Brakeing Down Security Podcast-logo

Brakeing Down Security Podcast

158 Favorites

More Information


United States







Direct Link: We are back this week after a bit of time off, and we getting right back into it... What happens after you enact your business continuity plan? Many times, it can cause you to have to change processes, procedures... you may not even be doing business in the same country or datacenter, and you may be needing to change the way business is done. We also talk a bit about 3rd party...

Duration: 00:59:19

2017-SPECIAL003-Audio from Derbycon 2017!

Direct Link: Mr. Boettcher, Ms. Berlin, and I went to Derbycon. In addition to the podcast with podcasters we did during the 3 days, I managed to grab another whole hour of audio from various people at the conference, just to give you an idea of the vibe of the conference, in case you were unable to attend. We talked to the FOOOLs (, and how they have done the lockpick village...

Duration: 01:15:05

2017-034-Preston_Pierce, recruiting, job_descriptions

*Apologies for the continuity this was recorded before we went to Derbycon 2017.* Preston Pierce is a recruiter. We wanted to have him on to discuss some issues with our industry. So we had him on to discuss hiring practices, how a recruiter can help a company recruiter better talent, and how to stop companies looking for the 'unicorn' candidate. Preston is a great guy and we learned a lot about how the recruiting process works, and how Preston's company work differently from other,...

Duration: 01:02:05

2017-SPECIAL002-Derbycon-podcast with podcasters (NSF Kids/Work)

Direct Link: SUPER NOT SAFE for kids (and probably adults, come to think of it). Really this is just us riffing about derbycon (and I really love @oncee, and wished I'd gone to his stable talk (which you can listen/watch here: We actually did talk about the skills gap, resume workshop held...

Duration: 01:18:30

2017-033- Zane Lackey, Inserting security into your DevOps environment

Zane Lackey (@zanelackey on Twitter) loves discussing how to make the DevOps, and the DevSecOps (or is it 'SecDevOps'... 'DevOpsSec'?) So we talk to him about the best places to get the most bang for your buck getting security into your new DevOps environment. What is the best way to do that? Have a listen... Direct Link: RSS: Youtube Channel:...

Duration: 01:00:35

2017-032-incident response tabletops, equifax breach

Everyone should be doing incident response tabletops, even if it's not a dedicated task in your organization. It allows you to find out what you might be lacking in terms of processes, manpower, requirements, etc. This week, we discuss what you need to do to get ready for one, and how those should go in terms of helping your organization understand how to handle the aftermath. And in case you've been under a rock, #equifax was breached. 143 million credit records are in the ether. We...

Duration: 00:47:37


This week, we met up with Robert Sell to discuss competing in the DefCon Social Engineering CTF. You're gonna learn how he prepared for the competition, and learn about some of the tactics you could use to compete in future SE CTF events. Direct Link: RSS: Youtube Channel: #iTunes Store Link:...

Duration: 01:03:46

2017-030-Vulnerability OSINT, derbycon CTF walkthrough, and bsides Wellington!

This week, we discuss the lack of information and where you might find more information about certain vulnerabilities. Seems like many companies fail to give out necessary and actionable information without paying an arm and a leg. We also go over our DerbyCon CTF walkthrough, and discuss the steps to solve it. Direct Link: Ms. Berlin is going to be at Bsides Wellington! Get your...

Duration: 00:52:36

2017-029-CIS benchmarks, Windows Update reverts changes used to detect malware

This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection. What if I told you the same updates we suggested last week to NEVER delay actually undoes all your hardening on your system and leaves your logfiles set to defaults, all file associations for suspect files like pif,...

Duration: 01:17:40

2017-026-Machine_Learning-Market Hype, or infosec's blue team's newest weapon?

Direct Link: Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics. We asked Ms. Miller to join us here to discuss what ML and AI are, how algorithms work to analyze the data to...

Duration: 01:09:01

2017-025-How will GDPR affect your Biz with Wendyck, and DerbyCon CTF info

Direct Link: GDPR (General Data Protection Regulation) is weighing on the minds and pocketbooks of a lot of European companies, but is the US as worried? If you read many of the news articles out there, it ranges from 'meh' to 'OMG, the sky, it is falling". GDPR will cause a lot of new issues in the way business is being done, not just in the realm of security, but in the...

Duration: 01:10:48


Direct Link: The infosec industry and the infosec culture is so diverse, with many different points of view, many different thoughts and opinions, and many of us deal with our own internal demons, like addictions, mental afflictions like depression or bipolar disorders. And 'imposter syndrome' is another thing that seems to add to the mix, making some believe they have to be constantly...

Duration: 01:30:55

2017-023-Jay_Beale_Securing Linux-LXC-Selinux-Apparmor-Jails_and_more

Direct Link: Jay Beale works for a pentest firm called "Inguardians", and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class. Why do we disable Selinux? Is it as difficult to enable as everyone believes? What benefit do we get from...

Duration: 01:09:43

2017-022-Windows Hardening, immutable laws of security admins, and auditpol

Direct Link to Download: This week, we discuss hardening of windows hosts, utilizing CIS benchmarks. We talk about the 'auditpol' command. And we dredge up from the ancient times (2000) the Microsoft article from Scott Culp "The 10 Immutable Laws of Security Administration". Are they still applicable to today's environment, 17 years later? Brakesec also announces our "PowerShell for Blue Teamers and...

Duration: 00:53:47

2017-SPECIAL- Michael Gough and Brian Boettcher discuss specific ransomware

Due to popular demand, we are adding the extra content from last week's show as a standalone podcast. Michael Gough (@hackerHurricane) and Mr. Boettcher (BrakeSec Co-Host, and @boettcherpwned) sit down and discuss the popularity of ransomware as a topic They discuss what email attachments to block, how to test your own email gateway, and what controls you should implement to help defend against the #petya #notpetya ransomware.

Duration: 00:19:25


This week, we discussed Ms. Berlin's recent foray to CircleCityCon, 614con (@614con), and her recent webinars with O'Reilly. One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just came from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments. So we got to...

Duration: 01:18:46


Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing. We also discuss EclinicalWorks and their massive fine for falsifying testing of their EHR system, and implications for that. What happens to customers confidence in the product, and what happens if you're already a customer and realize you were duped by...

Duration: 01:16:36

2017-019-Ms. Jessy Irwin, Effective Training in Small/Medium Businesses

This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues Small and medium businesses and startups have with getting good training, training that is effective and what can be done to address these issues. We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy. ------- Upcoming BrakeSec Podcast training: Ms. Sunny Wear - Web App Security/OWASP 14 June - 21 June - 28 June at 1900...

Duration: 01:11:33

2017-018-SANS_course-EternalBlue_and_Samba_vulnerabilities-DerbyCon contest details

We discuss SANS courses, including the one I just took (SEC504). How did I do in class? You can listen to the show and find out. Since it's been a few weeks, we also discuss all the interesting WannaCry reports, the ease at which this vulnerability was exploited, and why would a company allow access to SMB (tcp port 445) from the Internet? We discuss some upcoming training that we are holding starting 14 June. Ms. Sunny Wear will be doing 3 sessions discussing the use of Burp, and...

Duration: 00:50:39


Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on it's head by not having a boundry in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy right? Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. Utilizing 2FA, concepts of port...

Duration: 01:25:45

See More