
7 Minute Security

534 episodes - English - Latest episode: almost 2 years ago - ★★★★★ - 63 ratings

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.

Tags: Technology News, Tech News, information security, security

Episodes

7MS #283: OFF-TOPIC - I Love Cops and COPS

October 27, 2017 21:34 - 18 minutes - 25.9 MB

My plans for this week's podcast went hush-hush, kablooie, bye-bye, see ya, adios. So, I'm pinch-hitting and going off-topic and talking about...of all things...cops. Now wait! Wait wait! Don't run away. I'm not going all political on you or anything like that. Just wanna share some anecdotes and perspectives on the following:
- What it was like growing up with a dad who was a cop
- Losing a cousin in the line of duty
- Getting a call from my local police department this week claiming I was a...

7MS #282: A Peek into the 7MS Mail Bag

October 19, 2017 03:14 - 11 minutes - 16.2 MB

I'm gonna level with you: it's been a heck of a week. So I thought I'd try something a little different (and desperate?) and use this episode to answer some FAQs that come in via email and Twitter DM. Today's burning questions include:
Q: Do I think it's dangerous to podcast and drive?
A: Not really, especially now that I got one of these babies.
Q: What is the eJPT cert all about?
A: It looks like a pentest training/cert path that sits somewhere (difficulty wise) between CEH and OSC...

7MS #281: Baby's First Banking Infosec Conference

October 11, 2017 19:25 - 15 minutes - 21 MB

I went to my first ever banking-focused infosec conference a few weeks ago (WBA's Secure-IT) and learned a ton. I met some really great people and had many productive conversations around security. The main takeaways from the conference that I talk about in today's episode:
- Standing all day and talking about security is exhausting!
- You can thwart "swag whores" (sorry mom, but I learned that that's what they're called!) by pushing your merch table deep into the booth so it's touching the ...

7MS #280: How to Become a Packtpub Author

October 05, 2017 02:57 - 11 minutes - 16.1 MB

I'm excited to announce I'm going to be a PacktPub author! I'm going to work with them to create a course on network/vulnerability scanning. I'm pumped, but kinda nervous, so when I had the initial conversations with PacktPub staff, I made sure I hit them with my burning questions:
Q: Are you going to ask me to create a sweet course and then pay me pennies for every digital copy sold?
A: No. Authors get paid a lump sum up front and then share in profits for digital copies sold.
Q: Who'...

7MS #279: Patching Solutions Bake-Off - Part 4

September 28, 2017 04:10 - 15 minutes - 21.1 MB

Intro
The patching solutions review concludes this week with Ivanti's patch solution, as well as PDQ Deploy/Inventory. As a quick reminder, here's where our bake-off currently sits:
- Ninite (covered in 7MS #275)
- ManageEngine (covered in 7MS #277)
Quick reminder: none of these solutions are bribing me with fat wads of cash to plug their products. Some day I hope to have such problems, but today is not that day.
Ivanti
You might know Ivanti as Shavlik - that's the product name I'm m...

7MS #278: Interview with Rob Sell

September 21, 2017 04:47 - 56 minutes - 77 MB

Intro
We're breaking ground with this episode, folks! For the first time in 7MS history, we've got a guest on the show (finally, right?!). Rob Sell is an IT manager who has been working in IT for many years, with a focus on information security specifically for the last 4 years. He recently came home from Defcon 25 with a third place in the SE CTF. Rob sat down with me to discuss the CTF, how to make an outstanding CTF audition video, OSINT tools/tips/techniques, the value of tech/secu...

7MS #277: Patching Solutions Bake-Off - Part 3

September 14, 2017 02:19 - 13 minutes - 18.1 MB

ManageEngine Desktop Central
Overall, I have to bluntly say that I really enjoyed playing with ManageEngine's solution. It's got a crap-ton of features built into it - above and beyond patching - that I think IT/security folks will really appreciate.
Pros
- Agent or agentless management of systems
- MDM (didn't play with it but it certainly looks feature-rich)
- Application white/blacklisting
- Ability to push out configurations for things you'd normally use GPOs for - i.e. setting a login b...

