations refine incident response policies and minimize legal exposure during actual incidents.
Navigating Class Action Exposure: As data breaches often trigger class action lawsuits, organizations must take steps to prepare, including consulting legal professionals to reduce risk through privilege-protected documentation.
International Association of Privacy Professionals (IAPP): A valuable source for privacy and security trends.
Cybersecurity Law Report: An in-depth publication on current legal issues in cybersecurity.
Ritter Gallagher Blog: Thomas Ritter’s firm provides regular insights on emerging legal topics in cybersecurity.
Thomas Ritter is a cybersecurity and privacy attorney at Ritter Gallagher, where he focuses on helping organizations navigate the legal landscape of security incidents and data breaches. For more information, or to get in touch, visit RitterGallagher.com or email Thomas directly at [email protected].
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.
[RSS Feed] [iTunes] [LinkedIn]
Sign up with your email address to receive news and updates.
Email Address Sign UpWe respect your privacy.
Thank you!In this holiday edition of the Exploring Information Security podcast, Ed Skoudis joins me to discuss the SANS Holiday Hack Challenge.
Around this time each year the SANS Holiday Hack Challenge releases under the direction of Ed (@edskoudis) and instructor with the SANS institute. This year Santa has been kidnapped and it’s up to use to figure out who did it and save Christmas. The challenge is for new people in infosec, and for those who have been in the industry for many years. As Ed notes in the episode it is even for children. The challenge itself has been around for years and several past years are still available for people to go through.
In this episode we discuss:
What is the SANS Holiday Hack Challenge
How it got started
What preparation goes into making the challenge each year
Who can participate
In this epic episode of the Exploring Information Security podcast Jayson E. Street (@jaysonstreet), Dave Chronister (@bagomojo), Johnny Xmas (@J0hnnyXm4s), April Wright (@aprilwright), Ben Brown (@ajnachakra), and surprise guests Adrian Crenshaw (@irongeek_adc) and Kevin Johnson (@secureideas)all join me to discuss various security related topics.
ShowMeCon is one of my favorite security conferences. The organizers are awesome and take care of their speakers like no other conference. The venue is fantastic. The content is mind blowing. I can't say enough good things about the even that Dave and Renee Chronister put on every year in St. Louis, Missouri. They know how to put on a conference.
Regular listeners of the podcast will note that I recorded an episode with Dave on ShowMeCon several weeks ago. After that recording he asked if I was interested in doing a recording at the conference. I said yes and thus the birth of this epic episode. This format is experimental. First, it is marked as explicit, because there is swearing. Second, It's over 90 minutes long. I didn't think breaking it up into four or five pieces would serve the recording well. Send me your feedback good or bad on this episode, because I'd like to do more of these. I would really like to hear it for this episode.
In this episode we discuss:
Certificates
Hiring
Interviewing
Where to get started
Soft skills
ShowMeCon and other conferences
Community and giving back
Imposter syndrome
Irongeeks impact on those in attendance
In the refreshed edition of the Exploring Information Security (EIS) podcast, I talk to Amanda Berlin AKA @Infosystir about security awareness.
Amanda was charged with setting up a security awareness program for her company from scratch. Setting up a security awareness program is hard work, making it effective is even harder, but Amanda rose to the challenge and came up with some creative ways to help fellow employees get a better handle on security.
In this interview we cover:
What is security awareness?
How a security awareness program should be implemented.
What does an effective security program look like?
How do you measure the effectiveness of a security awareness program
In this episode, Dave Chronister, founder of Parameter Security and ShowMeCon, shares valuable insights into the world of penetration testing (pentesting). Listeners will learn about the differences between vulnerability assessments and penetration tests, what red teaming is, and why organizations should lean towards white-box pentests. Dave and Tim discuss how to avoid common pitfalls when engaging with pentest companies, the importance of rules of engagement, and how to ensure you're getting a high-quality test. Dave also shares stories from his 17+ years in the field, illustrating the critical lessons organizations need to understand.
Difference between vulnerability assessments and penetration tests.
Red teaming vs. penetration testing: When and why to use each.
How to choose the right pentest company.
The importance of setting clear rules of engagement.
Real-world examples of pentesting gone wrong.
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.
[RSS Feed] [iTunes] [LinkedIn]
Sign up with your email address to receive news and updates.
Email Address Sign UpWe respect your privacy.
Thank you!In this timely episode of Exploring Information Security, host Timothy De Block is joined by Pieter Arntz from Malwarebytes to discuss the growing threat of election-related scams. With election season upon us, scammers are becoming more active, and this episode dives deep into how these scams work, what tactics scammers use, and how to protect yourself from falling victim.
You can check out Pieter’s article How To Avoid Election Related Scams at the Malwarebytes blog.
Seasonal Scams: Scams are often timed with key events, including elections, holidays, and tax season. Pieter discusses how scammers shift focus from elections to events like Black Friday or Christmas.
Common Election Scams: Scammers often target voters through text messages, social media, and robocalls, attempting to steal personal information or solicit fake donations.
Mobile Devices as a Target: With more focus on mobile devices, Android and Apple users are increasingly targeted through phishing texts and malicious links.
Social Engineering: Scammers manipulate users by pretending to represent political parties, asking for donations, or engaging in online discussions to steal information.
Detecting Scams: Pieter and Timothy offer practical advice on identifying scam messages, such as unsolicited communications, urgency in messaging, and phishing links with suspicious domains (e.g., .xyz, .top).
Who’s Behind These Scams?: The episode touches on the actors behind the scams, ranging from cybercriminal gangs to state actors, and how they profit from fraudulent activities.
Scams Beyond Elections: While elections are a prime target, natural disasters and other events are also exploited by scammers to steal donations and personal information.
Privacy Concerns: A survey revealed that 3% of people are hesitant to vote due to privacy concerns, highlighting the critical need for secure election processes.
Be Wary of Unsolicited Messages: If you receive unsolicited texts or emails, always double-check the source before acting. Election scams often use urgency to push people into making hasty decisions.
Verify Political Donations: Only donate through verified websites. Scammers frequently clone official websites to trick people into giving money to fraudulent causes.
Protect Your Personal Information: Avoid sharing personal details through unofficial or unfamiliar channels. Scammers can use this information for identity theft or phishing attacks.
Report Scams: If you suspect a scam, report it to organizations like the FTC or the FBI to help others stay safe.
Report Fraud – Federal Trade Commission’s fraud reporting site.
Do Not Call Registry – Sign up to reduce unwanted calls.
National Association of Secretaries of State – Provides resources on election security.
FBI Alerts – Stay updated on the latest scams from the FBI.
Election season raises fears for nearly a third of people who worry their vote could be leaked - MalwareBytes Labs
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.
[RSS Feed] [iTunes] [LinkedIn]
Sign up with your email address to receive news and updates.
Email Address Sign UpWe respect your privacy.
Thank you!Your feedback is valuable to us. Should you encounter any bugs, glitches, lack of functionality or other problems, please email us on [email protected] or join Moon.FM Telegram Group where you can talk directly to the dev team who are happy to answer any queries.