Secarma
Hacked Off
108. IASME: IOT Security Compliance
Following audience responses to Pod 107 with Jason Blake, Secarma's Jen Williams has circled back to do a deeper dive into the PSTI legislation and IoT devices. With the legislation going live at the end of April, any manufacturers that have not yet found a successful route to show compliance should listen to this podcast, which goes into finer detail with Jason Blake. As IASME's IOT scheme manager, Jason shares a selection of ways to navigate the legislation, and he and Jen discuss the ways to approach an accreditation that will also help any business and their devices to improve on...
2024-04-22
26 min
Hacked Off
107. Jason Blake: IoT and PSTI
Secarma Head of Testing, Simon Chapman, takes over the hosting duties as the Hacked Off podcast returns. Episode 107 focuses on IoT and the new regulations that are forcing manufacturers to place security at the heart of their devices. Simon interviews Jason Blake, IOT scheme manager at IASME and Jen Williams who heads up consultancy services at Secarma. Jason talks us through the diverse world of IoT devices, from smart letter boxes to B2B moisture content monitors for farmers and explains why the need for tighter security regulation is long overdue. Jen approaches the subject from a consumer perspective and...
2024-02-06
24 min
Hacked Off
106. Simon McNamee: Optimising Security Services
In this episode of Hacked Off, Holly interviews Simon McNamee - Secure Impact's Security Technology Lead. This week, they discuss what issues security experts often encounter when working with businesses; both those with a high level of security maturity, as well as those just starting off on that journey. Holly and Simon offer some sage advice to organisations about getting the most out of their security services - it all starts with understanding the difference between these services and recognising what your business is ready for - and they also share some of their own experiences from different on-site engagements. 1:00...
2021-10-29
43 min
Hacked Off
105. Rob Demain: SOCs and SMEs
For some organisations, using Security Operations Centre services is a great way to minimise the impact of a possible cyberattack. Moving quickly and effectively, SOCs can detect, analyse and respond to breaches if an organisation doesn’t have the resources to do so themselves. In this episode we spoke to Rob Demain – founder and CEO at e2e-assure – about the role of SOCs, today’s diverse threat landscape, and the importance of research and development when working in cybersecurity. 02:00 Why SOCs? 06:00 Building trust 13:35 Keeping up-to-date 15:40 Delivering the service 23:20 When disaster strikes 29:20 Working with SMEs 33:55 Security risks Listening time: 42 minutes Host: Holly Gr...
2021-10-15
42 min
Hacked Off
104. David Barr: Cybersecurity CSI
In the cybersecurity world, the digital forensics department acts as the Crime Scene Investigation team for a business that has fallen foul of a cyber-criminal. DFI techniques are used to investigate and rectify the problems caused by the hack, and/or bring the perpetrator to justice. Similarly to traditional forensics, cyber incident response teams can find data to use as evidence in the investigation. In this episode, we talk to David Barr – Principal CIRT Consultant at Secure Impact – about the day-to-day of digital forensics, how the scene is evolving, and what to expect from his talk at UnLocked: London Olympia. 00:35 Work...
2021-09-24
30 min
Hacked Off
103. Declan Doyle: Cyber Resilience
Valuing your SME as ‘too small to get hacked’ can leave you complacent and open to attacks, with little to no defences in place. For those who find cybersecurity daunting, there are organisations out there, ready to help. In this episode, we talk to Declan Doyle – head of Ethical Hacking at the Scottish Business Resilience Centre – about cyber resilience, misconceptions around who can get hacked, and understanding clients to best help them stay secure. 00:26 What is the SBRC? 01:35 Resilience 02:55 Helping out 05:35 Misconceptions around size 07:49 Optics and tailoring services 19:55 Different pathways in Cyber 26:50 Engaging with SBRC Listening time: 31 minutes Host: Holly Grace Wi...
2021-08-20
31 min
Hacked Off
102. Nick Blundell: Automating Testing
The medium of cyber-attacks is code, but the mastermind that drives them is always human intelligence. Systems are created by people, and automated tech still can't understand every nuance that humans embed into them. In this episode, we talk to Nick Blundell – head of R&D at AppCheck – about the pros and cons of vulnerability scanning, how hackers can enter weak systems and the need for a blended approach. 00:50 Will automation take over? 04:25 Scanning or Pentesting: the pros and cons 17:30 Issues with automation 22:00 Weak systems 52:50 A blended testing approach Listening time: 1 hour 5 minutes Host: Holly Grace Williams, MD at Secarma Gues...
2021-08-16
1h 05
Hacked Off
101. Greg van der Gaast: Rethinking Recruitment
In a time of record unemployment due to the pandemic, it’s strange that cybersecurity job openings receive so few applicants and take 20% longer to fill than typical IT roles. Is there a cyber skills shortage, or are we simply looking in the wrong places? In this episode, we talk to Greg van der Gaast – CISO at Scoutbee GmbH and author of Rethinking InfoSec – about how we can rethink the cyber hiring process and role requirements, in order to find many more suitable candidates. We also touch on diversity, the role of HR, and building stronger enterprising teams. 00:28 Security in supply...
2021-08-06
31 min
Hacked Off
100. Jai Aenugu: Why We Have to Win Every Time
To celebrate Hacked Off's 100th episode, we spoke with Jai Aenugu – founder of TechForce Cyber – a highly regarded cybersecurity resilience organisation with offices in both Edinburgh and Aberdeen. This week’s podcast features conversation around what sets Scotland apart in terms of cybersecurity, doing one thing and doing it really well, plus security essentials for SMEs, and an overview of the NotPetya and Kaseya cyber-attacks. 0:49 Cybersecurity in Scotland 4:45 Why found an InfoSec business? 7:00 The Kaseya attack 10:10 Minimising impact 14:00 Don't plan for ransomware 19:45 Security bias 25:00 When phishing turns foul 30:30 Risk 37:00 The baseline and beyond 41:00 Look after the customer Listening time: 46 minu...
2021-07-26
46 min
Hacked Off
099. Ian Murphy: Against Apathy
Workplace security training can be hit or miss; to keep your business safe, your awareness training needs to be memorable, but a conventional annual security presentation on passwords and phishing scams can be tedious and forgettable. In this episode, we talk to Ian Murphy – founder and content creator at CyberOff, and co-founder of LMNTRIX – about how we can utilise engaging, out-of-the-box content to revamp security training and get the general population excited about security practices. 00:50 Creating engaging content 06:48 The need for a new approach 15:00 Context, content and culture 19:45 Attracting an audience 21:40 What’s going wrong? 24:15 The need for good communication 30:53 Buildi...
2021-07-16
45 min
Hacked Off
098. Javvad Malik: What Makes Effective Security Awareness Training?
Security awareness training is a common requirement in most businesses, but oftentimes it can be difficult to effectively teach employees how to recognise and respond to security risks. In this episode, we speak with Javvad Malik – Security Awareness Advocate at KnowBe4, co-founder of Security B-Sides London and cybersecurity blogger – about the variety of risks out there, the challenges of security awareness training, and how best to promote it. 00:28 What is a Security Awareness Advocate? 02:45 Challenges 11:14 Messaging 16:20 Importance of Security Champions 19:25 Minimising risk 21:45 Lesser-known types of phishing attacks 29:20 Promotion 38:10 The fear of embarrassment 40:40 Bias and the role of marketing Listening time: 46 minu...
2021-07-12
46 min
Hacked Off
097. Dr Andrea Cullen & Lorna Armitage: Women in Cyber
Studies in recent years have revealed how little diversity there is within the cybersecurity industry, with women making up only 8% of the cyber workforce in the UK. In this episode, we speak with Dr Andrea Cullen and Lorna Armitage – co-founders of cyber training organisation CAPSLOCK – about the difficulties of getting into cyber, the need for accessibility and inclusivity in the industry, and recruitment advice for organisations and those wanting to get hired. 02:52 Obstacles for those wanting to enter the industry 09:33 Cyber skills 14:05 Building confidence 16:35 Breaking into cyber 21:32 Imposter syndrome and conquering fears 31:14 Finding yourself and your strengths 36:14 The importance of find...
2021-07-05
44 min
Hacked Off
096. Natasha Taylor: The Future of Cybersecurity Events
Over the past year and a half, the events industry has had to adapt like never before, and this led to many events going online via webinars, digital roundtables, and large-scale virtual conferences. In this episode, we interviewed Natasha Taylor - Senior Conference Producer at DTX - about what makes a successful cybersecurity event, networking from home, and what the future of tech conferences could look like. 0:40 Preparation is everything 4:36 What makes a good panel or presentation? 8:50 It's good to disagree 14:55 Overcoming obstacles 17:20 Technical difficulties 22:30 Why you should give public speaking a go 26:00 Finding a balance 34:20 The future of networking ...
2021-06-25
45 min
Hacked Off
095. Kathleen Booth: How Cyber Criminals Target Your Marketing Team
This week, Holly is joined by Clean.io's Kathleen Booth to talk about how the very methods that marketing teams use to bring in customers may also attract the unwanted attention of cyber-criminals. Whether it's third party plug-ins, digital ads, or even a stray tweet - hackers can corrupt your marketing department's efforts and attack your organisation. Thankfully, there are ways to balance robust business security without cutting your marketing team off at the knees. Listen to this week's interview for discussion around innovative yet secure marketing strategies, the importance of cybersecurity awareness training, and why marketers and security staff...
2021-06-18
42 min
Hacked Off
094. Patricia Keating: How Crisis Spawns Innovation
This week, Holly speaks with Patricia Keating, founder of Tech Manchester - a start-up hub designed to upskill Manchester-based entrepreneurs, nurture their ideas, and connect them with investors. They discuss cybersecurity for start-ups, the tech business landscape in Manchester, and how virtual conferencing allows you to be in two places at once. 1:20 Working with start-ups 3:55 Is London the only tech hub? 5:30 Common misconceptions 7:55 Mentoring tech business founders 12:00 What does "failing" mean? 16:00 Work-life balance 22:35 Crisis spawns innovation 30:05 Working from home means working anywhere 34:00 Sharing the journey Listening time: 36 minutes Host: Holly Grace Williams, MD at Secarma Guest: Patricia Keating, Founder of...
2021-06-07
36 min
Hacked Off
093. Dr Dan Prince: Teaching the Next Generation to Think Differently
This week, Holly delves deeper into the topic of security higher education and training with Dr Dan Prince - Senior Lecturer in Security and Protection Science at Lancaster University's School of Computing and Communications. Together, they discuss the challenges that the mentors of today have when teaching the security experts of tomorrow, how to prepare students for threats that may not exist, and how thinking differently may be the key to keeping one step ahead of threat actors. 1:00 Preparing the next generation 4:30 Creating the framework for a Masters in security 9:55 Where is the line? 17:15 Know your enemy 20:40 Working with the...
2021-05-28
42 min
Hacked Off
092. University of Salford & Tanium: Higher Education's Security Challenges
Recently, the University of Salford announced their partnership with Tanium, to help the education institution improve their security against an increase in attacks. Universities have been high up on the target list for threat actors over the course of the pandemic, and these nefarious parties aren't slowing down anytime soon. In this episode, Holly interviews Mark Wantling - the University of Salford's CISO - as well as Chris Vaughan of Tanium, to understand more about their partnership and trade tips on protecting the education sector from cyber-attacks. 1:00 Security challenges in higher education 3:40 Joiners, movers, and leavers 8:30 Are the basics really all...
2021-05-21
1h 00
Hacked Off
091. Evan Jones: Demystifying Security Architecture
Although our specialty is penetration testing, there's a wide variety of interesting roles available within the security industry. In this episode, Holly sits down with Evan Jones of Complete Cyber, to explore the ins and outs of security architecture. Over the course of the conversation, they discuss the skills necessary to become a security architect, the benefits of using a pen and paper to map out possible threats, and Evan also explains how solution architecture is a lot like a Rubik's cube... somehow. 0:35 Transferring your skills 3:30 What is a security architect? 15:00 What makes a good security architect? 17:00 Dear customers, help...
2021-05-17
50 min
Hacked Off
090. Jonathan Slater: Start-ups and Starting Again: The Benefits of Reskilling
In last week's episode we talked about how security professionals can leverage their skills to get into cyber, but how do you obtain those skills in the first place? Enter Jonathan Slater, co-founder of CapsLock and our guest for today. In this episode, we discuss his journey from nuclear, to recruitment, to co-founding a disruptive education model that's designed to help everyone from bus drivers to web developers gain a qualification - and most importantly, employment - in cybersecurity. We also take a deep dive into how candidates can make themselves more attractive to hiring managers, diversity in cyber, and...
2021-04-30
50 min
Hacked Off
089. Jay Jay Davey: Getting Into Cybersecurity
In this episode, Holly interviews Jay Jay Davey - SOC Analyst at CyberClan and founder of NoxCyber - a one-stop page of career advice for aspiring cyber security professionals, with resources to help you get into the industry. We spoke with him about the different routes into cyber, as well as what to do once you're in. Listen to this episode for career advice, CV tips, and why explaining what networks are to your parents could lead to you being a CEO's shoulder to cry on one day. 1:05 About NoxCyber 2:40 Getting into cybersecurity 7:15 Getting hired 13:05 The different roles in cyber 22:30...
2021-04-23
43 min
Hacked Off
088. Shauni Adekoya: Marketing Cybersecurity Services
In this episode, Holly sits down with Shauni - our Marketing Manager - to discuss how she promotes technical services to a non-technical audience. Marketers in the security industry have a pretty big task on their hands; as technical people - cybersecurity is our passion (hence last week's 55 minute rant about security policies), but how do you create content that appeals to CEOs and other non-technical decision makers? Over the course of the conversation, we discuss Shauni's journey from fashion marketing to cybersecurity, what she has in common with a lot of penetration testers, and how much marketing fluff is...
2021-04-16
32 min
Hacked Off
087. Michael Ranaldo: Your Security Policy Needs to Make Sense
In this episode, Holly and Michael have an in-depth discussion - okay, maybe it's a little bit of a rant - about security policies. Many organisations' cybersecurity policies are rarely given the attention they deserve, despite them being such an important part of protecting your business. Over the course of this conversation, Holly and Michael take a look at policy building and reviewing, common mistakes that organisations tend to make, and why you should be worried if no one on your team has any questions after "reading" through the policy... 0:15 Policy review 3:20 Rethink your security policy 11:00 Exceptions to the rule...
2021-04-09
55 min
Hacked Off
086. Thomas Ballin: The MITRE ATT&CK Framework
In this episode, Holly and Thomas discuss the MITRE ATT&CK framework and the multi-layered security strategies that organisations need to defend against threat actors. 0:58 What is the MITRE ATT&CK framework? 9:50 A real-world breach progresses in layers 11:50 Using MITRE ATT&CK 15:08 Communication is key 16:50 Vulnerability scan, penetration test, or red team? Yes. 30:23 How to get started Listening time: 34 minutes Host: Holly Grace Williams, MD at Secarma Guest: Thomas Ballin, Testing Team Lead at Secarma MITRE ATT&CK framework link: www.attack.mitre.org Our website: www.secarma.com
2021-03-26
34 min
Hacked Off
085. Certifications and Training
What are the benefits of gaining skills that are a little broader than the niche you work in? In this episode, we have a discussion around certifications, training, and upskilling. We also provide a brief overview of our penetration testing training courses, which are a great resource for businesses that are looking to upskill their security and IT teams, as well as for tech-savvy individuals who want to break into pentesting. 0:50 Holly's own experience with recent exams 4:45 Reasons to upskill 8:30 Breaking into the cybersecurity industry 9:40 Our Hacking & Defending training courses Listening time: 16 minutes Host: Holly Grace Williams, MD...
2021-03-19
16 min
Hacked Off
084. CyberFirst Girls: Creating a Diverse Talent Pool
The Hacked Off podcast is back! In this episode, we sit down with Sarah and Sian from the NCSC's CyberFirst initiative to talk about the CyberFirst Girls competition. The National Cyber Security Centre is committed to developing the UK's next generation of IT professionals and has a number of fantastic initiatives designed to introduce 11 – 17 year olds to the fast-paced world of cybersecurity. We need the broadest mix of minds to tackle the security threats of tomorrow, and the NCSC’s CyberFirst Girls competition is all about developing that diverse talent pool. The competition is a girls-only event for 12-13 year...
2021-03-12
37 min
Hacked Off
2020: A Year in Review
It's the last podcast of the year, so Holly is revisiting some of our key guest interviews from 2020. We also couldn't do a 'A Year in Review' without discussing the impact of the pandemic on business security, and how now is the time to revisit your change management and risk register. Key points: 0'34 Our new training course 4'00 Lockdown and change management 6'49 Time to review the risk register 8'14 Security Awareness Training 10'52 What kind of attacks do we need to worry about? 15'58 Turning off antivirus 17'42 The future of phishing scams Useful Links: Our new training...
2020-11-26
22 min
Hacked Off
076. Joe Thorpe: Hacking Mobile Apps
We speak to fellow co-worker and Senior Security Consultant at Secarma, Joe Thorpe, who specialises in app testing. He gives us the low-down on hacking mobile apps, how they're similar to web apps, which vulnerabilities are most common and how to choose the right testing for your mobile app. Key points: 0'43 What is mobile application testing? 3'43 Similarities to web application testing 4'49 Finding vulnerabilities in mobile apps 7'21 Hacking mobile apps with Frida and bypassing root detection 9'33 Choosing the right kind of testing for your mobile app 13'09 The Tinder app vulnerability 14'48 The most common...
2020-10-08
17 min
Hacked Off
074. Martin Lethbridge: There’s more to Firewalls than Blocking Packets
There's more to firewalls than simply installing them and leaving them to it! WatchGuard's Senior Sales Engineer Martin Lethbridge, joins Holly Grace Williams to discuss common firewall misconceptions, and how to get the most out of your firewall to ensure your organisation is safe. 0'22 Guest introduction 2'10 Firewall misconceptions - they aren't just for your network perimeter 6'52 Protecting your laptop on 'dirty networks' - working from home or remotely 11'59 Security vs convenience 17'43 The importance of VLAN and network segmentation 19'45 Don't just block it, monitor it, review it, maintain it 26'53 Deep packet inspection 38'41 Why...
2020-09-24
57 min
Hacked Off
073. Vulnerabilities in Firewalls
Although perimeter-breaking vulnerabilities are quite rare, they're certainly not unheard of - firewalls aren't perfect systems and they can have vulnerabilities too. In this week's episode, Holly Grace looks at some previous critical vulnerabilities in firewalls and tries to highlight some key lessons learned. 4'37 The firewall vulnerability 'BENIGNCERTAIN' 7'22 Protecting your organisation against threat actors gaining internal network access 10'47 How to protect the firewall interface Useful link: Firewall Configuration Security Review - www.secarma.com/services/cybersec…urity-review.html Listening time: 14 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma
2020-09-17
14 min
Hacked Off
072. An Intro: Firewall Security
Our latest 'Intro' podcast takes a look at Firewall Security. Holly discusses different types of firewalls, the importance of network segmentation and Firewall Configuration Security Reviews, and how firewalls are targeted during a pentest. 1'30 How are firewalls targeted during a Penetration Test? 8'29 Network segmentation 11'08 How threat actors jump between networks 13'56 Next Generation Firewalls 19'14 Web Application Firewalls Useful links: Firewall Configuration Security Review - https://www.secarma.com/services/cybersecurity-assessment/firewall-configuration-security-review.html Listening time: 24 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma
2020-09-10
23 min
Hacked Off
071. Month In Review: Bribery & Bug Bounties
From bribery to bug bounties! In August's Month in Review podcast, Holly Grace discusses the failed social engineering attack on a Tesla employee, and the uproar off the back of Slack's minimal payout to a researcher for a critical security bug. Key points: 1'20 The failed social engineering attack against Tesla 3'05 How to test your organisation against bribery 8'21 Critical security bug discovered through Slack's bug bounty program 10'06 How much is a bug worth? Let us know your thoughts on the Slack Bug Bounty over social media: Twitter - @Secarma LinkedIn - @Secarma Ltd Listening time: 15 minutes Hosted...
2020-09-03
15 min
Hacked Off
070. How Vulnerability Scanners Work
Whilst Secarma performs Penetration Testing, which is an in-depth approach to security testing, organisations can get additional assurance through ongoing automated security scanning. Nick Blundell, AppCheck's Head of R&D, joins us on our podcast to discuss how vulnerability scanners work, their pros and cons, and how they complement Penetration Testing to achieve a balance of depth and frequency. 0'20 Nick's background 2'00 How do you map web applications? 4'52 How do scanners work? 22'29 Making scanners more intelligent 28'02 Penetration Testing plus Vulnerability Scanning 30'52 Why is automated scanning hard? 53'17 How does a scanner handle authentication? Useful links: https...
2020-08-27
1h 05
Hacked Off
069. An Introduction to the OWASP Top 10
The OWASP Top 10 is a list of the 10 most common web application vulnerabilities. This podcast provides an introduction to this awareness document, and why it's so beneficial to organisations and their journey to better security. Key Points: 1'00 Who are the Open Web Application Security Project? 2'18 What is the OWASP Top 10? 7'55 The current OWASP Top 10 list 9'04 Why it's such a useful document 10'19 Other 'Top 10' lists 11'27 The OWASP Top 10 isn't the be all and end all! Listening time: 17 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma
2020-08-20
17 min
Hacked Off
068. An Intro: Vulnerability Scanning
This podcast provides an excellent introduction to vulnerability scanning, covering how it works and what it tests. It discusses the benefits of vulnerability scanning and how, alongside penetration testing, it can provide an organisation with a more continuous testing model. Key points: 1’34 What is vulnerability scanning? 2’16 What does vulnerability scanning test? 9’09 How a scanner grades a vulnerability 11’47 Pentesting vs vulnerability scanning 14’40 The benefits of vulnerability scanning 24’09 Overview Listening time: 26 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma
2020-08-13
26 min
Hacked Off
067. Month in Review: Data Stolen and Ransoms Paid
In July it was revealed that travel company CWT paid $4.5 million in ransom to cyber criminals. Whilst shocking, ransomware is unfortunately not new and not uncommon. Secarma’s MD, Holly Grace Williams, discusses why ransomware is such a popular option for cyber criminals and how companies can prepare for potential attacks with incident response training. Key Points: 1’05 Paying ransoms 2’00 Why is it always ransomware? 2’40 CWT’s ransom negotiation conversation 5’15 Incident response training for ransomware 10’22 The TikTok ban in the US 12’07 Technically, how would you ban TikTok? 15’09 Coming soon - Secarma Webinars! What content would you like to see in our webinars? Let us k...
2020-08-06
18 min
Hacked Off
066. Encryption isn't Magic
After a brief break, the Hacked Off Podcast is back! If you missed our MD’s Trusted Tech Talks webinar last week, Holly Grace Williams summarises the key points of her presentation, Encryption isn’t Magic: Hackers Can Break It. She discusses why encryption is a little more complex than being on or off and the importance of configuring it correctly. Key points: 0’33 Introduction 4’20 Cryptography lasts a long time 7’44 Grading cryptographic weaknesses 11’30 How quickly can you crack passwords and how much does it cost? 17’45 What other hashes might we commonly come across? 22’45 The problem with password strength meters 24’30 Summary Listening time: 19 minutes H...
2020-07-30
27 min
Hacked Off
065. PenTesting: Efficiency vs Realism
In today's episode we talk about penetration testing realism versus efficiency, and why a security test that exactly matches the options available to criminals isn't always possible, and sometimes isn't even desirable. It's all about the context. Key points: 1'05 The motivation behind an assessment is key 2'10 When realism is key 3'45 When total realism isn't possible 8'40 Technique-orientated vs goal-orientated 14'40 Fix the fundamentals first Listening time: 19 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma
2020-06-18
18 min
Hacked Off
064. Mike Jones: Privacy and OpSec
Privacy is a right and it is important to protect that right, but operational security is hard. Mike Jones joins us again to talk all things OpSec, and we cover some things to check to make sure your privacy is protected. Key Points: 1'30 Why is Privacy important? 4'20 Photos, GPS and Geotagging 10'15 Social Media settings 12'15 Removable Media 14'15 Communications security and Leaks 18'00 Privacy and Adult Entertainment 24'30 Balancing operational security and convenience 29'00 Cleaning up Data footprints 34'23 Situational Awareness 38'30 Burner Accounts Links: Operation Robin Sage - https://en.wikipedia.org/wiki/Robin_Sage Listening...
2020-06-11
46 min
Hacked Off
063. Incentivising the Security Team
In today's episode we talk about incentivising your Security Team and making sure that the defensive team are getting praise for a job well done, as well as noting that the red team's job isn't over when they find a high-impact vulnerability. Key Points: 0'49 There's more to staff retention than bonuses 1'40 The problem of the romanticisation of the red team 3'30 Measuring progress in security improvement 4'25 Purple Teaming may help reduce the gap 11'00 Empowering the defensive team 15'15 Measuring offensive teams Links: https://soundcloud.com/hackedoff/009-an-intro-penetration-testing-vs-red-teaming https://soundcloud.com/hackedoff/an-intro-cybersecurity-maturity-assessments Listening Time: 18 minutes ...
2020-06-04
18 min
Hacked Off
062. Adam Louca: Cutting Through Vendor Noise
Adam Louca joins us today to talk about how to get the most out of security products, and how to cut through the marketing to find out what works for you! Key Points: 0'30 What is a technologist? 2'05 Why do we have to cut through vendor noise? 4'21 How you can determine the truth of products 9'25 Planning for the unknown 12'00 How to know products are working 19'50 Network segmentation, antivirus, and other specifics 22'40 Gaining internal visibility 31'00 Blame: Users vs Products 34'00 The Security People vs Products Links: Mitre Att&ck Framework: https://attack.mitre.org/ ...
2020-05-28
41 min
Hacked Off
061. Kevin Fielder: Building Security, Teams, and Culture
Kevin Fielder joins us today discussing building security and building security teams. We talk risk appetite, balancing likelihood and impact, and team culture! 1'20 Where to start 4'00 Risk Appetite and moving quickly 11'13 Balancing appetite, likelihood and impact 15'15 Keeping the security team happy 18'45 Team Culture 25'45 Team Development and building Careers 38'25 How DevOps affects building security 48'12 Handling staff retention Listening Time: 54 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma Guest: Kevin Fielder, CISO at JUST EAT
2020-05-14
53 min
Hacked Off
060. Security Strategy
Today we have Marc Avery, Kevin Fielder, and Sean Atkinson discussing how to build a business security strategy. We talk about cyber insurance, operational security, and building security in companies, with detours to talk about Equifax getting hit by Hurricane Irma, the problems of working from home, and company culture. Key Points: 01'00 Guest Introductions 05'10 The security risk of the new baseline 15'00 Real-world attacks vs Click-bait News 18'22 Security Awareness Training for the Home 23'00 Pandemics and Business Continuity Plans 27'00 Risk Lifecycles - Revisiting Risk Exceptions 34'36 Cyber Insurance Benefits and Woes 48'05 Will...
2020-05-07
59 min
Hacked Off
059. Mike Jones: Anonymous, Suits, and Building Better Security
Mike Jones is a former member of Anonymous and a former confidential informant, and is here to talk about building better security. We talk about everything from Cyber Prevent programmes that help people avoid becoming cyber criminals, to becoming a better penetration tester. 01'12 Working with Anonymous 03'25 Meeting with the Suits 04'18 Working as a Confidential Informant 16'50 A hacker's impression of the legal system 20'40 Cyber Prevent Programme 25'50 Developing PenTesting Skills 32'20 Covering up breaches and vulnerabilities Listening Time: 44 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma Guest: Mike Jones, Security Researcher
2020-04-30
44 min
Hacked Off
058. Starting Security From Scratch
Many security guides out there presume that you're implementing security on an existing system or an existing product: looking at what has been missed and improving things incrementally - but what if you're building something completely new? If it's a new product or a new company, things can be different. When you're struggling with security, many experts will tell you that you should have started sooner - but where exactly do you start? You can't PenTest a product before you've written your first line of code, so what should you do first? It's difficult to fit it all in...
2020-04-23
24 min
Hacked Off
057. Lockdown: Final
In this episode we follow up on recent news events including the Travelex Ransom payment, fraud linked to Covid-19, and US-Cert Guidance on the cyber risks from North Korea - plus Secarma announce a Charity Support Fund. Key Points: 2'45 Travelex: Paying the Ransom 4'28 Business Continuity and Getting Through Lockdown 5'25 FTC report on Covid-19 Fraud 8'35 Blurring nation states and organised crime 11'10 Cryptojacking Attacks and the ICO 13'33 Extortion Campaigns 16'43 Charity Support Fund Links Charity Support Fund: https://blog.secarma.com/charity-support-fund.html US-Cert Guidance: https://www.us-cert.gov/sites/default/files/2020-04/DPRK_Cyber_Threat...
2020-04-16
18 min
Hacked Off
056. Lockdown: Part 3
We look into the importance of protecting user privacy and the difficulty of anonymising data, both in regard to COVID-19 and more broadly for businesses. Key Points: 0'45 The benefits of location-tracking 3'15 The risks of location tracking 6'36 Reducing risk through pseudonymisation 10'07 The risk of sharing data 12'00 Balancing benefit and protection 14'10 The 5 Data protection questions Listening time: 20 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma
2020-04-09
19 min
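The pseudonymisation point in this episode has a failure mode worth seeing in code: replacing an identifier with an unkeyed hash is not pseudonymisation when the identifier space is small, because anyone holding the "anonymised" data can hash every candidate and recover it. The example below is added here and is not code from the podcast or from Secarma; the 4-digit patient references and the wordlist-style candidate space are constructed for illustration, and the recommended alternative (HMAC under a secret key held only by the data controller) is standard practice rather than something the episode prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifier space: 4-digit references ("0000".."9999").
# Small, enumerable spaces like this (postcodes, NHS-style numbers, phone
# numbers) are exactly where an unkeyed hash gives no real protection.
def candidate_space():
    return (f"{n:04d}" for n in range(10000))


def pseudonymise_plain(identifier: str) -> str:
    """Unkeyed pseudonym: SHA-256 of the identifier.
    Deterministic and unique, but reversible by brute-force enumeration."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise_keyed(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret key the recipient never sees.
    Still deterministic (records about one person still link together),
    but enumeration now requires the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(pseudonym: str, candidates, pseudonymise):
    """What a recipient of the shared data set can do: try every candidate
    identifier through the public transform and compare."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), pseudonym):
            return candidate
    return None


def demo():
    """Returns (recovered_from_plain, recovered_from_keyed)."""
    key = secrets.token_bytes(32)        # held by the data controller only
    real_identifier = "4821"             # constructed sample value
    plain = pseudonymise_plain(real_identifier)
    keyed = pseudonymise_keyed(real_identifier, key)

    # Unkeyed: the whole space is 10,000 hashes, recovered instantly.
    from_plain = reverse_by_enumeration(plain, candidate_space(), pseudonymise_plain)
    # Keyed: without the key the attacker has no transform to enumerate with;
    # trying the public hash against the keyed value finds nothing.
    from_keyed = reverse_by_enumeration(keyed, candidate_space(), pseudonymise_plain)
    return from_plain, from_keyed


if __name__ == "__main__":
    print(demo())
```

Keying the transform moves the risk from the shared data set to the key, so the remaining questions are the ones the episode raises about sharing: who holds the key, whether the same key is used across data sets (which lets recipients link them), and whether the pseudonymised fields are themselves identifying once combined with other columns.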
Hacked Off
055. Lockdown: Part 2
In Lockdown Episode 2 we're talking about video conferencing vulnerabilities, staff complacency, and security awareness risks brought on by job role changes. Key Points: 2'00 Zoom under security researcher scrutiny 6'03 Stealing passwords from video-conferences 9'30 Network architecture and working from home 13'05 Staff complacency and risk 14'35 Job role changes and risk 16'12 Attack surface reduction Listening time: 18 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma
2020-04-02
17 min
Hacked Off
054. Lockdown: Part 1
For this episode we're starting a new mini-series, investigating how recent news events are impacting companies; in part 1 we're looking at performing effective internal infrastructure tests, remotely. Key points: 5'08 Assessing VPN security 6'41 Differences with remote testing 8'30 Our Virtual Onsite Testing (VOT) solution 9'30 Hackers hacking home WiFi 11'00 Making remote-internal testing effective Download on iTunes: apple.co/2Ji61Ek Listening time: 13 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma
2020-03-26
12 min
Hacked Off
053. COVID-19: The Impact on Your Business
What do you do when a pandemic hits and you are forced to send your entire workforce to work from home? Is your business ready for the technical and security risks that come with that? What have you missed? COVID-19 is presenting organisations with new challenges and testing their business continuity plans. Holly Grace Williams talks about these challenges and a few things you may not already have considered. 1'58 The challenges of working from home 8'43 The perfect time to be hacked 10'27 Phishing 13'38 Events 16'18 Web traffic Download on iTunes: apple.co/2Ji61Ek Listening time: 18 minutes Hosted...
2020-03-19
18 min
Hacked Off
052. An Intro: Wireless Security
Secarma's Technical Director, Holly Grace Williams, discusses how threat actors could bypass your wireless security through guest Wi-Fi, pre-shared keys, or even enterprise wireless security. She talks about the benefits of network segmentation and how your networks may not be as separate as you think! Key Points: 1'20 Network segmentation 3'38 Technologies to protect wireless networks 5'56 Open wireless networks 11'12 Pre-shared keys (PSK) 13'12 Cracking hashes 19'57 Enterprise security Download on iTunes: apple.co/2Ji61Ek Listening time: 25 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma
2020-03-12
27 min
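Why "cracking hashes" follows "pre-shared keys" in this episode comes down to one derivation: in WPA2-Personal the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase, salted only with the SSID, so anything captured that depends on the PMK can be attacked offline at the attacker's leisure. The example below is added here, not code from the podcast or from Secarma. It derives the PMK exactly as the standard specifies and runs a dictionary attack against it; the simplification, stated plainly, is that it compares guesses against the PMK itself, whereas a real attack verifies each guess against the MIC in a captured four-way handshake (the PTK and MIC derivation is omitted). The wordlist is constructed, and the SSID "IEEE" / passphrase "password" pair is the published 802.11 test vector.

```python
import hashlib

# WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key from a passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def offline_guess(ssid: str, target_pmk: bytes, wordlist):
    """Dictionary attack. The salt is the SSID, which is broadcast, so the only
    secret input is the passphrase; every guess costs one PBKDF2 run and needs
    no further interaction with the network."""
    for guess in wordlist:
        if wpa2_pmk(guess, ssid) == target_pmk:
            return guess
    return None


# Constructed wordlist: the sort of short, common passphrases a first pass tries.
WORDLIST = ["letmein", "wifi1234", "password", "Summer2020!"]

# Published 802.11 test vector: passphrase "password", SSID "IEEE".
TEST_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)


def demo():
    """Simulate: attacker knows the SSID and has material derived from the PMK.
    Returns the recovered passphrase, or None if the wordlist misses."""
    return offline_guess("IEEE", TEST_VECTOR_PMK, WORDLIST)


if __name__ == "__main__":
    print("PMK matches test vector:", wpa2_pmk("password", "IEEE") == TEST_VECTOR_PMK)
    print("Recovered passphrase:", demo())
```

Two practical consequences follow from the derivation. Because the SSID is the salt, tables can be precomputed for common network names, so a default or vendor SSID weakens even a decent passphrase. And because 4096 iterations only slow guessing rather than prevent it, the defence on a PSK network is passphrase length and randomness, which is the argument the episode makes for moving to enterprise (802.1X) authentication where no shared secret is derived from a human-chosen string.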
Hacked Off
051. The Truth about Cybersecurity Marketing Buzzwords!
There seems to be a colour for all the different types of cybersecurity teams these days, but is there any value behind these marketing buzzwords and what do they really mean? Holly Grace Williams takes us through the different 'team' definitions and how to look beyond their colourful names! Key Points: 1'41 The difference between penetration testing and red teaming 3'25 Red Teaming and Blue Teaming 4'13 Purple Teaming 9'04 White Teaming 9'56 Gold Teaming 11'19 Looking past the marketing buzzwords! 14'33 TIBER - Threat intelligence based ethical Red Teaming 16'30 Atomic Red Teaming Download on iTunes: apple.co/2Ji61...
2020-03-05
19 min
Hacked Off
050. Month in Review: The Redcar and Cleveland Borough Breach
On Saturday 8th February 2020, Redcar & Cleveland Council was hit with what is thought to be ransomware. Holly Grace Williams discusses the wider impact of hacking a council, and the brand damage that can come from this kind of attack. Key points: 1'27 What happened to Redcar & Cleveland Council? 1'50 Do people really understand what ransomware is? 4'11 The timing of ransomware attacks 6'44 Why restoring from backup is not always as simple as it sounds 8'17 The wider impact of councils being hacked 13'04 Dealing with brand damage from a breach 21'39 How can you have confidence in an organisation's...
2020-02-27
26 min
Hacked Off
049. James Mckinlay: Why I turned antivirus off!
Is your antivirus working for you? It wasn't for James Mckinlay, the Group Information Security Officer at Barbican Insurance, so he made the controversial decision to switch it off! James discusses why he made this decision and the infrastructure he built to replace it. Key points: 1'18 The decision to turn off antivirus 2'35 Alternatives to antivirus 4'10 Application whitelisting 13'28 Cyber Essentials 16'53 To patch or not to patch 23'00 Other things we turned off 34'50 Not everyone should switch their antivirus off! Download on iTunes: apple.co/2Ji61Ek Listening time: 40 minutes Hosted by: Holly Grace Williams | Technical Director...
2020-02-20
44 min
Hacked Off
048. Cybersecurity Predictions: Do things really change that much?
Every year we are asked the question, 'what are your cybersecurity predictions for this year?', but is there really any value in predictions, and have cybersecurity threats really changed that much over the years? Holly Grace Williams takes a look back at last year's predictions to see how accurate they really were, and discusses the most prominent threats for 2020. Key points: 3'35 Cloud outages 4'16 Nation state attacks 4'48 SQL injection 5'26 Supply chain risk 5'52 Ransomware 10'18 Phishing 11'34 Physical Access 19'10 Holly Grace's predictions! Download on iTunes: apple.co/2Ji61Ek Listening time: 21 minutes Hosted by...
2020-02-13
21 min
Hacked Off
047. Mike Koss: Hear no evil, see no evil
We invite our most popular interviewee of last year, Mike Koss, back into the studio to discuss one of the emerging cyber threats of the modern day: deepfakes. Mike discusses how this machine-learning technique fakes content, and the impact it can have on business. Key Points: 0’43 What is a deepfake? 3’32 What fake content might be used for 10’00 Faking audio 14’13 Faking videos 16’56 Faking photos 22’53 Educating and preparing organisations for deepfakes 28’05 Detecting fake content with algorithms 34’40 What should companies do now? Download on iTunes: apple.co/2Ji61Ek Listening time: 40 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma Guest: Mike Koss, Cyberse
2020-02-03
40 min
Hacked Off
046. The Travelex Ransomware Attack
Ransomware has been around since the 1980s and unfortunately, due to its effectiveness, it's not going away. Holly Grace Williams discusses the recent Travelex ransomware attack: what we can learn from it, how to deal with being held to ransom, and predictions for the future. Key points: 0'35 The Travelex breach 7'14 A two-part ransomware attack 9'17 Keep your systems up to date! 10'41 Why attackers use ransomware 13'23 Media response following a breach 15'38 What should you do if you're held to ransom? Download on iTunes: apple.co/2Ji61Ek Listening time: 21 minutes Hosted by: Holly Grace Williams...
2020-01-30
21 min
Hacked Off
045. Pauline Norstrom: Who's Watching You?
According to the BSIA's report on CCTV surveillance, there are approximately 6 million cameras in the UK. But who owns these cameras, and how is the data being stored and used? Pauline Norstrom, the Founder & CEO of a boutique consultancy focusing on technology for video surveillance, joins us to discuss facial recognition and the future of AI in the industry. Key points: 0’22 Guest introduction 3’50 The picture is not clear - how many CCTV surveillance cameras in the UK?* 5’48 The concerns of facial recognition 15’02 The benefits of video surveillance 16’00 The future of AI for video surveillance 26’10 How AI is applied in business 29’05 How AI will af...
2020-01-23
37 min
Hacked Off
044. Jenny Radcliffe: Hacking the Human
We are kicking off our new season of the Hacked Off podcast with an interview with Jenny Radcliffe, Founder & Director of Human Factor Security. Jenny speaks to Secarma’s Technical Director Holly Grace Williams, about the fascinating world of social engineering. 0’26 Guest introduction 6’05 Where companies should start with social engineering 9’32 Exploiting the pattern of life 10’56 The importance of pre-engagement research 14’07 Stumbling across other hackers! 18’19 The aim of a physical access test 32’25 Tricks of the trade 47’48 What happens after an engagement Download on iTunes: apple.co/2Ji61Ek Listening time: 60 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma Guest: Jenny Radcliffe, F...
2020-01-16
59 min
Hacked Off
043. Month in Review - Nov ' 19: The Disney Plus hack
Catch up on November's cybersecurity news with our month in review. From the Labour Party DDoS attack to the phishing attack on the new Disney Plus streaming service, Holly Grace Williams discusses the importance of balancing user experience and security. 0'32 Cybersecurity highlights of November 1'05 The Labour Party DDoS attack 7'23 The Disney Plus hack 9'46 Password managers 11'48 Balancing user experience and security Download on iTunes: apple.co/2Ji61Ek Listening time: 16 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma
2019-11-28
16 min
Hacked Off
042. Do Pentesters ever Uncover Data Breaches?
'When you're doing a penetration test, do you ever find hackers?' After receiving this question a few times recently, our Technical Director Holly Grace Williams discusses how likely it is for a pentester to discover that an organisation has been breached, and how to deal with this situation. Key points: 1'10 What a pentester will do when they discover a breach 1'46 The signs of a breach 3'05 Different ways companies have discovered breaches 7'55 What action to take after discovering you've been compromised 11'44 Creating an Incident Response Plan Download on iTunes: apple.co/2Ji61Ek Listening time: 16...
2019-11-21
16 min
Hacked Off
041. Cybersecurity for Black Friday, Cyber Monday & Christmas
With Black Friday and Cyber Monday only round the corner, Holly Grace Williams talks about cybersecurity during busy retail periods from both a consumer and retailer's point of view. Here's what to keep an eye out for and how to stay safe! 1'49 The NCSC's guidance for Black Friday. 2'47 The kind of phishing attacks consumers need to keep an eye out for. 9'44 Attackers aren't always after your credit card details 10'57 Cybersecurity for retailers around busy retail seasons 12'51 Why your website might be targeted by a DDoS attack. 15'59 Creating an Incident Response Plan 17'20 Security testing...
2019-11-14
20 min
Hacked Off
040. Password Managers vs Multi-Factor Authentication
After running a poll on Twitter earlier in the year asking "Is SMS based multi-factor authentication better than no multi-factor authentication or should it never be used?", Holly Grace Williams discusses the pros and cons of password managers and multi-factor authentication. Key points: 1'15 How password managers work 2'21 The concerns with password managers 4'00 Weighing up the risk 6'29 Two-factor authentication 10'10 Two-factor authentication vs two-step authentication 13'00 Google's research: How effective is basic account hygiene at preventing hijacking What are your thoughts on password managers and multi-factor authentication? Let us know on Twitter @secarma! Download on iTunes: apple...
2019-11-07
19 min
Hacked Off
039. A Month in Review (Oct '19): The NordVPN Server Breach
There have been a lot of security breaches this month, with NordVPN, Avast and Adobe all falling victim to cyber crime. Holly Grace Williams takes a look at NordVPN's server breach, what we can learn from it, and then discusses why you might want to choose a Virtual Private Network. Key points: 1'03 The NordVPN breach 2'08 Why use a Virtual Private Network? 4'37 Which VPN should you use? 8'43 How NordVPN's breach has impacted the VPN conversation 11'19 What features to look for 13'30 Who is responsible when using a third party provider? 16'00 Summary Download on iTunes...
2019-10-31
18 min
Hacked Off
038. Catching a Hacker!
Our technical director, Holly Grace, speaks to Ian Murphy, the Co-Founder of LMNTRIX, about different ways of catching attackers, such as threat hunting, adversarial deception, and threat intelligence. Key Points: 0'32 Guest introduction 1'22 LMNTRIX 3'40 An over-reliance on logs 8'44 What is threat hunting? 11'10 Where do you start with threat hunting? 18'30 What is deception? 32'48 Machine learning and adversarial detection 42'20 The difference between the deep web and the dark web Download on iTunes: apple.co/2Ji61Ek Listening time: 54 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma Guest: Ian Murphy, Co-Founder of...
2019-10-24
54 min
Hacked Off
037. Cost vs Risk: Deciding how much to spend on security
How much should you spend on cybersecurity? Whilst there isn't a definitive or one-size-fits-all answer to this question, our Technical Director Holly Grace Williams takes a look at how to measure your risk to determine an answer suitable for your organisation. 0'39 According to statistics... 2'09 Estimating breach costs 6'19 Cybersecurity insurance 7'53 What's your cybersecurity maturity? 9'59 Threat modelling 13'13 What kind of security should you be investing in? Send us your cybersecurity budget questions or thoughts on Twitter @secarma! Useful links: Cybersecurity Maturity Assessment - https://www.secarma.com/services/cybersecurity-assessment/maturity-assessment.html Download on...
2019-10-17
17 min
Hacked Off
036. Common Cybersecurity Misconceptions
Secarma’s Technical Director Holly Grace Williams, is joined by Secarma’s People & Event manager Lucy Leaper, to discuss some of the most common cybersecurity misconceptions. From money concerns to the ‘it won’t happen to me’ attitude, Holly debunks certain cybersecurity beliefs, which may be leaving your organisation vulnerable. Key points: 1’00 “There’s no ROI with security testing” 5’39 “Cybersecurity isn’t my responsibility” 9’59 “My hosting provider covers our cybersecurity” 13’27 “It won’t happen to me” 20’24 “I’m secure, I’ve had a Pentest” 25’17 What’s the minimum a company can do to be secure? Which misconception do you most commonly hear? Let us know on Twitter @secarma! Downlo...
2019-10-10
31 min
Hacked Off
035. A month in review (Sept ’19): The New iPhone Vulnerability
Last month an iPhone bootrom exploit dubbed ‘checkm8’ was discovered by researcher axi0mX. This unpatchable vulnerability could give hackers access to iPhones but is it really something we need to be concerned about? 1’40 The new iPhone vulnerability 4’37 Discovering ‘checkm8’ and how it works 11’30 What we can learn from this vulnerability? 13’36 The price of vulnerabilities – bug bounties and brokers 20’53 Which iPhones are affected and how they’re affected 23’21 Is it really something we should be concerned about? What level of confidence do you have in mobile devices? Do you think mobile phones can be trusted? Let us know on Twitter @secarma! Download on iTu...
2019-10-01
25 min
Hacked Off
034. Propagating Malware
For those who missed The Future of Cyber Security in Manchester this week, our Technical Director Holly Grace Williams presents her talk on malicious software and how automation will increase the impact of malware attacks. She also discusses the conversation she had with the Q&A panel on cybersecurity insurance. Key points: 1'23 Malicious software hasn't really changed 2'06 A look back on some historical ransomware attacks 3'05 WannaCry 7'43 NotPetya 14'15 Should cyber insurance be mandatory? 19'20 Self propagating malware 23'37 SamSam Do you think cyber insurance should be mandatory? Let us know on Twitter @secarma! Download on iTunes: apple...
2019-09-26
25 min
Hacked Off
033. The New Cyber Resilience Centre
In the last 12 months, 822 cyber dependent crimes were reported into Greater Manchester Police, costing the victims £1.2 million. Neil Jones, the Detective Superintendent of GMP, is speaking to us today to raise awareness about his cyber investigation team and how they can support you after a cyber-attack. He also discusses how the new Cyber Resilience Centre, which is backed by GM police, can help support smaller businesses protect themselves from cyber-crime. Key Points: 0’52 What is The Cyber Resilience Centre? 2’44 Why cyber-crime reports are so low 6’34 The support you receive after reporting cyber-crime 11’52 Government backed cybersecurity products and services 19’10 Raising the awareness of the GM c...
2019-09-19
36 min
Hacked Off
031. A Month in Review (Aug ’19): Security Conference Controversy!
Introducing our new monthly podcast updating you with the latest cybersecurity news, we kick off ‘A Month in Review’ with some security conference controversy! Our Technical Director Holly Grace Williams discusses the BSides Twitter battle about corporate involvement and the controversial talk Crown Sterling presented at Blackhat. Key points: 1’00 The benefits of security conferences 4’29 The ‘Twitter battle’ about corporate involvement at BSides 11’17 Corporate sponsorship for corporate talks 13’34 A controversial "Sponsored Session" at BlackHat 22’26 Vetting sponsored talks and audience participation 23’49 The fallout following BlackHat's "Sponsored Sessions" 29’34 A very brief intro to Cryptography and Quantum How do you think conferences should handle corporate sponsorship...
2019-09-05
36 min
Hacked Off
030. Why Organisations Struggle with Security Basics
Some of the most common cybersecurity issues have been around for decades and whilst basic security practices can help protect organisations against these threats, businesses are still struggling to implement security basics. We talk phishing, patching and supply chain risk with the new Head of InfoSec at The University of Salford, Greg van der Gaast and why organisations need to be playing the long game when it comes to security. 0’22 Guest introduction 0’54 Why do companies struggle with security basics? 9’41 How to prioritise security 10’24 Phishing, patching and supply chain risk 34’16 Playing the long game 37’00 CISO certifications – are they worth it? 45’20 Security consistency 50’3...
2019-08-29
54 min
Hacked Off
029. Leveraging Cybersecurity to Boost Your SME
Cybersecurity isn’t just a barrier. If leveraged correctly, it can help to improve and grow your business. The Cyber Foundry project, a European regional development fund programme, has been designed to encourage and demonstrate to SMEs how to do just that. In this episode, we speak to the Project Manager at The University of Manchester, Brian Higgins, who runs us through delivering this unique initiative. We cover how businesses in all sectors are at risk of cyber crime, some common security problems, and how crime groups are operating like businesses themselves! Key points: 0’29 Guest introduction 0’46 Educating SMEs about security by des...
2019-08-22
44 min
Hacked Off
028. An Intro: Election Security
In 2016 it was reported that the Russian government targeted the US election system, and whilst there wasn’t any evidence that votes were tampered with, they could have changed data or even deleted voter registrations. With the start of the US presidential 2020 election campaigns, we take a look at why you’d want to hack an election and the pros and cons of online voting. Key points: 1’00 Why would you want to hack an election? 4’13 The challenges of online voting 8’34 The ‘public intrusion test’ on the Swiss Government’s voting system 15’02 The benefits of online voting 17’24 Electronic voting machines 22’32 The Mueller Report - Russian inter...
2019-08-15
32 min
Hacked Off
027. Getting a Cybersecurity Advisor
Ever wondered if you should be hiring a cybersecurity advisor or CISO, or whether the roles you currently have in place are right for your organisation? Mark Avery, Independent Cybersecurity Advisor, talks about the different CISO options, the pros and cons of these roles and how they can help support your organisation. He also discusses the challenges of the CISO role: how it is often misunderstood, resulting in demanding workloads and eventual burnout. Key points: 0’24 Guest Introduction 2’16 Understanding and implementing security foundations 4’00 How would an organisation know they need a cybersecurity advisor? 7’17 What scale of company needs a cybersecurity advisor...
2019-08-08
35 min
Hacked Off
026. The Benefits of Building a Peer Network in Cybersecurity
Book author, founder of the IN Security movement, and judge for numerous awards in business, books and security, Jane Frankland has worn many hats over her 22 years in cybersecurity. She talks with passion about her work with leaders and women in cybersecurity, helping them build enviable and impactful results, going from being burnt out and under-appreciated to being motivated, connected and sought after. Key points include: 0’41 Guest introduction 3’24 Burn out in security industry 6’23 The benefits of a peer network 13’24 The fear of putting yourself out there 19’14 The challenges of writing a book 29’48 Building a peer network 32’29 The IN Security Tribe 38’45 The challenges o...
2019-08-01
47 min
Hacked Off
025. The Misconceptions of the British Airways Breach
Whilst the British Airways breach of 2018 is 'old news', it has been brought to the forefront of everyone's mind with the recent announcement that they face a record-breaking GDPR fine of £183 million. Secarma's Technical Director discusses what we know about the BA breach, the misconceptions over what may have happened, and the remediation steps you can take after a data breach. 2'25 - What happened to British Airways? 13’31 - Attack misconceptions 15’51 - Have there been similar attacks? 21'45 - Can you remove third party scripts? If not what should you do? 22’27 - Are you using Content Security Policy and Sub Res...
2019-07-25
28 min
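The two controls the episode closes on, Content Security Policy and Subresource Integrity, are easy to name and easy to get subtly wrong, so here is what each actually checks. This example is added here and is not code from the podcast or from Secarma: it computes the SRI `integrity` value for a script the way a build step would, re-implements the browser's verification so the failure case is visible, and assembles a CSP header. The script bodies, the host `cdn.example` and the tag builder are constructed for illustration.

```python
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Produce an SRI token: '<algo>-<base64 digest>' over the exact bytes served."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Mimic the browser check. The attribute may carry several space-separated
    tokens; the resource loads if the fetched bytes match any recognised one.
    Unknown algorithms are ignored, so an attribute made only of unknown
    tokens would be treated as absent by a browser; we return False here to
    make that case visible rather than silently pass it."""
    matched_any = False
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo not in SRI_ALGORITHMS:
            continue
        if sri_hash(content, algo) == token:
            matched_any = True
    return matched_any


def script_tag(src: str, content: bytes) -> str:
    """Build the tag a page would embed. crossorigin is required for SRI on
    cross-origin scripts, otherwise the browser cannot read the body to hash it."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(allowed_script_hosts) -> str:
    """A CSP that limits where scripts may be loaded from. This bounds which
    hosts can supply code; it does not detect a modified file on an allowed host."""
    hosts = " ".join(allowed_script_hosts)
    return ("Content-Security-Policy: default-src 'self'; "
            f"script-src 'self' {hosts}; object-src 'none'")


# Constructed sample: the third-party script as reviewed, and the same file
# with one line appended by someone who gained write access to the host.
ORIGINAL = b"function initPaymentForm(form) { /* constructed sample */ }\n"
TAMPERED = ORIGINAL + b"// one extra line appended by an attacker\n"


def demo():
    """Returns (original passes SRI, tampered passes SRI, CSP header)."""
    pinned = sri_hash(ORIGINAL)
    return (sri_verify(ORIGINAL, pinned),
            sri_verify(TAMPERED, pinned),
            csp_header(["https://cdn.example"]))


if __name__ == "__main__":
    print(script_tag("https://cdn.example/payment.js", ORIGINAL))
    for line in demo():
        print(line)
```

The caveat a practitioner needs: SRI pins exact bytes, so it fails closed when the third party changes the file for legitimate reasons, and it cannot be applied at all to scripts that are meant to change (tag managers, A/B tooling). CSP on its own is weaker against this class of attack, because the allowed host is precisely the one being tampered with; its value is in stopping the modified script from talking to a host you never listed, which is why `connect-src` and `form-action` deserve the same attention as `script-src`.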
Hacked Off
024: Security in the ‘good old days’ and the future of the CISO role
Mike Koss, Head of Security and Risk at N Brown Group, reminisces about the ‘good old days’ when security was just a hobbyist thing, his career in IT security, and how he believes the CISO role should be developed into a business position and a separate technical position. Key points include: 0’30 Guest introduction 1’38 IT security in retail 11’21 Security relationships with the board 14’37 When security was just a hobbyist thing! 24’13 The pros and cons of bug bounties 30’16 Capture The Flag vs testing in the ‘real world’ 43’43 Should CISOs have a technical degree or a business degree? The future is a CTSO role...
2019-07-18
59 min
Hacked Off
023. The different challenges of the CISO role
Secarma’s Technical Director Holly Grace Williams speaks to Mo Ahddoud, Security Consultant and interim CISO, about his vast experience in the cybersecurity industry. They cover everything from the difference between a Security Manager and CISO role, the benefits of working with start-ups, and a little bit about his experience working with critical infrastructure. 0’49 Guest introduction 1’50 The Security Manager role vs the CISO role 4’06 The CISO role in different sectors 10’04 How to separate the snake oil from the useful technology 13’41 The benefits of working with start-up sized vendors 22’40 Tailoring vendor offerings 30’08 To patch or not to patch 36’25 The supply chain risk 46’34 T...
2019-07-11
54 min
Hacked Off
022. Certifications and Upskilling in Cybersecurity & IT
We talk to Zeshan Sattar, Director of Learning & Skills Certification at CompTIA, about how organisations like CompTIA can help people not only in getting certified, but reskilling, upskilling and networking within IT and Cybersecurity. 1’53 What is CompTIA? 6’00 Developing the exams with industry experts 8’24 Continuing professional development with certifications 13’56 Who are these certifications for and where do you start? 18’36 What is a BETA exam? 22’56 CompTIA isn’t just exams! How they help you reskill or upskill. 33’43 The CompTIA Certification Roadmap – choosing the right certification for your role and level 38’24 It’s all about community and networking! Useful links: CompTIA Certification Roadmap - https://certificatio...
2019-07-04
42 min
Hacked Off
021. Thomas Ballin: The Evolution of Penetration Testing
We talk to Senior Security Consultant Thomas Ballin, on what he thinks are the major facets of red team engagements, how they can differ by provider or scenario, and how he thinks they might evolve over time. 0’32 Thomas’ unconventional route into the cybersecurity industry and his role at Secarma 4’31 The many ‘definitions’ of penetration testing 7’30 The benefits of red teaming and where to start 15’02 The race between attack and defence 20’15 Debriefing after a red team 26’00 The future of red teaming 31’31 What you should do after a red team 37’47 The infrastructure that’s used for red team engagement 41’00 How to become a red teamer! Download on...
2019-06-27
47 min
Hacked Off
020. Malicious Software – Past, Present & Future
We take a look at the history of malicious software, some of the oldest known attacks and how it has changed over the years. Holly also speaks about her own personal experience of the 2017 NotPetya attack and predicts what the future holds for malicious software attacks. It doesn’t look good… 1’22 Different types of malicious software 5’33 The oldest known malware attacks 12’13 Dealing with the NotPetya attack 16’14 Automated propagation 19’24 Manual propagation 20’24 The future of malware 21’47 Why anti-malware isn’t perfect Download on iTunes: apple.co/2Ji61Ek Listening time: 33 minutes For more information, follow us on Twitter @secarma or @secarmalabs or email us at podcast...
2019-06-20
33 min
Hacked Off
019. Cybersecurity Maturity Assessments
We share the talk we presented at UKFast’s recent Cybersecurity 101 workshop, in a little more detail, discussing where companies should start with cybersecurity and how they can be comfortable that they have covered a broad enough area of security to be safe. 1’41 What is Cyber Essentials and is it right for your company? 5’57 Risk management – building a security culture and getting the board involved 10’39 Security protections – what you can do yourself and when to get a third party involved 19’43 Incident detection – alert generation, automatic monitoring and training the team 27’57 Minimising impact – response testing and planning, root cause analysis and backups Download on...
2019-06-13
38 min
Hacked Off
018. Your Security Awareness Training isn't Working
Just 27% of businesses in the UK reported that staff had attended internal or external training on cybersecurity in the last 12 months* and more often than not, what is being taught is either incomplete or no longer relevant. This talk, which our Technical Director Holly Grace Williams presented at InfoSecurity Europe, discusses the miseducation of cybersecurity aspects such as physical security, phishing and malicious websites and why trying to oversimplify security is a part of the problem. Key points: 2’11 Physical access isn’t just tailgating 10’02 ‘Diffused responsibility’ lowers the chance of a challenge 16’49 Phishing isn’t just emails 19’15 HTTPS doesn’t stop phishing 21’1...
2019-06-06
36 min
Hacked Off
017. Equifax Breach: The Inside Story
In 2017 Equifax, one of the largest credit agencies in the world, became the victim of a major breach resulting in over 150 million records being stolen. In this podcast we speak to Graeme Payne, the CIO of Equifax during their breach about the lessons learnt and his personal experience. 0’48 Graeme Payne, guest introduction 3’48 The timeline of the Equifax breach 6’47 How incident planning can help businesses be better prepared for a breach 10’13 Announcing a breach – The lessons learnt from disclosing a major hack 16’04 How do you get the board more interested in security? 19’14 Is there a benefit for organisations to have a CISO? 26’03 Ho...
2019-05-30
43 min
Hacked Off
016. An Intro: A Checklist for Security
Looking to take the first steps to ensuring your business is secure but not sure where to start? Holly Grace takes a fresh look at some basic, fundamental security steps that every business should be adopting. Highlights include: 0’53 Software updates 2’08 Passwords 4’06 Network Segmentation 5’40 Manage out of band 6’26 If you don’t need it, disable it! 8’58 Pre-shared keys 10’09 Network access control 11’15 Credential stuffing 12’50 Restrict user input 15’01 Trust but verify! Download on iTunes: apple.co/2Ji61Ek Listening time: 19 minutes For more information, follow us on Twitter @secarma or @secarmalabs or email us at podcast@secarma.com Hosted by: Holly Grace Williams, Technical Director at
2019-05-23
18 min
Hacked Off
015. An Intro: The Stages of Penetration Testing
We’ve previously discussed the difference between Penetration Testing and Red Teaming, so in this episode we delve a little deeper into the different stages of PenTesting. For organisations who are considering this security assessment, it is an excellent starting point to better understand the process. The discussion includes: 2’00 What is a Penetration Test? 3’02 How is it performed? 5’03 An example of a vulnerability: SQL Injection 6’52 What kind of vulnerabilities do we look for? The OWASP top ten* 8’07 What we do when we find a vulnerability 11’50 Reporting after a penetration test *https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Down...
2019-05-16
15 min
Hacked Off
014. An Intro: Hardware Hacking
The ‘Internet of Things’ is evolving fast and more and more companies are seeing the value it can bring by increasing business productivity and efficiency. However, adding IoT devices to a company can increase security vulnerabilities in a way that businesses might not have considered. We take a look at hardware hacking as an aspect of penetration testing and how IoT can affect an organisation's security. Key points discussed include: 0’28 Hardware hacking as an aspect of penetration testing 2’31 How you perform hardware testing 07’05 Why should your company be concerned about hardware hacking? 8’58 How is this different to traditional testing? Download on iTunes: a...
2019-05-09
11 min
Hacked Off
013. An Intro: Cloud Security Testing
Cloud computing offers many benefits, such as scalability and elasticity; but with new technologies and terminologies some companies worry about the security implications. In this week's episode Holly Grace gives us an intro to Cloud Security Testing perspectives. Here's what she covers: 0’52 Perspectives when looking at Cloud hosted systems 3’15 Where are things the same? 4’41 Where do we start in terms of Cloud security? 6’10 What should we have tested? 6’38 When Cloud has gone wrong! NCSC Cloud Security Guidance: https://www.ncsc.gov.uk/collection/cloud-security Download on iTunes: apple.co/2Ji61Ek Listening time: 11 minutes For more information, follow us on Twitter @se...
2019-05-02
10 min
Hacked Off
012. An Intro: Is a bug bounty program right for your business?
In 2018 it was reported that there had been a 36% increase in total bug bounty payouts*, but does this mean this kind of security testing is best for your business? We take a look at the pros and cons of bug bounty programs and how it compares to penetration testing. Key points include: 1’13 A brief definition of penetration testing and bug bounties 1’53 How the costing works 3’05 The difference between a penetration test and a bug bounty 6’46 The difficulty with reporting bug bounties 7’42 The negatives and positives of the output of both pen testing and bug bounties 9’36 The time Uber was held to ransom by...
2019-04-25
16 min
Hacked Off
011. An Intro: Social Engineering and Physical Access
Security risks aren’t always found through vulnerability scanning and hacking. Holly Grace talks us through how physical access testing and social engineering can be used to demonstrate security risks in a target organisation. This introduction to social engineering talks about how these assessments are performed and their benefits, through some funny on-the-job stories. 1’43 What is social engineering? 3’25 Three common Phishing attacks 7’00 Training staff to recognise the signs of social engineering 15’40 What is physical access? 17’13 How physical access assessments are performed 28’18 The time Holly got stopped by a security guard! Download on iTunes: apple.co/2Ji61Ek Listening time: 32 minutes For mo...
2019-04-18
32 min
Hacked Off
010. An Intro: Becoming a Penetration Tester
We’re often asked about the career pathway to becoming an ethical hacker, or penetration tester. So, we thought it would be best to let a current penetration tester share her thoughts on working in the industry. Whether you’re interested in penetration testing, computer science or security in general, Holly Grace's intro to becoming a penetration tester is packed full of tips you can use when getting started in cybersecurity. 1’00 What is a penetration tester? 1’35 What makes a good candidate? 4’10 Paths into pentesting. 5’00 Practising pentesting 6’36 Do I need programming skills? 7’30 The benefits of attending security conferences 8’36 Exams and certifications Useful links: Damn...
2019-04-11
11 min
Hacked Off
009. An Intro: Penetration Testing vs Red Teaming
You’ve probably heard of the terms ‘penetration testing’ and ‘red teaming’, but are you clear about what they really mean? Our Principal Security Consultant, Holly Grace Williams, talks us through the difference between these two security tests, elaborating why you’d choose them, how they work and the benefits of each one. 1’44 What is penetration testing? 3’55 What is a Red Team engagement? 7’42 Summary Download on iTunes: apple.co/2li61Ek Listening time: 9 minutes For more information, follow us on Twitter @secarma or @secarmalabs or email us at podcast@secarma.com Hosted by: Holly Grace Williams, Technical Director at Secarma
2019-04-04
08 min
Hacked Off
008. Software Development and Security
When it comes to software security, prevention is always better than cure. Design flaws can open the door to breaches from the outset and result in millions of pounds worth of losses. It’s vital to have security principles running through the whole software development lifecycle. To discuss this in more detail we spoke to Adrian Thompson, a Consultant Software Engineer and Chair of the British Computer Society (Preston Branch), about the importance of security in software development. He tells the story of how he got interested in security, after an attempted hack on one of his client’s databases. 0’50 From A...
2019-03-28
35 min
Hacked Off
007. Fighting Fraud
In 2016 financial fraud losses totalled £768.8 million*. With the ever-growing risk of cybercrime, what can we do as individuals and as a business to reduce the risk to ourselves and others? Jennie Williams, Cyber Protect Officer for the North West Regional Organised Crime Unit (NWROCU) talks to us about how making small changes and taking simple steps towards cybersecurity can make all the difference. Key points include: 3’00 – Joining the high-tech crime unit 11’22 – What to do with your device if you’re a victim of cybercrime 16’30 – Recruiting and training Cyber Special police officers 18’00 – Phishing and fraud 21’00 – Reporting fraud and cybercrime 23’18 – Combating indecent images 31’27 – The ‘Take Fi...
2019-03-21
42 min
Hacked Off
006. An Education in Cybersecurity
Some say education is the most powerful weapon which you can use to change the world, so we brought together two of the most influential educators in cybersecurity. Manchester University’s Academic Cybersecurity Lead and overall cyber enthusiast, Dr Daniel Gideon Dresner, BSc (Hons), FInstISP and our very own Head of Education at Secarma, Paul Mason to discuss all things cyber. From Danny’s first memories of ‘computers’, to finding his first job, learning technical skills, developing frameworks for the government and what’s next in bridging the skills gap. Paul hears what many students, educators, all the way up to CEOs will...
2019-03-14
48 min
Hacked Off
005. Securing the Public Sector
The risk of a cybersecurity attack on the UK’s critical infrastructure, like the one that hit Ukraine’s energy grid in 2015 and 2016, is growing. With the threat landscape constantly evolving it’s vital for public sector organisations to adopt a robust approach to defending key targets from cyber-attacks. In this episode Paul speaks with Stephen Jewell, Director of UKFast Public Sector, which has worked with Government departments and private industry partners for more than 18 years. Some of the topics of discussion include: 3’00 Why it’s important to understand the potential damage of a security breach. 7’30 How to make individuals more securit...
2018-12-20
32 min
Hacked Off
004. Becoming an Ethical Hacker
The cybersecurity industry is working hard to close the skills gap. But, with increasing advancements in technology and a continuously rising number of attacks, the gap is widening. It’s predicted that, by 2022, there will be a shortage of 1.8 million workers in the information security sector. Paul is joined by Gordon, a senior consultant at Secarma, to discuss his path into cybersecurity. Warning – he doesn’t take a direct route! If you're short on time here are some of the key points: 2'46 Hours lost to Command and Conquer! 21'23 What is EternalBlue? 23'41 Metasploit: What type o...
2018-12-06
39 min
Hacked Off
003. Locked Out: The Diversity Challenge
Today, women make up 20% of the global cybersecurity workforce. That figure has increased from 11% in 2013, but the numbers are still desperately low. So, why does cybersecurity have such a gender problem? To discuss the issue of diversity in cyber and how to encourage more women into the industry, Paul is joined by Noha Amin, Information Security Awareness Manager at TalkTalk. The key points: 3’00 The main problems with communicating cybersecurity issues with non-technical staff. 12’20 The challenges of being a woman in cybersecurity. 17’50 How does the industry move away from the image of ‘white men in hoodies eating pizza’? 20’35 Why a healthy business eco...
2018-11-22
25 min
Hacked Off
002. Are your employees opening the door to cyber criminals?
Cyber criminals are constantly looking to exploit the weakest link in your chain. Using social engineering, they’re targeting employees, looking to abuse their trust and willingness to help, in order to gain access to sensitive information. Paul Mason is joined by Edward Whittingham, founder of the British Fraud Prevention Partnership (BFPP), to understand how companies can best get to grips with the security risk posed by their staff. Some of the key points of discussion are: 1’48 – The obstacles around staff training 5’00 – What is phishing? 13’37 – The difference between phishing and spear phishing 22’28 – Cybercrime in policing 31’08 – How do you make your employees your stronge...
2018-11-01
36 min
Hacked Off
001: Why it’s never a good idea to reuse passwords
When it comes to cybersecurity, can you believe everything you read in the news? In the opening episode of Hacked Off, Paul Mason and David Quinn dissect the recent Superdrug breach. They explore how the breach was reported by the media and delve a little deeper to uncover the real takeaway lessons that need to be learned. The discussion then moves on to the issue of password security. What makes a strong password? How can people effectively manage their passwords? There’s even the discussion of what happens to your accounts after you die. It’s more cheery than it soun...
2018-10-15
25 min