7MS #276: The CryptoLocker song

September 06, 2017 13:54 - 12 minutes - 16.9 MB

This is it! The worldwide Internet debut of an original infosec-themed song called CryptoLocker'd, and as the name implies, it's about a CryptoLocker incident. Here's the quick back story: A few years ago I worked on an incident response where a user got phished with a promise of a free burrito from Chipotle but instead got a free order of CryptoLocker! And rather than tell IT or sound the alarms, the user just left for the day! The next day they came back and the company was digitally on ...

7MS #275: Patching Solutions Bake-Off - Part 2

August 30, 2017 19:52 - 11 minutes - 16 MB

This episode continues our series on comparing popular patching solutions, such as:
- Ninite
- ManageEngine
- Ivanti
- PDQ
Ninite
This week I focused on Ninite, and here's the TLDR version:
Pros
- Does one thing (third party patching) and does it really well
- Extremely affordable
- User interface is clean, simple and really easy to use/learn
Cons
- No "agentless" option - it's an agent or nothin'
- I'm not sure if Ninite has the brand name recognition and reputation to be accepted/respected...

7MS #274: Speaking at ILTACON - Part 4

August 23, 2017 22:40 - 15 minutes - 20.9 MB

I'm back from Vegas! My talk went really well and I'm excited to tell you about it in today's episode. First, some conference/trip highlights: During the ILTACON conference I attended a great talk by Don McMillan about how to infuse humor into your work environment. Really enlightening, and you know those things you hear about how humor lowers blood pressure, increases satisfaction and just overall makes you a more pleasant person to be around? Turns out it's true! On the day before my p...

7MS #273: Speaking at ILTACON - Part 3

August 17, 2017 03:23 - 9 minutes - 2.71 MB

I ran out of time in episode #272 to tell you about why preparing to be a speaker for ILTACON was way more stressful than preparing for Secure360 a few months ago. The main points of difference/stress were:
- ILTA wanted to see PowerPoint deck progress weekly, whereas with Secure360 it was pretty much "Your talk is accepted - see you at the conference!"
- ILTA is going to show a "speaker slide" with bio a few minutes before the session starts. That way the session is focused on content (and p...

7MS #272: Speaking at ILTACON - Part 2

August 17, 2017 03:07 - 11 minutes - 3.49 MB

This is part 2 of a series focusing on public speaking - specifically for the ILTACON conference happening in Vegas this week. In this episode I share a high-level walkthrough of my talk and the 10 "Blue Team on a Budget" tips that the talk will focus on. These tips include:
- Turning up Windows auditing and PowerShell logging
- Installing Sysmon
- Installing Security Onion
- Don't put too much faith in endpoint protection
- Keep an eye on Active Directory
- Install RITA
- Deploy a Canary ...

7MS #271: Patching Solutions Bake-Off - Part 1

August 10, 2017 02:43 - 10 minutes - 14.2 MB

Seems like every business I meet with needs some sort of help in the patching department. Maybe they've got the Microsoft OS side of the house under control, but the third-party stuff is lacking. Or vice-versa. Either way, the team I work with is excited to kick the tires of some popular patching solutions over the next few weeks, and we'll audibly barf up what we learn into this mini-series! Solutions we'll poke around with include:
- Ninite
- ManageEngine
- PDQ Deploy
PS: None of these s...

7MS #270: IDS on a Budget - Part 4

August 03, 2017 04:27 - 12 minutes - 17.1 MB

I spent a bunch of time with Security Onion the last couple weeks and have been lovin' it! I ran the install, took all the defaults, ran the updates, and pretty much just let it burn in on my prod (home) environment. After a few days, I went back to check the Security Onion dashboard to check the alerts. There was a bunch of benign stuff (computers pinging each other, Dropbox broadcasting to the network) but also a couple interesting finds - SO caught one of my VMs downloading (intentiona...

7MS #269: Documentation

July 27, 2017 21:09 - 13 minutes - 17.9 MB

Documentation is super boring, right? Yet it's critical to getting your client/audience excited about making their security better! In this episode I talk about my mixed feelings towards the "big" standards like ISO/NIST/etc. and how a more tactical, down-to-earth documentation approach might be more effective in some cases. And I think we need our documentation to be much more focused on consultation/remediation and not just "Hey, your security sucks...and these next 100+ pages will tell ...

