Exploring Information Security Archive 1

Ed (@EdgarR0jas) is the creator of Tactical Edge (@Tactical3dge), which runs October 24 - 27, 2016, and PVC Security podcast co-host. For listeners of that podcast, I apologize. You've heard about about Tactical Edge extensively. However, I managed to get a little more out of him in this episode. We discuss origins and what makes this conference unique.

Valerie (@hacktress09) is an executive consultant for Securicon. She uses many techniques to pentest an organization via social engineering. One of the techniques she uses the most is phishing emails. In this episode we discuss what is social engineering and why it's important.

Chris (@_Lopi_) has some interesting thoughts on mentorship and how the infosec community can be better at it. Here is the tweet from Chris that caught my attention, "What do I want? To get more folks interested in infosec and help them break into the industry. We need better mentors." Upon further investigation I noted that Chris is creating a game for people trying to break into information security. How this applies? You will have to listen to the episode.

Steven (@ZenM0de) is a principal security strategist at eSentire. Part of his role is implementing, and even sometimes creating, security frameworks for organizations. We define what a security framework is and then discuss the process for choosing a framework.

Chris (@cmaddalena) and I were asked the question on Twitter, "How do you make time for a home lab?" We answered the question on Twitter, but also decided the question was a good topic for an EIS episode. Home labs are great for advancing a career or breaking into information security. To find the time for them requires making them a priority. It's also good to have a purpose. The time I spend with a home lab is often sporadic and coincides with research on a given area.

Chris (@cmaddy) and I have submitted to a couple of calls for training at CircleCityCon and Converge and BSides Detroit this summer on the topic of building a home lab. I will also be speaking on this subject at ShowMeCon. Home labs are great for advancing a career or breaking into information security. The bar is really low on getting started with one. A gaming laptop with decent specifications works great. For those with a lack of hardware or funds there are plenty of online resources to take advantage of.

Rob (@Mubix), recently had a post titled "Friendly Fire." In the post he talks about the red vs. blue dynamic and some of the pitfalls of that attitude. I knew of the red vs. blue dyanmic, but I never thought it would be hurting the security industry. I decided to have Mubix on to discuss the topic a little bit more. We discuss maximizing a pentest and CTFs.

Rob (@Mubix), recently had a post titled "Friendly Fire." In the post he talks about the red vs. blue dynamic and some of the pitfalls of that attitude. I knew of the red vs. blue dyanmic, but I never thought it would be hurting the security industry. I decided to have Mubix on to discuss the topic a little bit more. We define red team vs. blue team and then talk about working together.

Johnny, (@J0hnnyXm4s), helps organize four monthly meetups in the Chicago area called BurbSec. Starting a CitySec is a unique challenge but one that is easily doable. CitySec's provide an opportunity for security professionals and enthusiasts to get together to network, learn, and improve their security mindset. Johnny will be presenting this topic as a talk at BSides Nashville April 16, 2016. In this episode we discuss location and websites.

Johnny, (@J0hnnyXm4s), helps organize four monthly meetups in the Chicago area called BurbSec. Starting a CitySec is a unique challenge but one that is easily doable. CitySec's provide an opportunity for security professionals and enthusiasts to get together to network, learn, and improve their security mindset. Johnny will be presenting this topic as a talk at BSides Nashville April 16, 2016. In part one we discuss the origin story of BurbSec, marketing, and the people who attend.

Wolf (@jwgoerlich), recently produced an interesting PVCSec episode at CodeMash on the challenges of getting into infosec. One of the interesting notes from that podcast was learning how to attend a conference. It was such a great point that I invited Wolf back on EIS to discuss how to get the most out of attending a conference.

Kai (@kairoer), is a speaker, trainer, consultant, and the creator of the Security Culture Framework (SCF). The framework deals with embedding a security mindset into the entire organization. It takes security awareness training to the next level by not only performing the training, but then measuring it's effectiveness. The Security Culture Conference is a result of that idea. It brings the brightest minds in security and gives them a platform to share ideas on the security culture in an organization. The conferences is June 14 - 15 in Oslo, Norway. We discuss why to attend the conference, motivation for the conference, type of content, and activities for attendees.

Kai (@kairoer), is a speaker, trainer, consultant, and the creator of the Security Culture Framework (SCF). The framework deals with embedding a security mindset into the entire organization. It takes security awareness training to the next level by not only performing the training, but then measuring it's effectiveness. The Security Culture Conference is a result of that idea. It brings the brightest minds in security and gives them a platform to share ideas on the security culture in an organization. The conferences is June 14 - 15 in Oslo, Norway. In this episode we focus on the security culture framework. How it's applied, the four items for success, metrics, and more.

Javvad Malik (@J4vv4d) doesn't need much introduction. He's done a video on the benefits of being a CISSP. He's also done a music video with his Host Unknown crew on the CISSP. There's also The CISSP companion handbook he wrote. which has a collection of stories and experiences dealing with the 10 domains of the CISSP. Check out his website at j4vv4d.com and his YouTube channel.

Michael Santarcangelo, AKA The @catalyst, joins me to explain why answering the question is key to better security. The question, "What is the problem we're trying to solve" is the first step in identifying whether or not the problem at hand is worth addressing at this time. Essentially, is this what we should be working on right now and what will this gain us. This is a question to be answered by leadership. Michael has two decades of experience in security and working at the executive level. He's a regular on the Security Weekly and Down the Security Rabbithole podcasts. He's also launching his new program Straight Talk on Security. We discuss what the question means, risk catnip, why the it's important, how to answer it, and the three perspectives.

I continue my conversation with Tazz on OSINT: why it's importnat; skills needed to perform OSINT; and the tools used.

My first interaction with Tazz (@GRC_Ninja), was at CircleCityCon. I quickly became aware that if I got out of line at the conference Tazz was very likely to be the one to put me in my place. I also ran into her at DerbyCon where she kept people in line while waiting for talks to start. She also happens to be a speaker and this past year presented, "ZOMG Its OSINT Heaven" at BSides Las Vegas. Which is how I became aware that Tazz knew her stuff when it came to OSINT. She also writes about OSINT on her blog osint.fail. All of these interactions prompted me to have her on for a discussion on what is OSINT.

Paul Jorgensen of IBM joins me to discuss how to build a SOC. In part 3 we move into the next step and discuss resources for building an effective SOC.

Fellow co-host of the PVC Security podcast, Paul (@prjorgensen) spends most of his day thinking about socks. Once he's decided on a pair, he goes out into the world to help organizations build a SOC or security operations center. He's got extensive knowledge of how to put one together and that showed in the recording. For the first time in EIS history, we have a three part series.

Fellow co-host of the PVC Security podcast, Paul (@prjorgensen) spends most of his day thinking about socks. Once he's decided on a pair, he goes out into the world to help organizations build a SOC or security operations center. He's got extensive knowledge of how to put one together and that showed in the recording. For the first time in EIS history, we have a three part series.

Derek (@dth0m) has a lot of experience with SIEM and can be found on Linkedin participating in discussions on the technology. I had the opportunity to hang out with Derek at DerbyCon in 2015 and I came away impressed with his knowledge of SIEM. He seemed to be very passionate about the subject and that showed in this interview. We discuss: How to pronounce SIEM; what it is; how to use it; the biggest challenge; how to tune; and more.

Chris (@chrissanders88) is the co-author, along with Jason Smith, of Applied Network Security Monitoring: Collection, Detection, and Analysis. I recently finished the book and found it a valuable book for those operating within a SOC or those looking to start network security monitoring. Chris and Jason walk through the basics of network security monitoring including low-cost tools, snort, and how to investigate incidents. I highly recommend the book for those wanting to learn more about network security monitoring. In this episode we discuss: What is network security monitoring; what is needed to implement it; steps on how it should be applied; how to tune; and much more.

I recently read Data Driven Security: Analysis, Visualization and Dashboards by Jay Jacobs (@jayjacobs) and Bob Rudis (@hrbrmstr). The book is easy to read and a very good introduction into the world of data and security. Both Jay and Bob were kind with their time when I had questions about exercises in the books. After reading the book I decided to have Bob on to talk more about data driven security.

Frank (@en0fmc) has a lot of experience with application security. His current role is the director for web application security and product management at Qualys. He's also the chapter leader for OWASP Columbia, SC. He lives and breathes application security. In this episode we discuss: what application security is; why it's important; where it should be integrated; and resources.

In this exciting edition of the Exploring Information Security podcast, Steve Ragan of CSO joins me to discuss how information security professionals should interact with the media. Steve (@SteveD3) prior to becoming an InfoSec Journalism Wizard for CSO he spent 15 years as an IT contractor. Last year Steve gave talks on how to interact with the media at conferences such as CircleCityCon and DerbyCon. With information security getting more play in the media recently it's important that we all have a basic understanding of how to interact with the media. In this episode we discuss: interacting with different types of media; contacting media to make a correction; the difference between on-the-record and off-the-record; not being afraid of the media; and a bonus story.

Steve (@SteveD3) prior to becoming an InfoSec Journalism Wizard for CSO he spent 15 years as an IT contractor. Last year Steve gave talks on how to interact with the media at conferences such as CircleCityCon and DerbyCon. With information security getting more play in the media recently it's important that we all have a basic understanding of how to interact with the media. In part one we discuss: Who is the media? Where someone will interact with the media; reaching out to the media; and what does a bad interaction look like?

Johnny (@J0hnnyXm4s) is a penetration tester for Redlegg and an accomplished speaker at security conferences around the United States and Iceland. One of Johnny's more recent talks is titled "That's not my RJ45 Jack" which covers, among other topics, how to interact with people. I saw this talk in April when I went to BSides Nashville and it has a lot of good information that can be applied to networking with people in general. In part two we discuss resources for getting better at networking.

Johnny (@J0hnnyXm4s) is a penetration tester for Redlegg and an accomplished speaker at security conferences around the United States and Iceland. One of Johnny's more recent talks is titled "That's not my RJ45 Jack" which covers, among other topics, how to interact with people. I saw this talk in April when I went to BSides Nashville and it has a lot of good information that can be applied to networking with people in general.

David (@dacoursey) is one of the organizers of the Charleston ISSA chapter. At DerbyCon 2014 he experienced his first CTF. He had such a good time that he decided to put together the CTF for BSides Charleston two months later. Through those experiences he has learned a lot and has participated in many more CTFs this past year.

Jerry recently had a blog post on his site (malicious link) titled, "Dealing With The Experience Required Paradox For Those Entering Information Security." It is a wonderful article with actionable items on what people can do to overcome that stipulation on job postings. Jerry is also a co-host for the Defensive Security podcast.

Ralph (@Optimus__Prime) holds many infosec related certifications and is also an instructor of courses meant to help people get certified. Certifications are not a finish line for professionals. They are, instead, more of starting point for professionals. Getting certified means that a certain level of knowledge has been achieved.

I had the wonderful opportunity to speak at DerbyCon this year. The overall experience was amazing and I am thankful and honored to speak at such a great event. I was placed in the stables track with a 20-25 minute talk, which makes the recording perfect for this podcast. A huge shoutout and thanks to Adrian Crenshaw for all his work in recording talks for conferences. The information security community would be lesser without him.

In part two of this part two series Chris and I talk about security being a friendly face, the word hacker, and developers vs. security.

In part one of a two part series we talk about the perception of infosec in business, how we change it, and where security first in an organization.

Both Grap3 Ap3 and Dr. BearSec are organizers for the wonderful event. In this episode they talk about the origins of the conference, some of the challenges of putting the conference together, the atmosphere of the conference, and what attendees can expect for next year. Follow Grap3 Ap3 (@grap3_ap3) and DrBearSec (@drbearsec) and of course the conference (@CircleCityCon) on Twitter.

Amanda was charged with setting up a security awareness program for her company from scratch. Setting up a security awareness program is hard work, making it effective is even harder, but Amanda rose to the challenge and came up with some creative ways to help fellow employees get a better handle on security.

Simon is the project lead for ZAP an OWASP Open Web Application Security Project. He has a developer background and originally built the tool to help developers build better applications. The tool was so good that it caught the eye of the security community and is now used by developers, people just getting into security and veteran pen testers. You can follow him on Twitter @psiinon and find out more on the tool by going to the project site on OWASP.

Matt Johnson has spoken at conference's like GrrCon and DerbyCon on using PowerShell for security. He also has his own podcast titled, Leveled up Infosec Podcast and he's the founder of PoshSec. You can catch Matt tweeting about security on Twitter @mwjcomputing. In this interview we cover: what is PowerShell; how to get started; how to best utilize it for security; resources; and what mistakes made using it.

2015 will be the third year for the security conference and it looks to be even bigger and better than last year. This year the conference features a two blue team tracks, a red team track, CTF challenge, a lock pick village, and much more. Doug also talked about his own conference that leads into BSides Augusta, the Security Onion conference. BSides Augusta is sold out, but the Security Onion conference still has tickets available.

Wolfgang has presented at many conference on the topic of threat modeling. He suggests using a much similar method of threat modeling that involves threat paths, instead of other methods such as a threat tree or kill chain. You can find him taking long walks and naps on Twitter (@jwgoerlich) and participating in several MiSec projects and events. In this interview Wolfgang covers: what threat modeling is; what needs to be done to get started; who should perform it; resources; and the lifecycle of a threat model.

Justin is a security and privacy research currently working on a project titled, "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. In the interview Justin talks about: what cryptography is; why everyone should care; some of its applications; and how to get started with cryptography.

Rafal Los is the Director of Solutions Research at Accuvant. He produces the Down The Security Rabbithole podcast and writes the Following the Wh1t3 Rabbit security blog. On several occasions he's tackled the CISO role within an organization on both his podcast and blog. I would highly recommend both if you're in the infosec field or looking to get into it. In the interview Rafal talks about: what a CISO is; the role of a CISO; the skills; and different types of CISOs.

Ed Rojas is a Master Consultant for HP Enterprise Security and the creator of Security Zone information security conference in Columbia and the organizer of the BSides Nashville security conference. I had the pleasure of attending BSides Nashville this year and got the opportunity to snap a few pictures. Ed was a very accommodating and passionate host for the event. In this interview Ed talks about: the first step to organizing a security conference; time and effort it requires; picking the right date; challenges; mistakes and more.

An interview with VioPoint consultant and roundhouse master Jimmy Vo. We covered how he got into information security and also talked about some of things people on the outside looking in can do to get into information security.