What's happening at DerbyCon?

In this legacy edition of the Exploring Information Security podcast, Ben Miller (@securithid), Cliff Smith (@BismithSalamandr), Paul "BubbaSec" Coggin (@PaulCoggin), Dave Chronister (@bagomojo), Sean Peterson (@SeanThePeterson), and Jimmy Byrd (@Jimmy_Byrd) (and briefly @aprilwright) join me to talk security.

This is likely the last podcast conference special of the year. It's a good one. We had quite the crew to record this one and got very in-depth and deep on topics related to infosec. Big shout out and thanks again to Dave for bringing the mics and participating in the podcast.

I've been pleasantly surprised with how this and the other podcasts have turned out. I've gotten some great feedback and I plan to do more of these in the future. It was also floated to me that we record one of these as a panel at one of the conferences. We'll see.

In this episode we discuss:

  • The legacy of DerbyCon and what the future holds.
  • What it's like at a developer conference?
  • Is there security fatigue?
  • Patch your shit.

Resource we discussed:

What's happening at BSides Augusta?

In this masters edition of the Exploring Information Security podcast, Adam Twitty, Robert Preston, Jeff Lang, and myself discuss security things.

This is another EIS podcast special at BSides Augusta. I have some close friends joining me for this one. Adam, Jeff, and Robert are all part of a local user group in Columbia, South Carolina, aptly named ColaSec. I also worked with Adam and Robert at my first security gig.

BSides Augusta is one of my favorite BSides events. It's really well run. It has a great facility and there's so much to do. In fact, I took part in my first conference capture the flag (CTF) with some of the guys from ColaSec. It was quite the experience and a lot of fun. I highly recommend the conference for those free in mid-September.

In this episode we discuss:

  • What it's like to be on a good team
  • What you need to know to get into the field?
  • What paths are available to get into infosec
  • What is ColaSec?

How to set up a pineapple?

In this fruity edition of the Exploring Information Security podcast, Kate Vajda joins me to discuss how to set up a pineapple.

Kate (@vajkat) is a senior security consultant at Secure Ideas. She recently wrote an article on setting up a targeted pineapple. In the article she walks through setting up a pineapple. What I really enjoy about the article is that she walks through some of the issues she runs into setting up the pineapple. It's a really good example of how to work through problems using troubleshooting techniques.

In this episode we discuss:

  • What is a pineapple
  • Where to get a pineapple
  • How to set one up
  • What are the use cases for a pineapple

What is isolated browsing?

In this contained edition of the Exploring Information Security podcast, Danny Miller joins me to discuss isolated browsing.

Danny is the Director of Product Marketing for Ericom (@EricomShield). He came on the show to talk about isolated browsing, which is a technology that I've never heard of before. It's similar to virtual machines and technology like Citrix, which provide solutions that help isolate a user. Isolated browsing is different. It uses containers (like Docker) to provide a user with a browser that is completely separate from the computer. This has the advantage of keeping things like malware off the user's computer and in a contained environment.

In this episode we discuss:

  • What is isolated browsing?
  • How does it work?
  • Where the solution is located
  • How is the technology different from Citrix?

More resources:

Why getting into infosec is hard

In this Han Solo edition of the Exploring Information Security podcast, I discuss my experience on why getting into infosec is hard.

This is a solo episode where I share my thoughts on why it's hard to get into infosec. I've been on both sides of the interview process. In this episode I share my own personal experience (where I failed), as well as what I've seen on why people didn't get the role they wanted. This topic deals with the skills shortage topic often discussed on Twitter and other media. It's a very nuanced topic. I wanted to focus on what those applying could do better to apply and interview for an opportunity.

In this episode:

  • Why people don't apply?
  • Why requirements can limit job opportunities
  • Why your resume sucks
  • How are you preparing for the interview?
  • What are you doing to improve your chances of getting an offer?

What it's like in the SECTF soundbooth

In this on-a-whim episode of the Exploring Information Security podcast, Michelle joins me to discuss her time participating in the SECTF.

Michelle (@MlleLicious) was one of the contestants who competed on Friday in the Social Engineering Capture The Flag (SECTF). This year the SECTF focused on video game companies and Michelle (happily) pulled Disney. Getting up on stage in front of hundreds of people is already a nerve-racking proposition. Now add in that you have to interact with another human being to try and get them to divulge information for points. As you'll hear, this was Michelle's first year at DEFCON. She dove right into the event and walked away from the event with an amazing experience.

In this episode we discuss:

  • What is the SECTF
  • Why apply to the competition
  • What was her preparation for the contest
  • Where could she have improved

What are memory forensics?

In this investigative episode of the Exploring Information Security podcast, Kyle Andrus joins me to discuss memory forensics.

Kyle (@chaoticflaws) is someone I've started to get to know this year. He's an organizer of Converge and BSides Detroit. He's also an organizer for MiSec. Talking with him I noticed a strong interest in memory forensics. This allowed us to geek out a bit on the topic considering I have experience with performing memory forensics as part of incident response. It was one of the more interesting things I've done in security.