7MS #268: IDS on a Budget - Part 3

July 19, 2017 12:50 - 12 minutes - 16.7 MB

Been having a blast working with the beta branch of the Sweet Security project and I'm anxious to try the latest fixes of the beta branch. Give it a look! I also spent a lot of time the last few nights playing with Security Onion and love it. After zipping through the install wizard and hitting reboot a few times you're pretty much good to go. A few recommendations I'd make after those initial reboots though:
- Run the soup command to update Security Onion with all the latest packages
- Use u...

7MS #267: Backup Disasters

July 18, 2017 22:00 - 11 minutes - 16.2 MB

Today's episode is a horror story about how I recently lost 5+ years of CrashPlan backups due to what I'm calling a...small clerical error. Yes, this oopsie was 100% my fault, but I think backup providers can do a better job of warning us (via text or automated call rather than just email) before blowing away our life's work.

7MS #266: IDS on a Budget - Part 2

July 13, 2017 18:51 - 10 minutes - 14.7 MB

This week I've continued to play with the awesome Sweet Security IDS solution you can throw on a Raspberry Pi 3. A big update to share is that there is a beta branch which has some cool new features, such as the ability to break the Bro + ELK stack across multiple machines. I also lost a lot of sleep these last few days playing with Security Onion and will do a future episode focusing only on that!

7MS #265: IDS on a Budget - Part 1

July 05, 2017 20:04 - 10 minutes - 15 MB

I've been wanting to get a Bro IDS installed for a long time now - and for several reasons:
- It looks fun!
- My customers have expressed interest
- It will be part of my upcoming ILTACON session.
So this weekend I started getting the hardware portion ready, which includes:
- Ubiquiti Edge Router X (~$99)
- TP-Link TL-SG105E (~$35)
- CanaKit Raspberry Pi 3 Complete Starter Kit (~$70)
If you need additional information such as screenshots/configs etc. to get the VLANs passing properly from the Edg...

7MS #264: Hacking Wordpress

June 29, 2017 04:32 - 11 minutes - 15.9 MB

I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan, which is built right into Kali - or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options: --throttle - for example, I've been using --throttle 1000 in order to...

7MS #263: Make Nessus Reporting Fun Again!

June 25, 2017 22:46 - 13 minutes - 18.7 MB

Tell me I can't be the only one who regularly wants to combine a bunch of small Nessus scan files into a big fat Nessus scan file, and then make pretty pictures/graphs/summaries that the customer can easily understand? Over the last few weeks I must've tried every Powershell and Python script I could get my hands on, yet still didn't find the magic bullet solution. That is, until I found this little beauty of a tool: NamicSoft. It's a $65 tool for Windows that will not only combine multip...

7MS #262: Speaking at ILTACON

June 14, 2017 22:49 - 10 minutes - 14.2 MB

Through kind of a weird series of events, I have an opportunity to speak at ILTACON this summer in Vegas (baby!). I'll be talking about some things you can do if you suspect your perimeter is breached, as well as low-hanging fruit you can implement to better defend against breaches. I'm pumped. And I've done the most important part and chosen a PowerPoint theme: A Few Good Men :-) I've spoken with some of you in the past and know a few of you spend your days and sleepless nights hunting th...

7MS #261: Blind Network Security Assessments

June 07, 2017 22:24 - 10 minutes - 14.9 MB

This week I had the fun opportunity to do a "blind" network security assessment - where basically we had to step into a network we'd never seen before and make some security posture recommendations. I've found that the following software/hardware is quite helpful for this type of assessment:
- The PwnPulse helps a ton in scanning wired and wireless networks...and even Bluetooth! I've covered the Pulse in past episodes - check out part 1 and part 2.
- Network Detective will do a ton of helpful ...

