Why communication in infosec is important - Part 2

In this communicative episode of the Exploring Information Security podcast, Claire Tills joins me to discuss information security communication.

Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.

In this episode we discuss:

  • How important is it for the company to take security seriously

  • How would someone get started improving communication?

  • Why we have a communication problem in infosec

  • Where should people start

More resources:

Why communication in infosec is important - Part 1

In this communicative episode of the Exploring Information Security podcast, Claire Tills joins me to discuss information security communication.

Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team at Tenable. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.

In this episode we discuss:

  • What Claire’s experience is with communication and infosec

  • What’s ahead for communication in infosec

  • Why do people do what they do?

  • What questions to ask

More resources:

Why contributing to the infosec community is important

In this giving back edition of the Exploring Information Security podcast, why contributing to the infosec community is important.

I'm taking a different approach to solo episodes and the podcast. I am going to blog about the solo episode before recording it. This will allow me to collect my thoughts. As a result of this, I hope, that it'll make the solo episode much more smoother. Usually, I write down some points and then just riff off that. Because I'd like to write more I figured this would be one way to improve quality of the podcast, while also providing some more elaborate show notes. With that, let's get to the topic at hand.

My origins as a contributor

When I started my IT career, I wasn't much of a contributor. I came in did my work and went home. In the evenings I played a lot of video games. Mostly, World of Warcraft and Counter-Strike mods like Day of Defeat. I raided. I played in competitive leagues. I had a lot of fun. I started college about a year after I got out of the Navy. I was doing it because I had the GI Bill and figured I might as well use it.

A few semesters in the government changed how the GI Bill worked. If I went back to school for six or more credit hours, I would not only get the courses covered, but also get basic housing allowance. College quickly became a part-time job. I bumped up from one class a semester to three. The wife and I started a family with our first child. Somehow I managed to balance work, school, a child, and my gaming habit.

In 2010, (for whatever reason) I started blogging about the Astros. A year later I started up a podcast for the site. I enjoyed the blogging and podcasting. At some point I explored the possibility of making a career out of my media arts degree. Things were fine at work, I just didn't really care for being a network administrator.

In 2012, I got my first opportunity to work in security. By this time I had realized that going into the media arts field would be a struggle for myself and my family. I still did the blog and podcast because I enjoyed it and was starting to make a little money from it ($100 a month). I would continue to do it until May 2015.

In November 2013 I went to my first BSides in Charleston.  I went with a buddy. He and I had such a great time going to the conference that nine months later we started our own local security user group in Columbia, SC called ColaSec. That was my first contribution to the infosec community.

Check that my second contribution was ColaSec. My first was this podcast. I produced seven episodes of EIS during the summer of 2014. I didn't release them to any podcast directory, because I wasn't sure I wanted to do it or not. I was still doing the Astros blogger/podcaster thing.

Check that again my third contribution was ColaSec, my second was the podcast, and my first was shooting pictures at BSides Nashville 2014. I've since shot several security conferences. You can check out my photography page for the conferences (plus some non-security events) I've shot.

In May 2015, I graduated from the University of South Carolina with a bachelors in Media Arts. I decided it was time to take the effort I was putting into the Astros and put it into the infosec field. By this time I realized infosec was where I wanted to be career wise. I was reading and listening to everything I could. ColaSec was becoming more and more popular. Another thing I realized was that blogging and podcast for the Astros opened up opportunities for me.

It allowed us to get interviews with players and front office personnel. Through these interviews we found out that people in the organization were reading our stuff. I even got to meet some of these people along with several of the writers on staff. I got to travel to Spring Training and ball parks. I got to know members of the media. I've been interviewed on TV, other podcasts, and been quoted in the Houston Chronicle. If I took that effort and applied it to my career similar opportunities were bound to happen. And that's what happened.

Why it's beneficial

Networking is one of the biggest benefits. Through shooting pictures, I've been able to get to know several conference organizers. Through the podcast I've gotten to know several infosec practitioners with something interesting to say. Through ColaSec I've gotten to know fellow peers and those looking to get into the industry. All these have led to getting to know other people in the industry.

I am in a dream job right now. That is a combination of knowing someone who I started the OWASP Columbia SC chapter with and knowing someone who helps organize BSides Nashville. The job I got previous to this one was because I meet the South Carolina state CISO at ColaSec. Networking with others in the industry is one of the best ways to land a new opportunity.

New skills is a result of networking with people. I have a large network of people I can go to if I have a question about something. Even when I don't have a question about something I'm learning new things by engaging with people. I'm learning about new techniques and tools. Speaking and teaching is a great way to solidify a learned topic. It can also help in day-to-day meetings where you have to present something.