In this episode we discuss:

  • How Kyle got into memory forensics
  • What tools are available to perform memory forensics
  • Why memory forensics are useful to an organization
  • What skills are needed for memory forensics

What do Chris Maddalena, Kyle Andrus, and Daniel Ebbutt think about security at DEFCON?

In this crazy edition of the Exploring Information Security podcast, I am joined by Chris Maddalena, Kyle Andrus, and Daniel Ebbutt for another conference podcast special. This time it's DEFCON 25.

Chris (@cmaddalena), Kyle (@chaoticflaws), and Daniel (@notdanielebbutt) join me at DEFCON to discuss various topics ranging from conferences like DEFCON, Blackhat, and BSides Las Vegas to bird feeders. We read a couple passages from the POC||GTFO bible available from No Starch Press.

In this episode we discuss:

  • The death of LineCon
  • Blackhat swag
  • BSides Las Vegas
  • Converge and BSides Detroit
  • Saying yes and knowing when to say no
  • Report writing
  • Macros
  • Bird feeders

What is BSides Bordeaux

In this exquisite episode of the Exploring Information Security podcast, Allan Liska and Tim Gallo join me to discuss a brand new BSides in Bordeaux.

Both Allan (@uuallan) and Tim (@TimJGallo) are in the United States. This makes starting a BSides in France challenging and intriguing. Both organizers love wine and saw an opportunity to put France on the BSides map. BSides Bordeaux (@BsidesBDX) is October 21, 2017, in Bordeaux, France. The venue is Mama Shelter (which has a wicked video). Tickets are limited so be sure to grab one soon.

In this episode we discuss:

  • What inspired them to start BSides Bordeaux
  • The challenges of organizing a BSides on another continent
  • What makes the conference unique
  • What are some of the things to do in Bordeaux

How to prepare for the OSCP - Part 2

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • How Chris' second attempt went
  • How to study for the OSCP
  • What the hardest part of the exam was for Chris
  • How the pointing system works

More resources (h/t @KrvRob):

How to prepare for the OSCP - Part 1

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • What is the OSCP and OSCE
  • Why someone should pursue the OSCP
  • What is the test like
  • How Chris' first attempt went

More resources (h/t @KrvRob):

What are the steps to secure application development?

In this getting started episode of the Exploring Information Security podcast, Jim Manico joins me to discuss the steps (or rather phases) to secure application development.

Jim (@manicode) is an active member in the application security field. He's been a board member for OWASP. He's a regular speaker at OWASP conferences and he provides appsec training nine months out of the year. I recently had the opportunity to tune into a webinar put on by Jim discussing the steps to secure application development. He's got a wealth of knowledge and provides actionable advice for anyone wanting to move in that direction.

In this episode we discuss

  • How Jim got started in appsec
  • Why secure application development is important
  • What the steps are to get started
  • Who should be implementing application security

Why is passion an infosec requirement?

In this strong episode of the Exploring Information Security podcast, Chris Sanders, CEO of Applied Network Defense and founder of the Rural Technology Fund, joins me to question why passion is an infosec requirement.

Chris (@chrissanders88) recently put up a blog post titled The Cult of Passion. In this post he discusses the concept of passion being a requirement in information security. This is something I've railed against in the past. Like Chris, I think it sets the bar higher for those trying to get in. They feel like they have to spend 18 hours of their day doing infosec-related things. That is in fact not the case and there are plenty of successful people in infosec that don't eat, sleep, and breathe infosec.

In this episode we discuss:

  • What is passion?
  • What is some of the psychology around passion?
  • Why passion isn't a reliable measure for hiring managers.
  • What should people be focusing on instead of passion?

How to join the infosec community - part 2

In this inclusive episode of the Exploring Information Security podcast, Micah Hoffman, a certified SANS instructor, joins me to discuss how to join the infosec community.

Micah (@WebBreacher) gave a talk at BSides DC last year on joining the infosec community. For Micah it took him a while to get involved. He jumped right into the deep end by going to DEFCON. Several years later he decided to get more involved in the community and quickly discovered several of the benefits from doing that. I had a similar experience, attending DEFCON in the early 2000s. I wouldn't attend another security conference until 10 years later.

There are a lot of benefits to getting involved in the infosec community. You get to contribute and make the community a little better. You get to meet some awesome people. You will have more job opportunities open up. Community engagement shows initiative and allows you to meet people looking to fill roles.

In this episode we discuss:

  • How to meet people
  • What are some of the things to watch out for in the community
  • Other resources available for getting involved

More resources:

How to join the infosec community - part 1

In this inclusive episode of the Exploring Information Security podcast, Micah Hoffman, a certified SANS instructor, joins me to discuss how to join the infosec community.

