Podcast
Exploring Information Security - Exploring Information Security
Hosted by Timothy De Block · EN
The Exploring Information Security podcast interviews a different professional each week exploring topics, ideas, and disciplines within information security. Prepare to learn, explore, and grow your security mindset.
25episodes
Episodes
Newest firstAll episodes
[RERELEASE] What is the perception of information security - part 2
4w ago00:29:21Tap to summarizeIn the second episode of the refreshed edition of the Exploring Information Security (EIS) podcast (wow, that's a mouthful), I talk with Chris Maddalena about the perception of information security.Chris recently gave a talk on FUD at BSides Detroit and CircleCityCon this past Summer, prompting me to explore the topic of information security perception with him. I think perception is something very important to the infosec community, especially, now that it is becoming more relevant in the public eye.In part two of this two part series we talk about perception:Security can be a friendly face.The word hacker.Developers vs. security. What is the perception of information security - part 2 With Chris Maddalena [RSS Feed] [iTunes]
Transcribe →[RERELEASE] What is the perception of information security - part 1
Apr 2800:23:08Tap to summarizeIn the second episode of the refreshed edition of the Exploring Information Security (EIS) podcast (wow, that's a mouthful), I talk with Chris Maddalena about the perception of information security.Chris recently gave a talk on FUD at BSides Detroit and CircleCityCon this past Summer, prompting me to explore the topic of information security perception with him. I think perception is something very important to the infosec community, especially, now that it is becoming more relevant in the public eye.In part one of this two part series we talk about perceptionWhat is the perception of infosec in business?How do we change the perception of security?We start getting into where security fits in an organization What is the perception of information security - part 1 With Chris Maddalena [RSS Feed] [iTunes]
Transcribe →Exploring the Quantum Horizon: Why We Need CBOMs Today
Apr 2100:26:17Tap to summarizeSummary:In this episode, host Timothy De Block sits down with John Morello to dive into the world of Cryptography Bill of Materials (CBOM) and the looming transition to Post-Quantum Cryptography (PQC). They discuss why tracking cryptographic assets is becoming a critical security requirement, how CBOMs are being integrated into existing SBOM standards, and why organizations need to start future-proofing their encrypted data against quantum computing threats today.Key Topics DiscussedWhat is a CBOM? A Cryptography Bill of Materials provides a trustworthy, structured, and machine-readable way to represent what cryptographic components exist in your software and how they are configured.Beyond the Basic SBOM: While a standard SBOM might tell you that a component like OpenSSL is present, a CBOM details the specific algorithms, key lengths, and operational modes in use.The Consolidation of Standards: CBOMs are actively being merged into broader SBOM frameworks like CycloneDX and SPDX. Over the coming months, CBOM data will simply become a subset of the tags and artifacts within standard SBOM files, reducing complexity for developers and security teams.The Post-Quantum Threat: The mathematical foundations of common encryption algorithms like RSA, DES, and SHA will eventually be defeatable by quantum computers."Harvest Now, Decrypt Later": Adversaries may already be recording encrypted traffic today with the intention of decrypting it years down the line once quantum computing becomes viable.NIST and Regulatory Standards: NIST has been running a Post-Quantum Cryptography (PQC) project for several years and is expected to finalize approved algorithms soon. This guidance will likely be codified into future standards, such as a FIPS 140-4 update.Who Owns the CBOM? DevOps and developer teams should be responsible for creating and maintaining the CBOM data alongside their existing SBOM processes. Security teams will then consume this data to understand exposure, measure adoption of quantum-resistant algorithms, and prioritize risk mitigation.Memorable QuotesOn the need for CBOMs: "It's less about dealing with cryptographic based vulnerabilities. It's more to help you inventory what you've got to find whether you have weak algorithms in weak key links in place and to be able to do that discovery in a consistent way."On preparing for the future: "If you wait to move to postquantum or quantum resistant algorithms only after those quantum computers are widely available or at least available to your adversaries... basically everything that you've encrypted before with these non-resistant algorithms is subject for decryption in the future."Resources & Links MentionedNIST Post-Quantum Cryptography (PQC) Project: The central hub for NIST's ongoing work to standardize quantum-resistant algorithms.Link: csrc.nist.gov/projects/post-quantum-cryptographyMinimus.io: John Morello's company, which provides hardened container images that automatically build CBOMs and integrate post-quantum capabilities out of the box.Link: minimus.ioMinimus CBOM Blog Series: Check out the articles mentioned in the episode for a deeper dive into Cryptographic Bill of Materials:From SBOM to CBOM: Why Container Security Needs Cryptographic VisibilityHow to Use CBOMs in Containerized Environments: Data Formats, Tools, and Use CasesSupport the Podcast:Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.Contact Information:Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn. Check out our services page and reach out if you see any services that fit your needs. Social Media Links:[RSS Feed] [iTunes] [LinkedIn][YouTube] What are CBOMs? John Morello Subscribe Sign up with your email address to receive news and updates. Email Address Sign Up We respect your privacy. Thank you!