Career advancement is the result of the benefits above. New opportunities led to new challenges. New challenges led to gaining new skills that help your progression as an infosec professional. I was hired into my current role, because of my contributions to the community. The development director I work with told me that what impressed him the most was my contribution section of the resume. I was volunteering at conferences. I was speaking. I was doing podcasts. Those impressed him more than anything else on my resume.

Contributing makes the community better. I've heard from several people about how the podcast helped them with a topic. I've heard that the con specials help humanize some of the high profile pros you see on Twitter or speaker circuit. How they seem more approachable now. I've been told my pictures help conferences get sponsors. ColaSec (my greatest contribution) has helped people get Security+ certified. It's helped people land jobs in our field. It's helped people get in front of others and teach something. It's helped people learn.

When we started ColaSec we expected to network with our peers in the field, around town. It turns out a lot of people showed up because they wanted to get into security. We also had people show up who didn't necessarily want to get in, but had an interest in security. We've had a couple developers show up because they believe security is important.

Contributing opens up a lot of opportunity. It also creates opportunities for others around us to get better.

How to get started contributing

Find something you're interested in that can add value to the infosec community. Shooting pictures and podcasting is something I enjoy doing. It makes contributing easier. I've also just simply volunteered at events. It's a great opportunity to feel special because you get a different color shirt and badge and get to walk in "restricted areas."

Speaking is a great way to contributor. Most conferences really really like first time speakers. I believe one of the reasons why I got to speak at DerbyCon in 2015 was because I was a "first time" speaker (BSides Augusta was actually my first time) and because I had EMET in my talk (Dave Kennedy loves EMET). I'm still learning as a speaker, because it's a tough skill to master. There are a lot of resources and people available to help someone get started.

I've seen people make a quilt that was auctioned off. The proceeds went to charity. Some people create music. Others put on capture the flag (CTF) events. Blogging is a great way to improve your writing skill and help research a topic. I find it strangely therapeutic and extremely satisfying when I finish. Speaking of, I've run out of ideas off the top of my head and I think you get the point.

Takeaway

Contribute to the infosec community. It can open up a lot of great opportunities for you and your career.

What is Converge and BSides Detroit?

In this Motor City edition of the Exploring Information Security podcast, Ryan Harp, Kyle Andrus, and Kate Vajda join me to discuss the conferences Converge and BSides Detroit.

Ryan (@th3b00st), Kyle (@chaoticflaws), and Kate (@vajkat) help put on one of the best conferences. Last year was my first year at the conference. I was not disappointed. They had a workshop on application security; a room set aside to get resume feedback; Ham radio exams; and much more. They also had three days of wonderful talks with some really great speakers. At lunch there are multiple treks to go grab a coney dog.

The call for papers is currently open. They're looking for speakers and to add more workshops this year. Tickets are also available now. Make sure to grab yours and I'll see you at Converge and BSides Detroit May 10-12.

In this episode we discuss:

  • How the conference got started.
  • Where the conference is at and what's new this year for the layout.
  • What's unique about the conference.
  • Coney dogs.

Why we need to get outside the infosec echo chamber

In this bouncy edition of the Exploring Information Security podcast, I talk about getting outside of the information security echo chamber.

Getting outside of the infosec echo chamber is something I've wanted to do for the past year. Spending time at infosec events is important for a career. It's great for networking and knowledge sharing. We need to do those same things at non-infosec events. For me that means getting out to developer events. I am speaking at Nodevember at the end of November 2017 and also at CodeMash in early January 2018. For better security I think it's a crucial activity.

In this episode I discuss:

  • What is the echo chamber?
  • Why it's important to get outside of it
  • Who should get outside the echo chamber
  • Where to get outside the echo chamber

What's happening at DerbyCon?

In this legacy edition of the Exploring Information Security podcast, Ben Miller (@securithid) , Cliff Smith (@BismithSalamandr) , Paul "BubbaSec" Coggin (@PaulCoggin) , Dave Chronister (@bagomojo), Sean Peterson (@SeanThePeterson), and Jimmy Byrd (@Jimmy_Byrd) (and briefly @aprilwright ) join me to talk security.

 This is likely the last podcast conference special of the year. It's a good one. We had quite the crew to record this one and got very in-depth and deep on topics related to infosec. Big shout out and thanks again to Dave for bringing the mics and participating in the podcast.

I've been pleasantly surprised with how this and the other podcasts have turned out. I've gotten some great feedback and I plan to do more of these in the future. It was also floated to me that we record one of these as a panel at one of the conferences. We'll see.

In this episode we discuss:

  • The legacy of DerbyCon and what the future holds.
  • What it's like at a developer conference?
  • Is there security fatigue?
  • Patch your shit.

Resource we discussed:

What is isolated browsing?

In this contained edition of the Exploring Information Security podcast, Danny Miller joins me to discuss isolated browsing.