Micah (@WebBreacher) gave a talk at BSides DC last year on joining the infosec community. For Micah it took him a while to get involved. He jumped right into the deep end by going to DEFCON. Several years later he decided to get more involved in the community and quickly discovered several of the benefits from doing that. I had a similar experience, attending DEFCON in the early 2000s. I wouldn't attend another security conference until 10 years later.

There are a lot of benefits to getting involved in the infosec community. You get to contribute and make the community a little better. You get to meet some awesome people. You will have more job opportunities open up. Community engagement shows initiative and allows you to meet people looking to fill roles.

In this episode we discuss:

  • How Micah got into the community
  • What is the infosec community?
  • Why it's important to get involved
  • Where can someone get involved?

More resources:

What do Jayson E. Street, Dave Chronister, Johnny Xmas, April Wright, and Ben Brown think about security?

In this epic episode of the Exploring Information Security podcast, Jayson E. Street (@jaysonstreet), Dave Chronister (@bagomojo), Johnny Xmas (@J0hnnyXm4s), April Wright (@aprilwright), Ben Brown (@ajnachakra), and surprise guests Adrian Crenshaw (@irongeek_adc) and Kevin Johnson (@secureideas) all join me to discuss various security related topics.

ShowMeCon is one of my favorite security conferences. The organizers are awesome and take care of their speakers like no other conference. The venue is fantastic. The content is mind-blowing. I can't say enough good things about the event that Dave and Renee Chronister put on every year in St. Louis, Missouri. They know how to put on a conference.

Regular listeners of the podcast will note that I recorded an episode with Dave on ShowMeCon several weeks ago. After that recording he asked if I was interested in doing a recording at the conference. I said yes and thus the birth of this epic episode. This format is experimental. First, it is marked as explicit, because there is swearing. Second, it's over 90 minutes long. I didn't think breaking it up into four or five pieces would serve the recording well. Send me your feedback, good or bad, on this episode, because I'd like to do more of these. I would really like to hear it for this episode.

In this episode we discuss:

  • Certificates
  • Hiring
  • Interviewing
  • Where to get started
  • Soft skills
  • ShowMeCon and other conferences
  • Community and giving back
  • Imposter syndrome
  • Irongeek's impact on those in attendance

What is malware analysis - part 2

In this analyzed episode of the Exploring Information Security podcast, Daniel Ebbutt joins me to discuss malware analysis.

Daniel (@notdanielebbutt) is a malware analyst at a Fortune 500 company. I recently caught up with Daniel at Converge and BSides Detroit. We had a great conversation about malware analysis. Talking about the topic with him you can tell he is very passionate and excited about the subject, which is why I decided to have him on the podcast for a little chat.

In this episode we discuss:

  • What types of anti-malware Daniel has seen
  • How to perform malware analysis
  • What skills are useful for malware analysis
  • What resources are available

More resources:

What is malware analysis - part 1

In this analyzed episode of the Exploring Information Security podcast, Daniel Ebbutt joins me to discuss malware analysis.

Daniel (@notdanielebbutt) is a malware analyst at a Fortune 500 company. I recently caught up with Daniel at Converge and BSides Detroit. We had a great conversation about malware analysis. Talking about the topic with him you can tell he is very passionate and excited about the subject, which is why I decided to have him on the podcast for a little chat.

In this episode we discuss:

  • What is malware analysis
  • How to get malware
  • How to handle malware
  • What the different classes of malware are

More resources:

Why social skills are important - part 3

In this final part of a three-part series of the Exploring Information Security podcast, Johnny Xmas joins me to discuss why social skills are important.

Johnny (@J0hnnyXm4s) has presented talks and performed training on the topic of social skills at various conferences. He told me it's the topic he gets the most feedback on from people in attendance. I was first introduced to one of Johnny's talks at BSides Nashville 2015. He was presenting on networking with people at conferences. Which I immediately identified with. I was there shooting pictures, because it was an easy way to meet people at conferences.

Social skills are important in organizations, because they allow us to build better relationships with people to improve security. It's a topic that Johnny can talk about for hours (as evidenced by this three-part series).

In this episode we discuss:

  • Why it's important to never eat alone
  • How to improve your social skills
  • How to start a conversation
  • Why it's important to practice

More resources:

Why social skills are important - part 2

In this second part to a three-part series of the Exploring Information Security podcast, Johnny Xmas joins me to discuss why social skills are important.

Johnny (@J0hnnyXm4s) has presented talks and performed training on the topic of social skills at various conferences. He told me it's the topic he gets the most feedback on from people in attendance. I was first introduced to one of Johnny's talks at BSides Nashville 2015. He was presenting on networking with people at conferences. Which I immediately identified with. I was there shooting pictures, because it was an easy way to meet people at conferences.

Social skills are important in organizations, because they allow us to build better relationships with people to improve security. It's a topic that Johnny can talk about for hours (as evidenced by this three-part series).

In this episode we discuss:

  • Why it's important to never eat alone
  • How to improve your social skills
  • How to start a conversation
  • Why it's important to practice

More resources: