Exploring Information Security - Exploring Information Security

https://www.exploresec.com/eis?format=rss
The Exploring Information Security podcast interviews a different professional each week exploring topics, ideas, and disciplines within information security. Prepare to learn, explore, and grow your security mindset.

Episode List

From Combat Zones to Corporate Lobbies: A Guide to Physical Security with Josh Winter

Apr 7th, 2026 8:00 AM

Summary:

In this episode, host Timothy De Block dives into the often overlooked but critically important world of physical security with Josh Winter. Josh shares his unique journey from serving in combat infantry with the 82nd Airborne Division to running executive protection for high-net-worth individuals and conducting physical penetration testing for major corporations. They discuss the glaring differences between corporate security and residential security, how to spot the illusion of safety (like unplugged cameras and empty lobby desks), and why human behavior is always the most unpredictable variable in any security plan.

Key Topics Discussed

  • Josh's Background: How Josh transitioned from military service (82nd Airborne, PSD work in Afghanistan) to state security, executive protection for a wealthy family in San Diego, and eventually physical pen testing for a major firm.
  • Corporate vs. Residential Security: The stark contrast between the static, often complacent environment of a corporate office and the highly dynamic, unpredictable nature of securing a private residence.
  • The "Illusion of Security": Why lobby attendants without actual access control or security training are merely "decorations" and how unmonitored or broken cameras create a false sense of safety.
  • Physical Pen Testing Tactics: Josh explains how simple confidence, observation, and exploiting human nature (like tailgating or holding the door) are often more effective than sophisticated hacking tools.
  • The "Catch Me If You Can" Approach: How acting like you belong—much like Frank Abagnale Jr.—is the most powerful tool for bypassing physical security measures.
  • Practical Security Upgrades on a Budget: Why $500 spent on motion-activated lighting, a simple ring camera, and upgraded door hardware is far more effective than a multi-million dollar system that isn't properly maintained.
  • The Insider Threat: The reality that disgruntled employees, not shadowy hackers, often pose the greatest physical threat to an organization, and how to assess that risk.
  • Security Culture: How to shift an organization's mindset so that challenging an unknown person in the hallway is seen as a sign of respect and vigilance, rather than rudeness.

Memorable Quotes

  • "A lobby desk attendant with no actual access control... is probably just decoration."
  • "You have to train yourself to get away from that 'I'm supposed to be here' confidence... if you're an attacker, you're going to use that against them."
  • "You're dealing with the anesthetic of familiarity." (On why employees become complacent in their daily routines.)
  • "The antithesis of security is convenience. I don't want to wear a seatbelt, but I do because it could save my life."

Support the Podcast: Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information: Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn. Check out our services page and reach out if you see any services that fit your needs.

[RERELEASE] What is a SIEM?

Mar 31st, 2026 8:00 AM

In this most excellent edition of the Exploring Information Security podcast, I talk with Derek Thomas, a senior information security analyst specializing in log management and SIEM, on the topic of: "What is a SIEM?"

Derek (@dth0m) has a lot of experience with SIEM and can be found on LinkedIn participating in discussions on the technology. I had the opportunity to hang out with Derek at DerbyCon in 2015 and I came away impressed with his knowledge of SIEM. He seemed to be very passionate about the subject and that showed in this interview.

In this episode, we discuss:

  • How to pronounce SIEM
  • What is a SIEM
  • How to use a SIEM
  • The biggest challenge using a SIEM
  • How to tune the SIEM
  • Use cases, use cases, use cases.

More Resources:

  • Applied Network Security Monitoring: Collection, Detection, and Analysis by Chris Sanders and Jason Smith
  • Network Forensics: Tracking Hackers through Cyberspace by Sherri Davidoff and Jonathan Ham
  • Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management by Anton A. Chuvakin and Kevin J. Schmidt
  • Anton A. Chuvakin Gartner blog
  • Ultimate Windows Security

[RERELEASE] What is threat modeling?

Mar 24th, 2026 8:00 AM

Originally posted August 13, 2014.

In the fifth edition of the Exploring Information Security (EIS) podcast, I talk with J Wolfgang Goerlich, Vice President of Vio Point, about threat modeling.

Wolfgang has presented at many conferences on the topic of threat modeling. He suggests using a much similar method of threat modeling that involves threat paths, instead of other methods such as a threat tree or kill chain. You can find him taking long walks and naps on Twitter (@jwgoerlich) and participating in several MiSec (@MiSec) projects and events.

In this interview Wolfgang covers:

  • What is threat modeling?
  • What needs to be done to threat model
  • Who should perform the threat modeling
  • Resources that can be used to build an effective threat model
  • The life cycle of a threat model

[RERELEASE] What is cryptography?

Mar 17th, 2026 8:00 AM

Originally posted July 30, 2014.

In the fourth edition of the Exploring Information Security (EIS) podcast, I talk to the smooth-sounding Justin Troutman, a cryptographer from North Carolina, about what cryptography is.

Justin is a security and privacy researcher currently working on a project titled "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. Be sure to check out his website for more information.

In the interview Justin talks about:

  • What cryptography is
  • Why everyone should care about cryptography
  • What some of its applications are
  • How someone would get started in cryptography and what are some of the skills needed

[RERELEASE] What is a Chief Information Security Officer (CISO)

Mar 10th, 2026 8:00 AM

Originally posted July 9, 2015.

In the third edition of the Exploring Information Security (EIS) podcast, my infosec cohort Adam Twitty and I talk to the Wh1t3 Rabbit, Rafal Los, about what exactly a Chief Information Security Officer, otherwise known as CISO, is.

Rafal Los (@Wh1t3Rabbit) is the Director of Solutions Research at Accuvant. He produces the Down The Security Rabbithole podcast and writes the Following the Wh1t3 Rabbit security blog. On several occasions he's tackled the CISO role within an organization on both his podcast and blog. I would highly recommend both if you're in the infosec field or looking to get into it.

In the interview Rafal talks about:

  • What a CISO is
  • What role does a CISO fill in an organization
  • What skills are needed to be an effective CISO
  • The different types of CISOs