Danny, is the Director of Product Marketing for Ericom (@EricomShield). He came on the show to talk about isolated browsing. Which is a technology that I've never heard of before. It's similar to virtual machines and technology like Citrix, which provide solutions that help isolate a user. Isolated browsing is different. It uses containers (like Docker) to provide a user with a browser that is completely separate from the computer. This has the advantage of keeping things like malware of user computer and in a contained environment.

In this episode we discuss:

  • What is isolated browsing?
  • How does it work?
  • Where the solution is located
  • How is the technology different from Citrix?

More resources:

Why getting into infosec is hard

In this Han Solo edition of the Exploring Information Security podcast, I discuss my experience on why getting into infosec is hard.

This is a solo episode where I share my thoughts on why it's hard to get into infosec. I've been on both sides of the interview process. In this episode I share my own personal experience (where I failed), as well as what I've seen on why people didn't get the role they wanted. This topic deals with the skills shortage topic often discussed on Twitter and other media. It's a very nuanced topic. I wanted to focus on what those applying could do better to apply and interview for an opportunity.

In this episode:

  • Why people don't apply?
  • Why requirements can limit job opportunities
  • Why your resume sucks
  • How are you preparing for the interview?
  • What are you doing to improve your chances of getting an offer?

How to prepare for the OSCP - Part 2

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • How Chris' second attempt went
  • How to study for the OSCP
  • What the hardest part of the exam was for Chris
  • How the pointing system works

More resources (h/t @KrvRob):

How to prepare for the OSCP - Part 1

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • What is the OSCP and OSCE
  • Why someone should pursue the OSCP
  • What is the test like
  • How Chris' first attempt went

More resources (h/t @KrvRob):

What are the steps to secure application development?

In this getting started episode of the Exploring Information Security podcast, Jim Manico joins me to discuss the steps (or rather phases) to secure application development.

Jim (@manicode) is an active member in the application security field. He's been a board member for OWASP. He's a regular speaker at OWASP conferences and he provides appsec training nine months out of the year. I recently had the opportunity to tune into a webinar put on my Jim discussing the steps to secure application development. He's got a wealth of knowledge and provides actionable advice for anyone wanting to move in that direction.

In this episode we discuss

  • How Jim got started in appsec
  • Why secure application development is important
  • What the steps are to get started
  • Who should be implementing application security

Why is passion an infosec requirement?

In this strong episode of the Exploring Information Security podcast, Chris Sanders CEO of Applied Network Defense and founder of the Rural Technology Fund joins me to question why passion is an infosec requirement.

Chris (@chrissanders88) recently put up a blog post titled, The Cult of Passion. In this post he discusses the concept of passion being a requirement in information security. This is something I've railed against in the path. Like Chris I think it sets the bar higher for those trying to get in. They feel like they have to spend 18 hours of their day doing infosec related things. That is in fact not the case and there are plenty of successful people in infosec that don't eat, sleep, and breath infosec.

In this episode we discuss:

  • What is passion?
  • What is some of the psychology around passion?
  • Why passion isn't a reliable measure for hiring managers.
  • What should people be focusing on instead of passion?

How to join the infosec community - part 2

In this inclusive episode of the Exploring Information Security podcast, Micah Hoffman, a certified SANS instructor, joins me to discuss how to join the infosec community.

Micah (@WebBreacher) gave a talk at BSides DC last year on joining the infosec community. For Micah it took him a while to get involved. He jumped right into the deep end by going to DEFCON. Several years later he decided to get more involved in the community and quickly discovered several of the benefits from doing that. I had a similar experience, attending DEFCON in the early 2000s. I wouldn't attend another security conference until 10 years later.

There are a lot of benefits to getting involved in the infosec community. You get to contribute and make the community a little better. You get to meet some awesome people. You will have more job opportunities open up. Community engagement shows initiative and allows you to meet people looking to fill roles.

In this episode we discuss:

  • How to meet people
  • What are some of things to watch out for in the community
  • Other resources available for getting invovled

More resources:

How to join the infosec community - part 1

In this inclusive episode of the Exploring Information Security podcast, Micah Hoffman, a certified SANS instructor, joins me to discuss how to join the infosec community.

Micah (@WebBreacher) gave a talk at BSides DC last year on joining the infosec community. For Micah it took him a while to get involved. He jumped right into the deep end by going to DEFCON. Several years later he decided to get more involved in the community and quickly discovered several of the benefits from doing that. I had a similar experience, attending DEFCON in the early 2000s. I wouldn't attend another security conference until 10 years later.

There are a lot of benefits to getting involved in the infosec community. You get to contribute and make the community a little better. You get to meet some awesome people. You will have more job opportunities open up. Community engagement shows initiative and allows you to meet people looking to fill roles.

In this episode we discuss:

  • How Micah got into the community
  • What is the infosec community?
  • Why it's important to get involved
  • Where can someone get involved?