Transcribe →Exploring the Risks of Model Context Protocol (MCP) with Casey Bleeker
Apr 1400:34:52Tap to summarizeSummary:Timothy De Block sits down with Casey Bleeker from SurePath AI to demystify the Model Context Protocol (MCP). They discuss how this emerging standard allows Large Language Models (LLMs) to interact with external tools and why it represents a significant, often invisible, exposure risk for enterprises. Casey explains why MCP should be viewed like the HTTP protocol—ubiquitous and fundamental—and outlines the critical security controls needed to prevent data exfiltration and malicious code execution without blocking AI adoption.Key Topics DiscussedWhat is MCP?MCP is a standard for creating a "natural language definition" of an API, allowing an LLM to intelligently determine when to call a specific tool rather than just generating text.It acts as a translation layer between a REST interface and the AI model, enabling the model to execute tasks like updating a CloudFormation stack or querying a database.The "HTTP" Analogy & Exposure Risk:Casey argues that MCP should be thought of as a protocol (like HTTP) rather than a specific tool. It is being implemented broadly across many open-source tools and providers, often hidden behind the scenes when users add "connectors" or extensions.Because it functions as a protocol, it creates a broad exposure risk where users grant AI agents permissions to create, update, or delete resources on their behalf.Vulnerabilities to Watch for in the MCP:Malicious Payloads: Downloading an external MCP resource (e.g., via npm) can lead to unvalidated code execution on a local machine before the model even calls the tool.Data Exfiltration: Users effectively grant their identity permissions to untrusted code controlled by external third parties (the LLM), allowing the AI to act as a proxy for the user on internal systems.Defense Strategies:Central Management: Organizations need a central MCP management gateway authenticated via Single Sign-On (SSO) with role-based permissions to control which tools are authorized.Deep Payload Inspection: The only true control point is the interaction between the user/agent and the AI model. Security teams must inspect the payloads in real-time to steer usage away from unapproved resources or prevent destructive actions.Authentication Specs: DCR vs. CIMD:Casey warns against the Dynamic Client Registration (DCR) flow, citing complexity and vulnerabilities in many implementations.He highly recommends demanding vendors support the CIMD (Client-Initiated Management Data) specification, which allows for proper validation of destinations and enforces valid redirect URIs.Resources MentionedModel Context Protocol Spec: modelcontextprotocol.io SurePath AI: surepath.ai (Blogs and webinars on MCP risk) Support the Podcast:Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.Contact Information:Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn. Check out our services page and reach out if you see any services that fit your needs. Social Media Links:[RSS Feed] [iTunes] [LinkedIn][YouTube] Exploring the Risks of Model Context Protocol (MCP) Casey Bleeker Subscribe Sign up with your email address to receive news and updates. Email Address Sign Up We respect your privacy. Thank you!
Transcribe →From Combat Zones to Corporate Lobbies: A Guide to Physical Security with Josh Winter
Apr 700:41:45Tap to summarizeSummary:In this episode, host Timothy De Block dives into the often overlooked but critically important world of physical security with Josh Winter. Josh shares his unique journey from serving in combat infantry with the 82nd Airborne Division to running executive protection for high-net-worth individuals and conducting physical penetration testing for major corporations. They discuss the glaring differences between corporate security and residential security, how to spot the illusion of safety (like unplugged cameras and empty lobby desks), and why human behavior is always the most unpredictable variable in any security plan.Key Topics DiscussedJosh's Background: How Josh transitioned from military service (82nd Airborne, PSD work in Afghanistan) to state security, executive protection for a wealthy family in San Diego, and eventually physical pen testing for a major firm.Corporate vs. Residential Security: The stark contrast between the static, often complacent environment of a corporate office and the highly dynamic, unpredictable nature of securing a private residence.The "Illusion of Security": Why lobby attendants without actual access control or security training are merely "decorations" and how unmonitored or broken cameras create a false sense of safety.Physical Pen Testing Tactics: Josh explains how simple confidence, observation, and exploiting human nature (like tailgating or holding the door) are often more effective than sophisticated hacking tools.The "Catch Me If You Can" Approach: How acting like you belong—much like Frank Abagnale Jr.—is the most powerful tool for bypassing physical security measures.Practical Security Upgrades on a Budget: Why $500 spent on motion-activated lighting, a simple ring camera, and upgraded door hardware is far more effective than a multi-million dollar system that isn't properly maintained.The Insider Threat: The reality that disgruntled employees, not shadowy hackers, often pose the greatest physical threat to an organization, and how to assess that risk.Security Culture: How to shift an organization's mindset so that challenging an unknown person in the hallway is seen as a sign of respect and vigilance, rather than rudeness.Memorable Quotes"A lobby desk attendant with no actual access control... is probably just decoration.""You have to train yourself to get away from that 'I'm supposed to be here' confidence... if you're an attacker, you're going to use that against them.""You're dealing with the anesthetic of familiarity." (On why employees become complacent in their daily routines.)"The antithesis of security is convenience. I don't want to wear a seatbelt, but I do because it could save my life."Support the Podcast:Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.Contact Information:Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn. Check out our services page and reach out if you see any services that fit your needs. Social Media Links:[RSS Feed] [iTunes] [LinkedIn][YouTube] What is Physical Security Josh Winter Subscribe Sign up with your email address to receive news and updates. Email Address Sign Up We respect your privacy. Thank you!
Transcribe →[RERELEASE] What is a SIEM?
Mar 3100:23:27Tap to summarizeIn this most excellent edition of the Exploring Information Security podcast, I talk with Derek Thomas a senior information security analyst specializing in log management and SIEM on the topic of: "What is a SIEM?"Derek (@dth0m) has a lot of experience with SIEM and can be found on Linkedin participating in discussions on the technology. I had the opportunity to hang out with Derek at DerbyCon in 2015 and I came away impressed with his knowledge of SIEM. He seemed to be very passionate about the subject and that showed in this interview.In this episode, we discuss:How to pronounce SIEMWhat is a SIEMHow to use a SIEMThe biggest challenge using a SIEMHow to tune the SIEMUse cases, use cases, use cases.More Resources:Applied Network Security Monitoring: Collection, Detection, and Analysis by Chris Sanders and Jason SmithNetwork Forensics: Tracking Hackers through Cyberspace by Sherri Davidoff and Jonathan Ham.Logging and Log Management: The Authorative Guide to Understanding the Concepts Surrounding Logging and Log Management by Anton A. Chuvakin and Kevin J. SchmidtAnton A. Chuvakin Gartner blogUltimate Windows Security What is a SIEM? With Derek Thomas [RSS Feed] [iTunes]
Transcribe →[RERELEASE] What is threat modeling?
Mar 2400:22:56Tap to summarizeOriginally posted August 13, 2014.In the fifth edition of the Exploring Information Security (EIS) podcast, I talk with J Wolfgang Goerlich, Vice President of Vio Point, about threat modeling.Wolfgang has presented at many conference on the topic of threat modeling. He suggests using a much similar method of threat modeling that involves threat paths, instead of other methods such as a threat tree or kill chain. You can find him taking long walks and naps on Twitter (@jwgoerlich) and participating in several MiSec (@MiSec) projects and events. In this interview Wolfgang covers:What is threat modeling?What needs to be done to threat modelWho should perform the threat modelingResources that can be used to build an effective threat modelThe life cycle of a threat model What is threat modeling? With Wolfgang Georlich [RSS Feed] [iTunes]
Transcribe →[RERELEASE] What is cryptography?