7MS #260: PwnPro 101 - Part 2

June 02, 2017 22:00 - 12 minutes - 16.5 MB

I'm continuing to love our PwnPro and had a chance to use it on a customer assessment this week. For the most part the setup/install was a breeze. Just had a few hiccups that the Pwnie support team straightened me out on right away. In the episode I mention some command line tools and syntax that helped me work with the Pulse. One was using fping to sweep large subnets and accurately find live hosts:
fping -a -g 10.0.5.0/16 > blah.txt
Then, to set up the reverse shell, I just for...

7MS #259: OFF-TOPIC - Home Robbery Attribution

May 25, 2017 02:15 - 9 minutes - 13.1 MB

Warning! Warning! This is an off-topic episode! I try really hard to create valuable weekly content about IT/security. However, sometimes a virtual grenade goes off in my life and prevents me from having the necessary time/resources to get my act together. This has been one of those weeks. :-) So today I'm going off-topic and talking about an alleged burglary of some electronics at my home. And once we identified the culprit, wow...nobody was more surprised than me.

7MS #258: Speaking at Secure360 - Part 2

May 18, 2017 19:45 - 14 minutes - 20 MB

Intro
I mentioned last week that I was speaking at the Secure360 conference here in the Twin Cities, and at that time I was preparing a talk called Pentesting 101: No Hoodie Required. I was so nervous that I've basically spent the last week breathing heavily into paper bags and wishing I was on sedatives. But I have good news to report in today's episode, friends! The talk was very well received and the attendees didn't get out torches and pitchforks! #winning! So today's episode (audio ...

7MS #257: Speaking at Secure360

May 11, 2017 15:00 - 11 minutes - 15.5 MB

The nervous butterflies are chewing up my organs this week. Why? Because I'm speaking at Secure360 next Tuesday and Wednesday. I'm trying to build a presentation that:
- Appeals to both techie nerds like me, as well as regular human people
- Strikes a healthy balance between fun and informative
So, my outline is roughly as follows:
- Intros
- Let's talk about pentesting vs. vulnerability scans
- Build your own hackin' lab for $500!
- Good/bad training (CEH vs. OSCP)
- Let's hack some stuff fol...

7MS #256: AlienVault Certified System Engineer - Part 2

May 04, 2017 01:29 - 11 minutes - 15.1 MB

So a few weeks ago I did an episode about the AlienVault Certified Security Engineer certification, and last Friday I took a stab at the test. I failed. It kicked my butt. Today I'm here to both rant about the unfairness of the test and offer you some study tips so you don't suffer a similar fate. P.S. - you should definitely check out this blog as it's one of the few valuable study guides I could find out there on the Interwebs.

7MS #255: PwnPro 101

April 27, 2017 02:22 - 10 minutes - 14.7 MB

I'm kicking the tires on the PwnPro which is an all-in-one wired, wireless and Bluetooth assessment and pentesting tool. Upon getting plugged into a network, it peers with a cloud portal and lets you assess and pentest from the comfort of your jammies back at your house! Oh, and did I mention it runs Kali on the back end? Delicious. Today's episode dives into some of what I've been learning about the PwnPro as I run it through its paces at work and warm it up for our first customer asses...

7MS #254: Bash Bunny

April 20, 2017 01:45 - 10 minutes - 14.1 MB

I've been working with the Bash Bunny for the past few weeks in preparation for a presentation/demo I'm doing in a few weeks. Today I want to talk about what the Bunny is, the cool things it can do, and some of my favorite payloads. Also, I started thinking about what conversation topics spawn from a demo of the Bunny. Specifically, I want to know how people would defend against the Bunny using AD policies, peripheral controls, etc. Check out the Hak5 thread I started about this, as it has...

7MS #253: Desperately Seeking Service Accounts

April 13, 2017 14:17 - 9 minutes - 12.4 MB

Find the show notes here!

7MS #252: LAPS - Local Administrator Password Solution

April 06, 2017 03:27 - 8 minutes - 11.9 MB

Show notes are here.

7MS #251: Blackholing Malvertising with Pi-Hole

March 30, 2017 00:17 - 10 minutes - 13.9 MB

Show notes are here

7MS #250: The PBS Telethon Episode!

March 23, 2017 15:52 - 10 minutes - 13.8 MB

Show notes for today's episode can be found here!

