Hacked Off

Hacked Off demystifies the world of cybersecurity. Hosted by Secarma's Managing Director, Holly Grace Williams, it features weekly interviews delving beneath the headlines of the latest hacks, breaches and vulnerabilities, providing expert advice on how to stay safe online. This podcast is brought to you by global cybersecurity and penetration testing company, Secarma.

Episodes

078. Alyssa Miller: Threat Modelling and DevSecOps

Threat modelling is broader than just security, and DevSecOps is more than just secure code. Application Security Advocate Alyssa Miller talks passionately about the importance of a collaborative approach to security, where building a culture of working efficiently and understanding security as you go can help with getting ahead of the game. 0'22 Alyssa Miller - the Application Security Advocate 2'20 What is threat modelling? 4'32 Where do you begin with threat modelling? 9'45 Continuous imp...

Oct 22, 2020 · 39 min

077. Keeping Mobile Devices Secure

Mobile Device Management increases security, reduces risk and plays an important role in Government-certified assurance models. Holly Grace discusses the role of device management for Cyber Essentials, and the challenges that come with employees using their own devices at work. Key points: 1'08 What is Mobile Device Management (MDM)? 3'05 Device Management for Cyber Essentials 8'27 Bring your own device (BYOD) 11'30 Passwords, passcodes and PIN numbers Listening Time: 14 minutes Hosted by: Holl...

Oct 15, 2020 · 14 min

076. Joe Thorpe: Hacking Mobile Apps

We speak to our co-worker and Senior Security Consultant at Secarma, Joe Thorpe, who specialises in app testing. He gives us the lowdown on hacking mobile apps, how they're similar to web apps, which vulnerabilities are most common and how to choose the right testing for your mobile app. Key points: 0'43 What is mobile application testing? 3'43 Similarities to web application testing 4'49 Finding vulnerabilities in mobile apps 7'21 Hacking mobile apps with Frida and bypassing root detection ...

Oct 08, 2020 · 17 min

075. Month in Review: Cyber Attacks aren't always Financially Motivated!

In September's Month in Review, Holly Grace is delighted to announce that this month's hacks aren't all about ransomware! From political motivation to notoriety, she discusses the different kinds of motive a hacker may have, and the kinds of attack they might use to get what they want. Key Points: 0'55 Financially Motivated: KuCoin Hack 3'07 Insider Threat: AT&T Hack 7'09 Politically Motivated: Op Payback 12'00 Different types of attacks Listening Time: 16 minutes Hosted by: Holly Grace Wil...

Oct 01, 2020 · 16 min

074. Martin Lethbridge: There’s more to Firewalls than Blocking Packets

There's more to firewalls than simply installing them and leaving them to it! WatchGuard's Senior Sales Engineer Martin Lethbridge joins Holly Grace Williams to discuss common firewall misconceptions, and how to get the most out of your firewall to ensure your organisation is safe. 0'22 Guest introduction 2'10 Firewall misconceptions - they aren't just for your network perimeter 6'52 Protecting your laptop on 'dirty networks' - working from home or remotely 11'59 Security vs convenience 17'43 T...

Sep 24, 2020 · 58 min

073. Vulnerabilities in Firewalls

Although perimeter-breaking vulnerabilities are quite rare, they're certainly not unheard of - firewalls aren't perfect systems and they can have vulnerabilities too. In this week's episode, Holly Grace looks at some previous critical vulnerabilities in firewalls and tries to highlight some key lessons learned. 4'37 The firewall vulnerability 'BENIGNCERTAIN' 7'22 Protecting your organisation against threat actors gaining internal network access 10'47 How to protect the firewall interface Useful link: ...

Sep 17, 2020 · 15 min

072. An Intro: Firewall Security

Our latest 'Intro' podcast takes a look at Firewall Security. Holly discusses different types of firewalls, the importance of network segmentation and Firewall Configuration Security Reviews, and how firewalls are targeted during a pentest. 1'30 How are firewalls targeted during a Penetration Test? 8'29 Network segmentation 11'08 How threat actors jump between networks 13'56 Next Generation Firewalls 19'14 Web Application Firewalls Useful links: Firewall Configuration Security Review - http...

Sep 10, 2020 · 24 min

071. Month In Review: Bribery & Bug Bounties

From bribery to bug bounties! In August's Month in Review podcast, Holly Grace discusses the failed social engineering attack on a Tesla employee, and the uproar off the back of Slack's minimal payout to a researcher for a critical security bug. Key points: 1'20 The failed social engineering attack against Tesla 3'05 How to test your organisation against bribery 8'21 Critical security bug discovered through Slack's bug bounty program 10'06 How much is a bug worth? Let us know your thoughts on th...

Sep 03, 2020 · 15 min

070. How Vulnerability Scanners Work

Whilst Secarma performs Penetration Testing, which is an in-depth approach to security testing, organisations can get additional assurance through ongoing automated security scanning. Nick Blundell, AppCheck's Head of R&D, joins us on our podcast to discuss how vulnerability scanners work, their pros and cons, and how they complement Penetration Testing to achieve a balance of depth and frequency. 0'20 Nick's background 2'00 How do you map web applications? 4'52 How do scanners work? 22'29 Making scann...

Aug 27, 2020 · 1 hr 6 min

069. An Introduction to the OWASP Top 10

The OWASP Top 10 is a list of the 10 most common web application vulnerabilities. This podcast provides an introduction to this awareness document, and why it's so beneficial to organisations and their journey to better security. Key Points: 1'00 Who are the Open Web Application Security Project? 2'18 What is the OWASP Top 10? 7'55 The current OWASP Top 10 list 9'04 Why it's such a useful document 10'19 Other 'Top 10' lists 11'27 The OWASP Top 10 isn't the be all and end all! Listening time: 17 ...

Aug 20, 2020 · 18 min

068. An Intro: Vulnerability Scanning

This podcast provides an excellent introduction to vulnerability scanning, covering how it works and what it tests. It discusses the benefits of vulnerability scanning and how, alongside penetration testing, it can provide an organisation with a more continuous testing model. Key points: 1'34 What is vulnerability scanning? 2'16 What does vulnerability scanning test? 9'09 How a scanner grades a vulnerability 11'47 Pentesting v vulnerability scanning 14'40 The benefits of vulnerability scanning 24'09...

Aug 13, 2020 · 26 min

067. Month in Review: Data Stolen and Ransoms Paid

In July it was revealed that travel company CWT paid $4.5 million in ransom to cyber criminals. Whilst shocking, ransomware is unfortunately neither new nor uncommon. Secarma's MD, Holly Grace Williams, discusses why ransomware is such a popular option for cyber criminals and how companies can prepare for potential attacks with incident response training. Key Points: 1'05 Paying ransoms 2'00 Why is it always ransomware? 2'40 CWT's ransom negotiation conversation 5'15 Incident response training f...

Aug 06, 2020 · 18 min

066. Encryption isn't Magic

After a brief break, the Hacked Off Podcast is back! If you missed our MD's Trusted Tech Talks webinar last week, Holly Grace Williams summarises the key points of her presentation, Encryption isn't Magic: Hackers Can Break It. She discusses why encryption is a little more complex than being on or off, and the importance of configuring it correctly. Key points: 0'33 Introduction 4'20 Cryptography lasts a long time 7'44 Grading cryptographic weaknesses 11'30 How quickly can you crack passwords and ...

Jul 30, 2020 · 28 min

065. PenTesting: Efficiency vs Realism

In today's episode we talk about penetration testing realism versus efficiency, and why a security test that exactly matches the options available to criminals isn't always possible, and isn't always desirable either. It's all about the context. Key points: 1'05 The motivation behind an assessment is key 2'10 When realism is key 3'45 When total realism isn't possible 8'40 Technique-orientated vs goal-orientated 14'40 Fix the fundamentals first Listening time: 19 mi...

Jun 18, 2020 · 19 min

064. Mike Jones: Privacy and OpSec

Privacy is a right and it is important to protect that right, but operational security is hard. Mike Jones joins us again to talk all things OpSec, and we cover some things to check to make sure your privacy is protected. Key Points: 1'30 Why is Privacy important? 4'20 Photos, GPS and Geotagging 10'15 Social Media settings 12'15 Removable Media 14'15 Communications security and Leaks 18'00 Privacy and Adult Entertainment 24'30 Balancing operational security and convenience 29'00 Cleaning up Data ...

Jun 11, 2020 · 46 min

063. Incentivising the Security Team

In today's episode we talk about incentivising your Security Team and making sure that the defensive team are getting praise for a job well done, as well as noting that the red team's job isn't over when they find a high-impact vulnerability. Key Points: 0'49 There's more to staff retention than bonuses 1'40 The problem of the romanticisation of the red team 3'30 Measuring progress in security improvement 4'25 Purple Teaming may help reduce the gap 11'00 Empowering the defensive team 15'15 Measu...

Jun 04, 2020 · 18 min

062. Adam Louca: Cutting Through Vendor Noise

Adam Louca joins us today to talk about how to get the most out of security products, and how to cut through the marketing to find out what works for you! Key Points: 0'30 What is a technologist? 2'05 Why do we have to cut through vendor noise? 4'21 How you can determine the truth of products 9'25 Planning for the unknown 12'00 How to know products are working 19'50 Network segmentation, antivirus, and other specifics 22'40 Gaining internal visibility 31'00 Blame: Users vs Products 34'00 The Sec...

May 28, 2020 · 42 min

061. Kevin Fielder: Building Security, Teams, and Culture

Kevin Fielder joins us today to discuss building security and building security teams. We talk risk appetite, balancing likelihood and impact, and team culture! 1'20 Where to start 4'00 Risk Appetite and moving quickly 11'13 Balancing appetite, likelihood and impact 15'15 Keeping the security team happy 18'45 Team Culture 25'45 Team Development and building Careers 38'25 How DevOps affects building security 48'12 Handling staff retention Listening Time: 54 minutes Hosted by: Holly Grace Williams...

May 14, 2020 · 53 min

060. Security Strategy

Today we have Marc Avery, Kevin Fielder, and Sean Atkinson discussing how to build a business security strategy. We talk about cyber insurance, operational security, and building security in companies, with detours to talk about Equifax getting hit by Hurricane Irma, the problems of working from home, and company culture. Key Points: 01'00 Guest Introductions 05'10 The security risk of the new baseline 15'00 Real-world attacks vs Click-bait News 18'22 Security Awareness Training for the ...

May 07, 2020 · 1 hr

059. Mike Jones: Anonymous, Suits, and Building Better Security

Mike Jones is a former member of Anonymous and a former confidential informant, and is here to talk about building better security. We talk about everything from Cyber Prevent programmes that help people avoid becoming cyber criminals, to becoming a better penetration tester. 01'12 Working with Anonymous 03'25 Meeting with the Suits 04'18 Working as a Confidential Informant 16'50 A hacker's impression of the legal system 20'40 Cyber Prevent Programme 25'50 Developing PenTesting Skills 32'20 Covering u...

Apr 30, 2020 · 44 min

058. Starting Security From Scratch

Many security guides out there presume that you're implementing security on an existing system or an existing product: looking at what has been missed and improving things incrementally - but what if you're building something completely new? If it's a new product or a new company, things can be different. When you're struggling with security, many experts will tell you that you should have started sooner - but where exactly do you start? You can't PenTest a product before you've written your first...

Apr 23, 2020 · 25 min

057. Lockdown: Final

In this episode we follow up on recent news events including the Travelex ransom payment, fraud linked to Covid-19, and US-CERT guidance on the cyber risks from North Korea - plus Secarma announces a Charity Support Fund. Key Points: 2'45 Travelex: Paying the Ransom 4'28 Business Continuity and Getting Through Lockdown 5'25 FTC report on Covid-19 Fraud 8'35 Blurring nation states and organised crime 11'10 Cryptojacking Attacks and the ICO 13'33 Extortion Campaigns 16'43 Charity Support Fund Links...

Apr 16, 2020 · 19 min

056. Lockdown: Part 3

We look into the importance of protecting user privacy and the difficulty of anonymising data - both in regard to COVID-19 and more broadly for businesses. Key Points: 0'45 The benefits of location tracking 3'15 The risks of location tracking 6'36 Reducing risk through pseudonymisation 10'07 The risk of sharing data 12'00 Balancing benefit and protection 14'10 The 5 Data protection questions Listening time: 20 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma

Apr 09, 2020 · 20 min

055. Lockdown: Part 2

In Lockdown Episode 2 we're talking about video conferencing vulnerabilities, staff complacency, and security awareness risks brought on by job role changes. Key Points: 2'00 Zoom under security researcher scrutiny 6'03 Stealing passwords from video-conferences 9'30 Network architecture and working from home 13'05 Staff complacency and risk 14'35 Job role changes and risk 16'12 Attack surface reduction Listening time: 18 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma

Apr 02, 2020 · 18 min

054. Lockdown: Part 1

For this episode we're starting a new mini-series investigating how recent news events are impacting companies; in part 1 we're looking at performing effective internal infrastructure tests remotely. Key points: 5'08 Assessing VPN security 6'41 Differences with remote testing 8'30 Our Virtual Onsite Testing (VOT) Solution 9'30 Hackers hacking home WiFi 11'00 Making remote-internal testing effective Download on iTunes: apple.co/2Ji61Ek Listening time: 13 minutes Hosted by: Holly Grace Williams,...

Mar 26, 2020 · 13 min

053. COVID-19: The Impact on Your Business

What do you do when a pandemic hits and you are forced to send your entire workforce to work from home? Is your business ready for the technical and security risks that come with that? What have you missed? COVID-19 is presenting organisations with new challenges and testing their business continuity plans. Holly Grace Williams talks about these challenges and a few things you may not have already considered. 1'58 The challenges of working from home 8'43 The perfect time to be hacked 10'27 Phis...

Mar 19, 2020 · 19 min

052. An Intro: Wireless Security

Secarma's Technical Director, Holly Grace Williams, discusses how threat actors could bypass your wireless security through guest WiFi, pre-shared keys, or even enterprise wireless security. She talks about the benefits of network segmentation and how your networks may not be as separate as you think! Key Points: 1'20 Network segmentation 3'38 Technologies to protect wireless networks 5'56 Open wireless networks 11'12 Pre-shared keys (PSK) 13'12 Cracking hashes 19'57 Enterprise security Download ...

Mar 12, 2020 · 27 min

051. The Truth about Cybersecurity Marketing Buzzwords!

There seems to be a colour for all the different types of cybersecurity team these days, but is there any value behind these marketing buzzwords, and what do they really mean? Holly Grace Williams takes us through the different 'team' definitions and how to look beyond their colourful names! Key Points: 1'41 The difference between penetration testing and red teaming 3'25 Red Teaming and Blue Teaming 4'13 Purple Teaming 9'04 White Teaming 9'56 Gold Teaming 11'19 Looking past the marketing buzzwor...

Mar 05, 2020 · 20 min

050. Month in Review: The Redcar and Cleveland Borough Breach

On Saturday 8th February 2020, Redcar & Cleveland Council was hit with what is thought to be ransomware. Holly Grace Williams discusses the wider impact of hacking a council, and the brand damage that can come from this kind of attack. Key points: 1'27 What happened to Redcar & Cleveland Council? 1'50 Do people really understand what ransomware is? 4'11 The timing of ransomware attacks 6'44 Why restoring from backup is not always as simple as it sounds 8'17 The wider impact of councils being h...

Feb 27, 2020 · 26 min

049. James Mckinlay: Why I turned antivirus off!

Is your antivirus working for you? It wasn't for James Mckinlay, the Group Information Security Officer at Barbican Insurance, so he made the controversial decision to switch it off! James discusses why he made this decision and the infrastructure he built to replace it. Key points: 1'18 The decision to turn off antivirus 2'35 Alternatives to antivirus 4'10 Application whitelisting 13'28 Cyber Essentials 16'53 To patch or not to patch 23'00 Other things we turned off 34'50 Not everyone should switch...

Feb 20, 2020 · 44 min