Visit https://reddit.com/r/insiderthreat for show notes and discussion! This is a podcast where we explore the issues today with the insider threat, or human factor, of our organizations. We also talk about ways to tackle those issues through training, culture, and technology in order to help information security and business professionals reduce risks in their environments.
Title - Art of the Phish
In this episode we explain phishing, cover some recent news, like KRACK, and more. Don't touch that dial!
Welcome back! This is episode 23 of The Insider Threat podcast, for the week of October 23rd, 2017.
I'm sick as a dog today, so if you hear something funny about my voice, that's probably it. I wonder where that came from... sick as a dog...
We had more feedback, which I'll cover later. I think that wraps up the announcements. So...
Infosec Question of the Week
It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was "In 1952, the first compiler came into existence. What famous person created it and what other very noteworthy technological advancement did they take part in?"
The answer was "Grace Hopper".
Grace Hopper was a cornerstone of both the IT and information security industries, in addition to what she symbolizes for women in tech. To this day, you'll still see people wearing tshirts at conferences with Grace Hopper's picture on them.
Thanks to Rich from Virginia, Gerald from Illinois, Simone from Kentucky, and Abby from Maine for getting the correct answer.
Here's your question for this week: "In 2003, David Heinemeier Hansson created and has since maintained a key capability that has programmer happiness as one of its key principles. What did he create?"
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "Chuga Chug Choo Choo".
Discussion Topic for the Week
This week's discussion topic is phishing.
- What is phishing?
  - A form of social engineering
  - Primarily email with attachments or links
    - Links go to malicious websites for drive-by downloads or fake login screens
    - Attachments carry malicious code
  - Read that 92% of all breaches start with a phishing email
- Spear phishing
  - Basically targeted phishing (executives, system administrators, finance)
- Social engineering over the phone
  - "Purchasing scams", "Can you hear me alright?"
- Similar to normal phishing, but using SMS or text messages
- Business Email Compromise
  - Where you get an email from a legitimate user in the organization
  - Wire money, send a file or data
  - No direct protection solutions
  - Have to rely on other security solutions, such as SIEMs or UBA, to detect and mitigate
- How can we protect ourselves?
  - Cybersecurity Awareness Month
  - Awareness vs. education
  - Ongoing education that also focuses on reporting procedures
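The bullets above name the indicators a SIEM or mail-filter rule would key on for phishing and BEC: a display name that impersonates an internal user while the address is external, a Reply-To diverted to another domain, a lookalike sender domain, link text that shows one domain while the href points somewhere else, and macro-enabled or executable attachments. The following is an added example (not code from the podcast) that scans raw email messages for those indicators. The organisation domain `example.com`, the internal user list and the four sample messages are all constructed for the demo.

```python
"""Heuristic phishing / BEC indicator scan over raw RFC 822 messages.

Added example. TRUSTED_DOMAINS, INTERNAL_USERS and the SAMPLES below are
constructed demo data, not real captures.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}                         # assumed org domain
INTERNAL_USERS = {"Alice Chen": "alice.chen@example.com"}  # assumed directory
RISKY_EXTENSIONS = {".exe", ".js", ".scr", ".docm", ".xlsm", ".hta", ".vbs"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance_one(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def lookalike(domain):
    """Typosquat check: one character away from a trusted domain (e.g. examp1e.com)."""
    return any(edit_distance_one(domain, t) for t in TRUSTED_DOMAINS)


def scan_message(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    # 1. Display name of an internal user on an external address (BEC lure)
    if name in INTERNAL_USERS and from_addr.lower() != INTERNAL_USERS[name]:
        findings.append("display-name spoofing: %s <%s>" % (name, from_addr))
    # 2. Reply-To pointing at a different domain than the visible sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to mismatch: %s" % reply_addr)
    # 3. Sender domain that is a lookalike of a trusted domain
    if from_dom and from_dom not in TRUSTED_DOMAINS and lookalike(from_dom):
        findings.append("lookalike domain: %s" % from_dom)
    for part in msg.walk():
        # 4. Attachments with extensions that execute or carry macros
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(e) for e in RISKY_EXTENSIONS):
            findings.append("risky attachment: %s" % fname)
        # 5. HTML links whose visible text names one domain but go to another
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in HREF_RE.findall(body):
                shown, real = DOMAIN_RE.search(text), DOMAIN_RE.search(href)
                if shown and real and shown.group(1).lower() != real.group(1).lower():
                    findings.append("link text/href mismatch: %s -> %s"
                                    % (shown.group(1), real.group(1)))
                elif real and lookalike(real.group(1).lower().split(":")[0]):
                    findings.append("link to lookalike domain: %s" % real.group(1))
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "bec_wire": """\
From: Alice Chen <alice.chen@gmail-mail.invalid>
Reply-To: accounts@pay-now.invalid
To: bob@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

Bob, I need you to wire the vendor payment today. I am in meetings, email only.
""",
    "cred_harvest": """\
From: IT Support <helpdesk@examp1e.com>
To: bob@example.com
Subject: Your password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>Reset now: <a href="http://login.examp1e.com/reset">https://portal.example.com/reset</a></body></html>
""",
    "invoice_macro": """\
From: Vendor Billing <billing@supplier.invalid>
To: bob@example.com
Subject: Invoice 1042
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

See attached invoice.
--B1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--B1--
""",
    "clean": """\
From: Alice Chen <alice.chen@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain

Noon?
""",
}


def scan_all():
    """Scan every sample; returns {sample_name: [findings]}."""
    return {name: scan_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_all().items():
        print(name, "->", found or "no indicators")
```

Each check corresponds to one bullet in the list: the display-name and Reply-To checks are the BEC case, the lookalike and link-mismatch checks are the fake login screen case, and the extension check is the malicious attachment case. Tuned versions of these rules are what a SIEM correlation search or mail gateway policy would carry; the point of a reporting procedure is that a user who spots one of these indicators gets it in front of those tools quickly.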
KRACK and ROCA, or marketing for widespread vulnerabilities
Compare the two
KRACK was a very highly publicized vulnerability, complete with suspense, a logo, a website, and even t-shirts (seriously, google it).
If you haven't read more about this vulnerability yet, there are several good writeups out there. Here's my take: an attacker has to be in Wi-Fi range to exploit it, and it doesn't affect communication over a VPN or encrypted web traffic (HTTPS), so the attack surface and impact are not as big as the headlines and marketing indicated.
Now take ROCA (Return of Coppersmith's Attack)
Imagine a world where all the trust we have in public key cryptography
What if you found out that the key part of that encryption, the virtual impossibility of deriving the private key from the public, has been broken for the last 10 years?
This is a serious vulnerability, yet there are almost no headlines, no website, no logo, and no t-shirts that I could find.
What does this say about our industry? Is it just aligning with every other successful industry out there?
For listener feedback this week, one of you told me that the new format and structure is much easier to listen to. Thanks for that. I'm still tweaking some things here and there, but I think it will be nice to have a main topic for each episode so listeners can go back and listen to a specific one that matches something they are currently dealing with in their own organizations.
Thought of the Week Segment
Our thought of the week comes from Grace Hopper. She said, "A ship in port is safe, but that's not what ships are built for."
Thank you for listening to episode 23 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
You can contact me on twitter @stevehigdon or send an email to firstname.lastname@example.org. Join our Reddit community and discussions at the subreddit named insiderthreat. The subreddit is also where you'll find the show notes for this and any other episode, as well as links to the topics we've covered. If you go to our website, you can also find a link to the Patreon page and you can subscribe to the newsletter to get up-to-date information on current episodes and news for the show. Call and leave a voicemail at (443) 292-2287 to have a conversation, get a comment added to the show, or even ask a question.
Thanks again and I'll see you folks next time!