7MS #249: AlienVault Certified Security Engineer - Part 1

March 16, 2017 19:21 - 9 minutes - 13.7 MB

Show notes are here.

7MS #248: How to Hack the 10 O'clock News

March 09, 2017 15:32 - 11 minutes - 15.4 MB

Show notes are here.

7MS #247: Webapp Pentest Tool Bake-Off - Part 4

March 02, 2017 04:11 - 9 minutes - 13.2 MB

Show notes are here.

7MS #246: Webapp Pentest Tool Bake-Off - Part 3

February 23, 2017 03:53 - 11 minutes - 15.2 MB

Show notes are here. Enjoy.

7MS #245: Webapp Pentest Tool Bake-Off - Part 2

February 17, 2017 19:31 - 9 minutes - 12.5 MB

Show notes are here.

7MS #244: Webapp Pentest Tool Bake-Off - Part 1

February 09, 2017 04:50 - 10 minutes - 14.8 MB

Show notes are here

7MS #243: ZOMG Logo Design Contest!

February 02, 2017 16:25 - 9 minutes - 13.1 MB

Here are today's show notes!

7MS #242: Bye Bye Dream Job - Part 4

January 26, 2017 04:13 - 10 minutes - 14.3 MB

We've reached the end of this series, and I come into this final chapter bearing good news: I have a job! So in today's episode, I just wanted to kick back and share some cool things I'm working on as I ramp up in this new adventure (and that will also provide good topics for future episodes):
Webapp pentest tool bake-off
In the next week I'll be evaluating the following for more general/automatic webapp scans:
- Netsparker
- HP WebInspect
- Qualys
- AppSpider
SIEM comparison
We're l...

7MS #241: Bye Bye Dream Job - Part 3

January 19, 2017 04:59 - 13 minutes - 17.9 MB

Show notes are here

7MS #240: Bye Bye Dream Job - Part 2

January 12, 2017 04:29 - 12 minutes - 17.6 MB

Show notes are here.

7MS #239: Bye Bye Dream Job - Part 1

January 05, 2017 04:31 - 9 minutes - 13.7 MB

Show notes: https://7ms.us/7ms-239-bye-bye-dream-job-part-1

7MS #238: Network Monitoring 101 - Part 2: NMAP, Papertrailapp and OpenCanary

November 30, 2016 15:52 - 8 minutes - 12.1 MB

Show notes: https://7ms.us/7ms-238-network-monitoring-101-part-2-nmap-papertrailapp-and-opencanary

7MS #237: Network Monitoring 101 - Part 1: Nessus

November 23, 2016 16:59 - 8 minutes - 11.7 MB

Show notes: https://7ms.us/7ms-237-network-monitoring-101-part-1-nessus

7MS #236: From "Derp!" to Domain Admin with MOVEit Central

November 17, 2016 04:00 - 11 minutes - 15.7 MB

Show notes: https://7ms.us/7ms-236-from-derp-to-domain-admin-with-moveit-central

7MS #235: Pwning Billy Madison

November 10, 2016 21:27 - 10 minutes - 14.4 MB

Show notes: https://7ms.us/7ms-235-pwning-billy-madison

7MS #234: Pentesting OWASP Juice Shop - Part 5

November 04, 2016 01:58 - 7 minutes - 11 MB

Show notes: https://7ms.us/7ms-234-pentesting-owasp-juice-shop-part5

Twitter Mentions

@gh0sthax 20 Episodes
@joekl3in 2 Episodes
@nikhil_mitt 2 Episodes
@strandjs 2 Episodes
@bkimminich 1 Episode
@mrd0x 1 Episode
@mduench 1 Episode
@notmedic 1 Episode
@insiderphd 1 Episode
@chrisphineas 1 Episode
@plextracftw 1 Episode
@owasp_juiceshop 1 Episode
@tinkersec 1 Episode
@kimzetter 1 Episode
@robertesell 1 Episode
@nathanhunstad 1 Episode
@awnetworks 1 Episode
@baffleio 1 Episode
@infosystir 1 Episode
@byt3bl33d3r 1 Episode