Mar 1700:24:56Tap to summarizeOriginally posted July 30, 2014.In the fourth edition of the Exploring Information Security (EIS) podcast, I talk to the smooth sounding Justin Troutman a cryptographer from North Carolina about what cryptography is.Justin is a security and privacy research currently working on a project titled, "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. Be sure to check out his website for more information.In the interview Justin talks aboutWhat cryptography isWhy everyone should care about cryptographyWhat some of it's applications areHow someone would get started in cryptography and what are some of the skills needed What is cryptography? With Justin Troutman [RSS Feed] [iTunes]
Transcribe →[RERELEASE] What is a Chief Information Security Officer (CISO)
Mar 1000:19:50Tap to summarizeOriginally July 9, 2015.In the third edition of the Exploring Information Security (EIS) podcast my infosec cohort Adam Twitty and I talk to the Wh1t3 Rabbit, Rafal Los, about what exactly a Chief Information Security Officer, otherwise known as CISO, is.Rafal Los (@Wh1t3Rabbit) is the Director of Solutions Research at Accuvant. He produces the Down The Security Rabbithole podcast and writes the Following the Wh1t3 Rabbit security blog. On several occasions he's tackled the CISO role within an organization on both his podcast and blog. I would highly recommend both if you're in the infosec field or looking to get into it.In the interview Rafal talks about:What a CISO isWhat role does a CISO fill in an organizationWho skills are needed to be an effective CISOThe different types of CISOs What is a Chief Information Security Officer With Rafal Los [RSS Feed] [iTunes]
Transcribe →Exploring The Bad Advice Cybersecurity Professionals Provide to the Public
Mar 300:36:56Tap to summarizeSummary:In this episode, Timothy De Block sits down with cybersecurity expert Bob Lord to discuss the dangerous impact of "Hacklore"—obsolete, excessive, and fear-based cybersecurity advice. They explore how bombarding everyday users with spy-thriller scenarios (like juice jacking and evil baristas) leads to security fatigue and inaction. Instead, they advocate for shifting the burden of security away from the user and onto tech companies, while narrowing consumer advice down to the absolute basics: Multi-Factor Authentication (MFA), password managers, and credit freezes.Key Topics DiscussedThe Origins of Hacklore: Bob Lord started the Hacklore website after a CISO friend emailed him a "trifecta" of problematic security advice concerning public Wi-Fi, juice jacking, and restaurant QR codes. The initiative serves as an expert-backed resource to debunk common myths and promote better, actionable security guidance.Rethinking Security Advice: Providing users with excessive or overly complex advice often results in them ignoring it entirely. Security advice needs to be constantly reevaluated to ensure it addresses actual, common crimes rather than unlikely scenarios like an "evil barista" intercepting data.Shifting the Security Burden: The responsibility for digital safety should move away from the end-user and toward internet service providers and tech companies. Companies must adopt "secure by design" practices, such as requiring password changes upon installation or shipping routers with unique default passwords.The Power of MFA: Multi-Factor Authentication (MFA) is essential for protecting vulnerable populations, such as seniors who are frequently targeted by organized fraud. Even SMS-based MFA is far better than having no MFA at all, as it degrades most common attacks according to a Microsoft study.The Hidden Benefit of Password Managers: A major, underappreciated benefit of password managers is their built-in phishing resistance. If a user is tricked into visiting an imposter website, the password manager will not fill in the credentials, effectively stopping the attack in its tracks.Freezing Credit: Implementing a credit freeze is another highly recommended, fundamental security measure. This action builds directly on the basic security practices promoted by the Hacklore initiative.Learning from Near Misses: At the upcoming RSA conference, Bob Lord will discuss the concept of cyber security "near misses". He advocates that the cybersecurity field should learn from incidents that almost went wrong, similar to the safety approach used in the aviation sector.Memorable InsightsSharing obsolete security advice can be considered an "act of harm" because it distracts people from effective measures and can create a fatalistic mindset that no security action will help.Since most people will only dedicate a few minutes a year to security, recommendations must be strictly limited to what is truly feasible for them to implement.Getting a friend or family member to make just one security change, like enabling MFA on their primary email account, is considered a significant victory.Resources MentionedHacklore Initiative: A non-commercial website aimed at replacing obsolete cybersecurity advice with expert-backed guidance (hacklore.org).Hacklore on Bluesky: Follow the movement and join the conversation at @hacklore.bsky.social."How effective is multifactor authentication at deterring cyberattacks?": The Microsoft research paper (arXiv:2305.00945) referenced by Bob Lord detailing the real-world efficacy of MFA: https://arxiv.org/abs/2305.00945.Bob Lord's Updated Cyber Guidance for Small Businesses: Originally written during his time at CISA, Bob has updated this practical security guide on his personal blog: Read on Medium.Methods of Delivery vs. Intrusion (The Hacklore Edition): A blog post explaining why the security industry shouldn't over-index on flashy threats like parking meter QR codes: Read on Medium.PSA: Elevator (un)safety: In addition to his popular seatbelt analogy, Bob explores the concept of built-in safety in this blog post about elevators: Read on Medium.Support the Podcast:Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.Contact Information:Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn. Check out our services page and reach out if you see any services that fit your needs. Social Media Links:[RSS Feed] [iTunes] [LinkedIn][YouTube] Exploring the Bad Advice Cybersecurity Professionals Provide the Public Bob Lord Subscribe Sign up with your email address to receive news and updates. Email Address Sign Up We respect your privacy. Thank you!
Transcribe →