More resources:

What is threat intelligence? - Part 2

In this smart episode of the Exploring Information Security podcast, Rob Gresham formerly of McAfee joins me to explain threat intelligence.

Rob (@rwgresham) previously served as a practice lead in McAfee's security operations. I had the opportunity to meet Rob in person. He is deeply involved in the many things information security related in South Carolina. Including the National Guard and Palmetto Cyber Defense Competition. Threat intelligence is a topic he thoroughly enjoys discussing. Which is why this topic will be a two parter.

In this episode we discuss:

  • What is threat intelligence
  • How threat intelligence is useful
  • What are the benefits of threat intelligence
  • What needs to be done before threat intelligence

Resources:

What is threat intelligence? - Part 1

In this smart episode of the Exploring Information Security podcast, Rob Gresham formerly of McAfee joins me to explain threat intelligence.

Rob (@rwgresham) previously served as a practice lead in McAfee's security operations. I had the opportunity to meet Rob in person. He is deeply involved in the many things information security related in South Carolina. Including the National Guard and Palmetto Cyber Defense Competition. Threat intelligence is a topic he thoroughly enjoys discussing. Which is why this topic will be a two parter.

In this episode we discuss:

  • What is threat intelligence
  • How threat intelligence is useful
  • What are the benefits of threat intelligence
  • What needs to be done before threat intelligence

Resources:

How Macs get Malware

In this installed episode of the Exploring Information Security podcast, Wes Widner joins me to discuss how Macs get malware.

Wes (@kai5263499) spoke about this topic at BSides Hunstville this year. I was fascinated by it and decided to invite Wes on. Mac malware is a bit of an interest for Wes. He's done a lot of research on it. His talk walks through the history of malware on Macs. For Apple fan boys, Macs are still one of the more safer options in the personal computer market. That is changing though. Macs because of their increased market share are getting targeted more and more. We discuss some pretty nifty tools that will help with fending off that nasty malware. Little Snitch is one of those tools. Some malware actively avoids the application. Tune in for some more useful information.

In this episode we discuss:

  • How Macs get malware
  • What got Wes into Mac malware
  • The history of Mac malware
  • What people can do to protect against Mac Malware

More resources:

What is ShowMeCon?

In this show me episode of the Exploring Information Security podcast, Dave Chronister managing partner at Parameter Security (@ParameterHacker) and organizer discuss ShowMeCon.

I can't say enough good things about Dave (@bagomojo). Last year was my first opportunity to attendee and speak at ShowMeCon (@ShowMeConSTL). He and the organizers did a tremendous job taking care of the speakers and attendees. There was great content, activities, food, parties, and the venue was top notch. This is one of the most well run and classiest conferences I've had the opportunity to attendee. I am excited to have the opportunity to speak again at the conference.

The conference has a different feel than other security conferences. It has more of a business feel. Which is a nice change of pace. This gives businesses in St. Louis an opportunity to tap into the vast knowledge of infosec community. It gives speakers of the infosec community an opportunity to show businesses how deep the infosec rabbit hole goes. I highly recommend (and often do) this conference to everyone in IT security.

ShowMeCon is June 8 and 9, 2017, at the Ameristar Casino and Resort. Tickets are available until May 15, 2017.

Other Details:

If you need to contact the organizers of ShowMeCon their phone number is 314-442-0472. If you would like to volunteer send an email to info[@]showmecon[.]com

In this episode we discussed:

  • What is ShowMeCon
  • How the conference got started
  • Who should attend ShowMeCon
  • What can attendees expect
  • A Saturday morning cartoon party

What is the OSINT Framework?

In this knowledge filled episode of the Exploring Information Security podcast, Justin Nordine joins me to discuss the OSINT Framework.

Justin (@jnordine) is the creator of the OSINT Framework. The page is a spider web of tools and other OSINT resources that you can get lost in for days. It's a fabulous tool for those just getting in or those who use OSINT on a daily basis. He created it as a way to keep up with all the OSINT resources out there.

In this episode we discuss

  • How he got started in OSINT
  • What is the OSINT Framework?
  • How should the framework be used?
  • What he has in store for future iterations

What is the internet of things?

In this excessive episode of the Exploring Information Security podcast, Ed Rojas joins me to discuss the Internet of Things (IoT).

Ed (@EdgarR0jas) has recently switched roles. In that role he's researching the internet of things. The internet of things is everywhere and it's starting to become an issue for the security community. From baby monitors to IP cameras to fridges, everything in the home is becoming connected. The issue comes in with the security being embedded in these device. There isn't any and it's allowing malicious people to create massive bot armies for distributed denial of services (DDoS). It's a tough problem to solve. Luckily, Ed is on the case.

In this episode we discuss:

  • What is the internet of things?
  • Why is an IoT an issue?
  • What should organizations be worried about?
  • What are the dangers of IoT?

More resources: