My Social Engineering Village (DEFCON) experience

August 3, 2017

This was my second time going to DEFCON. I was previously at DEFCON in the early 2000s. At the time information security was not my sole focus. I was serving in the Navy as an Electronics Technician. I did a little bit of everything.

Being stationed in San Diego, California, allowed me the opportunity to be dragged out to Las Vegas in August by a first class petty officer. At the time I had no idea what I was getting into. I just knew I was going to Vegas (baby!). I attended some talks and was fascinated by the capture the flag competition. The weirdest thing that happened to me was crashing at a hotel with on of the speakers my friend knew. I expected them to show up at some point in the wee hours. After waking up, I realized no one had come back to the hotel room we just stayed in. Odd.

You might think this sparked my desire to get into the field. Nope, I was more interested in playing black jack, hitting some slot machines, and taking in the complimentary drinks. It would be another eight years before I knew I wanted to get into infosec. After I got in I had no desire to go to BlackHat (too vendory) or back to DEFCON (been there done that). Instead I started hitting the smaller cons like BSides, CircleCityCon, ShowMeCon, and DerbyCon. Those conferences (much more affordable) satisfied my desire to contribute and network in the community.

That all changed in early May. While attending Converge and BSides Detroit my friend Dan asked if I wanted to go to DEFCON and volunteer at the Social Engineering Village. I was interested, but needed to check the logistics. After getting approval from my wife and manager, I started working on hotel and transportation. Last Tuesday I found myself in Las Vegas for the first time in over a decade. The TL;DR version is that I had a blast.

The crew running the Social Engineering Village (SE Village) are some of the most friendly people I've met in infosec. I not only got to know Chris Hadnagy and Michelle FIncher, but I also got to know their wonderful family and friends. They couldn't have been any more welcoming to a new person (I'm tearing up a little bit). I spent the entirety of DEFCON in the SE Village (HallCon was not an issue for me).

On Wednesday we grabbed a truck and loaded it up with everything needed for the village. We then started setting up and didn't finish until well into the evening. For dinner I had my first taste of Thai food (ever!). The next day Mission SE Impossible began.

Mission SE Impossible involved contestants picking their way out of hand and leg cuffs. Then they had to pick a door lock. After that they had to make their way through a laser field. The first dude (looked like military) literally jumped through the big hole we left at the top of the field. The hole was easily 4-5 feet off the ground. Unfortunately, he hit a laser and it didn't count. It was still cool to see him do it. Then they had to run through a micro-expression exercise. Finally, they picked another lock. They had 15 minutes to complete all these tasks. The guy that won did it in just over three minutes.

Friday and Saturday the village had the capture the flag (CTF) during the day and talks in the evening. I was exhausted by the end of both days. I showed up around 9 a.m. and didn't finish at the village until 9:30 p.m. that night. Most of that was on my feet helping with crowd control. Which by the way, if you're reading this and you were at the SE Village and you complied with any of our requests to move seats or move out of doorways, thank you. Most people complied with our request to push people around, which I appreciated.

Want to hear the @humanhacker talk about his favorite SE stories? Head to the #SEVillage. Emperors ballroom @defcon pic.twitter.com/OpBtYtDbrG
— Social-Engineer, Inc (@SocEngineerInc) July 27, 2017

The village was packed practically all weekend. DEFCON really needs to try and get them a bigger room next year. The first two days we had people packed into every seat and standable space and still had a line outside the door. Saturday was a different experience, because it came down that anyone in the room had to have a seat (did I mention they needed a bigger room). This moved any fire hazard from the room into the hallway, where people were lining up down to the end of the hall. A goon came in and asked if I could estimate wait time. I told him an hour plus, for anyone near the end of the line. Side note, the goons were very friendly and nothing like the jerks I had heard stories about the last few years. They were absolutely fantastic to work with.

Half the time I didn't know what was going on the room, because anyone that left we had to fill their spot in the room. This meant either pushing people down or directing someone to the vacated seat. What I did catch was awesome. The talks were talks. I don't have many takeaways, because I usually only got to listen to bits and pieces. Things did start winding down when talks got started and I was thankfully to be sitting down. The calls were easily the most interesting part of the village (and the most popular).

The SECTF (calls) consisted of contestants calling various video game companies. They would try to get points by getting the person on the phone to divulge bits of information. These were basic things like browser or third-party software information (think Flash version). The success of contestants seemed to hinge on how well they did their research. Leading up to the competition each contestant was given a target and about two weeks time to find as much information as they could. This allowed them to collect numbers to call and pretexts to put together. The ones who did better research got live people on the phone. The CTF was on a Friday and Saturday, which meant the contestants had to get creative with their numbers.

Here is the list of flags for the #SEVillage CTF pic.twitter.com/52YDMEsNZF
— Dylan Hailey (@TibitXimer) July 28, 2017

For about half of the contest we had the pleasure of listening to ringtones and voicemails. The other half varied. Some companies were very good about not divulging information. While others were more helpful. The winner of the competition, Chris Kirsch, got a couple people on the line who provided him with almost every flag. Each call started a new set of flags, so contestants could rack up points with multiple calls. He had individuals going to thismachine.info and had them reading from the website, which just allowed him to rack up point after point. We didn't have many people leaving the room during his calls. Our biggest challenge was keeping the laughter down from all the information he was getting (yes, there was potential for the other person on the line to hear the room). I walked up and down the aisle trying to help shush the room. I watched as the look of humor turned to anguish as Chris raked up points. It was epic. At the end he got a standing ovation from the room. The dude straight crushed the competition. During Q&A he mentioned that he spend 40-60 hours doing research, in a two week period. This was the highlight of the competition.

On Sunday, Chris and Michelle recorded a podcast with Tim Larkin. I didn't get to listen to it all. What I did get the opportunity to listen to was fantastic. Tim talked a lot about situational awareness. After that we packed up and I headed to the airport. I took with me a bunch of new swag and hugs from everyone who worked the SE Village. The experience is one of the highlights of my infosec career. I can't wait for next year!

This blog post first appeared on Exploring Information Security.

How to join an online infosec community

July 17, 2017

I had an interesting follow up question to the most recent Exploring Information Security podcast, how to join the infosec community. Here’s the question:

Tyler Neeriemer:

Any advice for those of us in incredibly rural areas. Are there active online communities you can recommend?

This a great question, because I imagine there are a lot of people in a similar situation. My response was to join CitySec meetups remotely. Both MiSec and ColaSec stream and record the talks that they have. They would both love people to get involved online. Those are two groups that I know do this, there may be others (please hit me up if there are others).

I just started GamerSec, which is an infosec user group for those interested in video games. You can contact me directly to get added (my Twitter DMs are open or email, timothy.deblock[@]gmail[.]com). Again, there may be other online specific groups.

I also asked Micah for his input and he recommended checking meetup.com. If there’s nothing there you can get involved via listservs or slack channels. I am part of the OWASP, security metrics, ColaSec and GamerSec listservs. These are usually Google Groups that people with the same interest members can join to discuss an infosec topic. Slack is more of a chat channel (AKA IRC). I’m part of three slack channels: DevelopSec, MiSec, and ColaSec. I know there is also a channel for OSINT and Network Security and many others.

My final bit of advice is to start your own CitySec. You only need two people to start one. I've done a two-part podcast series on this topic. I would love to hear other suggestions.

This blog post first appeared on Exploring Information Security.

Petya/NotPetya ransomware outbreak thoughts and links

June 28, 2017

While I wait for Nashville traffic to clear (picture above), I decided to take this as an opportunity to write up some thoughts and provide links for the current “ransomware” outbreak. I became aware of this on Tuesday and started monitoring the situation via Twitter. I thought it a good idea to create a list and add people who are providing the most useful information about the current outbreak. I figured it would be useful for future security related events.

There are already some good blog posts out there with what we currently know. SANS Internet Storm Center and Symantec Security Response have really good information. What I’d like to focus on is the idea that this is outbreak is a cover up for a nation-state attack. As I watched Twitter it seemed like a very particular set of organizations were getting hit by this ransomware. There were reports in several different countries and different types of organizations, but something didn’t feel right. I didn’t know anyone experiencing this event or see reports of local government or schools getting hit with this stuff. If there is truly an outbreak I would expect to hear about outbreaks in those areas. They run IT (let alone security) on a shoestring budget. All the reports seem to focus on those areas in Ukraine.

On my ride into work this morning the Risky Business podcast floated the idea that this was a targeted attack by a nation-state (Russia) at Ukraine (don’t call it “The Ukraine). Based on what I’ve seen it makes sense. Furthering the idea is Matt Suiche who wrote up an article on Petya as a wiper not ransomware he dug into the code for the malware and found that some of it had changed. This makes things much more difficult to recover from. If this is a cyber attack on another nation then the goal is certainly destruction. Crafting malware to look like ransomware but make things irrecoverable is a good way to accomplish that goal. It also helps with creating disinformation (something Russia does).

Then there’s the article from the grugq. He tracks down the MeDoc connection, which is considered the starting point for the infection. MeDoc is an accounting software package. The malware was sent through it’s update service. Now, if I’m a criminal trying to make money of this thing I use phishing emails to send this thing out to as many places as possible. Targeting a software vendor to deliver ransomware seems like way too much work for not a lot of payout. In fact the email address for payments has already been shutdown. Even if you wanted your files back you’re not getting them, because communication with the attackers is gone. Last check of the bitcoin wallet is $10,296.2 USD, according to @petya_payments on Twitter.

The problem with news like this is that there’s a lot of information flying out there. Not all of it good. It’ll take a few days to sort through everything, even then we won’t have a clear picture. In several weeks US intelligence will have their say. Like they recently did with WannaCry (it was North Korea). I think this is a targeted attack involving countries. There will be collateral damage, but it’s unlikely to affect a majority of us. In fact it looks like the initial attack has long since passed. Again, it’s early and some of this information is likely misguided or incorrect or new information will come out. There are some researchers saying that it’s not a wiper. The link in the post is another good resource for information and a good example of the community working through early information. He does agree that the malware's purpose is destruction, he's just not sure it's a wiper. I'm not versed enough in malware analysis to make a distinction either way. Wiper or ransomware are minor details, both will cause a lot of destruction. We should have a clearer picture in the next few days.

Suggestions for defending yourself are in the SANS and Symantec articles. Simple answer is to patch your shit and evaluate SMBv1 needs. I also took this event as an opportunity to email some internal folks and ask questions about our systems and see how they responded. When people talk about war gaming a security incident, these are good opportunities, even if you’re not impacted.

Resources:

I think traffic got worse.

This blog post first appeared on Exploring Information Security.

Pragma and Cache-Control

June 26, 2017

I’d like to start posting more on my website. One of the ideas I had for doing that is to write about some of the more obscure things in application security. My career has been almost entirely on the job training. This comes with the challenge of trying to understand explanations that sometimes don’t state obvious ideas and concepts. I’d like to cover some of those obscure topics and really dig into them. In the process I’d like to try and answer them in a way that my younger self can understand. I’m hoping this will provide others with a simpler explanation while helping me to better understand the concept.

To kick it off, I’d like to cover pragma and cache-control. The reason why is because I see this regularly in reports from ZAP, “Incomplete or No Cache-control and Pragma HTTP Header Set.” It’s a low or information finding and it usually shows up in a lot of places. I did some research to better understand the finding several weeks ago.

What is pragma and cache-control?

Both are header settings for the browser. Before we get to far, I guess I should explain what are HTTP header settings. These are settings that the application will communicate to the browser to determine how they interact together. In the case of pragma and Cache-control the application is telling the browser not to cache any content or don’t keep any content pulled down in the browser after leaving the site. The reason is so that sensitive information doesn’t get stored in the browser for a malicious actor to take advantage of if the person’s computer is compromised. For a more in depth explanation on HTTP headers check out this article, HTTP Headers for Dummies.

Pragma is an older header setting for HTTP/1.0. Cache-Control is the newer header setting for HTTP/1.1. What that means is that pragma is used to control cache for older browsers. If older browsers are being supported by the website or application then setting that is important to ensure sensitive information isn’t being stored. If older browsers are not support then just cache-control is used. In some cases you may have both. The Mozilla Developer Network has a pretty good explanation. There’s also a good explanation and discussion on Stack Overflow if that’s your thing.

How and where to set pragma and cache-control?

Where the header settings will depend on the application and what is being sent as content to the browser. The only setting for pragma is no-cache. Cache-control has more directives to set for flexibility. Max-age and revalidation are two directives that can be set. The browser will have to stick to those settings. The recommendation I’ve seen is to set pragma with no-cache and cache-control with no-cache, no-store, must-revalidate, and private.

These settings are set in either code or on the server. How implementation is done depends on the language and technology used by the application. Google is a good place to look for how to set these settings based on those factors.

Simple as that.

Hopefully, this clears up some confusion for people. Writing this down has helped me understand it a little better. I hope to do more of these types of articles in the future. I would love feedback on this post. Also feel free to drop a comment if I missed something in the explanation.

References:

This blog post first appeared on Exploring Information Security.

To cover letter or not to cover letter

May 30, 2017

TL;DR

Yes, write a cover letter. They will help you standout and express things about you that bullet points can not.

There is one scenario in which I don't write a resume. If I'm working through the process with someone I know or have an acquaintance with. Any other opportunity I am writing a cover letter to go along with a resume.

Why cover letters are important

Cover letters are a great opportunity to stand out from the pile of resumes sitting on a hiring managers desk. I recently heard some chatter that cover letters aren't relevant anymore. I would argue that they're rare. Which is exactly why you should write a cover letter for a job posting.

I used to not write cover letters. Writing a cover letter is hard. It requires inner reflection and an ability to write coherent sentences. For a non-writer that can seem daunting. I'll walk through how I write a cover letter below. I took chances in my cover letter and I was rewarded with at the very least a conversation. That's all we are looking for from a resume and cover letter, a chance for a conversation.

Cover letters are a great opportunity to show what you know and why you would be a good fit. Here are my two most recent cover letters.

Example one

You have to be very careful about pointing out issues in a website. It's like telling someone their baby is ugly. I ended up getting a call anyway. It was a short call. They were looking for someone who would jump in and start writing secure code. I was not that person. We both agreed it wasn't a great fit for them or myself.

Example two

In this example, I went much further in the interview process. I did several interviews and even made it to the sample security assessment on an application phase. This example is a little more standard. It highlights my desire to get into the appsec field and the activities I'm doing to accomplish that goal. I didn't get this role either. They were looking for someone more senior and I was looking for something closer to junior. Going deep into the process, though, was a valuable experience.

How to write a cover letter

Hopefully, those two examples are useful and provide ideas for writing a cover letter. Walking through both examples the first part of the cover letter is all the contact information. Your information and the companies information and the date.

If you have a name for the person who will review the cover letter address it to that person. I recommend not using "To whom it may concern," because there's something about the phrase that can rub people the wrong way. I like "Hiring Authority," because it empowers the person reading the letter. It provides them with a sense of importance that "to whom it may concern" doesn't.

My first paragraph focuses on the role I'm applying for and what makes me a good fit for the role. In the first example, I'm focusing more on recommendations I can make in the role. The second example, I'm trying to say that I have a strong interest in appsec, despite a weak background in development. Re-reading both first paragraphs makes me want to throw up. However, I'm keeping them (and the rest unedited) to show that a cover letter doesn't have to be an amazing thing. Try to provide a little insight into your personality. Take chances.

The middle paragraphs I'm focusing on me. What makes me a good candidate. What experience do I have. What activities I'm doing to help improve my skills in the field.

The final paragraph I focus back on the position and highlight what makes me a good fit for the role. Sort of summarizing the whole thing. Then finally sincerely your name. In example two I misspelled sincerely, which simply highlights making sure to re-read your cover letter for mistakes.

Write a cover letter to stand out

When I talk to people trying to fill a particular role, one of my questions is how many cover letters were submitted. The numbers I get from those people are very low. Cover letters give you an opportunity to standout and highlight your strengths as a candidate. Resumes are bullet points of accomplishments and responsibilities. They say very little about you as a person.

Cover letters are frustrating to write. The more you write them, the easier they become to write. I would avoid using a template. For each job you're submitting to, write a fresh cover letter. Cover letters show a willingness to go the extra mile. Which is why you may be surprised to find more calls from potential employers.

This blog post first appeared on Exploring Information Security.

Converge and BSides Detroit talks and slides

May 21, 2017

I had a great time at Converge and BSides Detroit.

This was my third attempt at going and I'm happy I finally got the opportunity to do so. The last two years I've had to cancel my plans due to life reasons. I did two talks this year. One at Converge and one at BSides. Both are linked below along with the slides for both talks.

How to kick start an application security program - Converge Detroit

I've given this talk at three other BSides prior to Converge. I feel like this is my best presentation of the talk so far. I will be giving it again at ShowMeCon in June.

Slides

The AppSec Starter Kit - BSides Detroit

This was my first time giving this talk. I thought it went well for it's first attempt. It still needs polish. It will probably be a while before I give this talk again at a security conference. I made this talk to present at developer conferences. It hasn't been picked up, yet. I'm hopeful it will for some talks later this year.

Slides

This blog post first appeared on Exploring Information Security.

HipChat's Security Win

April 25, 2017

I was disappointed not to find any of the HipChat coverage in my Feedly reader this morning from the infosec news sites. It hit plenty of main stream sites like engadget. I'm sure there is coverage on some infosec sites. It's just not as wide spread as I see for other breaches. Why is this?

Well it might have to do with HipChat having a good response to their incident. Most of the detail for the breach comes from their own blog. Over the weekend the detected a security incident affecting their servers. The incident was the result of a vulnerability in a popular third-party library. The attacker may have accessed user account information for everyone using the service. Because of that they invalidated everyone's password and asked them to setup a new one via the forgot password link.

They were reaching out to 0.05% of their users who were more seriously impacted by the breach. For those users messages and room content may have been accessed. For everyone else it was just (potentially) account information.

While this is an unfortunate incident to occur, this is a security win for HipChat.

They detected the incident and within days made an announcement. This led to a very small percent of users being impacted. They went ahead and invalidated everyone's password. I logged out and tried to get back in with my old password and it wouldn't work. I had to use forgot password. This meant that password didn't need to be changed immediately if people were still work or hadn't heard of the breach yet. Unfortunately, I don't think they accounted for the demand on their forgot password page. The page was essentially denial of serviced causing some frustration among users. I'm sure there will be plenty of lessons learned this week.

I wanted to write this post because I think we should highlight more security wins in our industry. The sites I use to keep up on infosec are focused on NSA backdoor detection, BrickerBot, among other nasty things. All still relevant and scary. However, we are seeing some positive things in security. HipChat is a good example of that and I applaud them.

This post first appeared on Exploring Information Security.

BSides Knoxville - May 5, 2017

April 14, 2017

Only 3 weeks left till #BSK2017, official poster finished and going to print, amazing design by Joshua Marc Levy at https://t.co/wy9Fng8DDd pic.twitter.com/rBFXS0Vlze
— BSidesKnoxville (@BSidesKnoxville) April 13, 2017

I love BSides events. It's the simplest idea that has a tremendous impact on the information security. A lot of work goes into each BSides event and there are over 200 of them worldwide. I've been to two this year already in Huntsville and Indianapolis. It was my first time attending each of those conferences (one of the perks of moving to Nashville). I had an outstanding time at both. I was afforded the opportunity to speak and make some new connections with people in the industry. I will be attending Nashville next weekend and speaking at two more next month. Detroit and Knoxville.

What I love about BSides is that each one is unique. Huntsville is in rocket city. It is one of the simplest and well run conferences you can go to. The area is a lot like Augusta. Not much around, but a lot of really smart people. Indianapolis is similar in nature and a quite possibly the most laid back. It's located at a culinary school and I ate pastries all day. Nashville feeds its attendees with catered (YES CATERED!) barbecue from Martin's BBQ. I'd put the lunch up against any conference anywhere. I will be heading to Detroit next month for that BSides which coincides with Converge Detroit. I've bailed on the organizers two years in a row due to life changing events. Not this year, though! Flight and hotel are booked.

Knoxville is another new conference for me this year. It's already turning out to be quite the unique experience for me. I am speaking at the event. Which is a bit of an outlier for me. I've submitted to three different conferences in Tennessee and BSides Knoxville is the only one that accepted my submission. It's fulfilling that dream and my dream to have a walk up song.

I'm a big baseball fan. My dream of coming out to a walk up song in professional baseball died a long time ago. In my adulthood, I've thought about what walk up song I would choose if I were given the opportunity. That day has arrived! Along with my presentation acceptance email were instructions on sending in my preferred walk up song. I only get 20 seconds, but that's all I need.

I started thinking about all my favorite songs. There were too many to make a choice from. I decided to take to Twitter to ask for suggestions. I got some really great responses. I also took the question to ColaSec a security user group in Columbia, SC. My talk is on kick starting an application security program, so I took the question to the development team I work with. I got some really weird and interesting response. I had about 20 potential songs, so I made a survey. From there I picked the top three and created a Twitter poll.

Final vote: What should my walk up song be for @BSidesKnoxville? Got some great suggestion. These are the top 3 based on survey.
— Timothy De Block (@TimothyDeBlock) April 14, 2017

If you have Twitter I'd love for you to vote and share. I like all three songs in the poll, so I will absolutely use the poll winner for my walk up song. If you're going to BSides Knoxville I would highly recommend planning your schedule. It helps the organizers place talks in rooms and time slots. From talking to several organizers of security conferences scheduling is one of the most frustrating things. This will make scheduling easier for the organizers of Knoxville. They're putting on an awesome conference at a ridiculously good price. It's the least you can do.

If Knoxville is in your plans May 5, 2017, hit me up on Twitter and let me know you're attending. Or walk up and say "Hi!" (I don't Twitter at conferences anymore). I'm really excited for the conference and hope to see you there.

This post first appeared on Exploring Information Security.

Recommended resources for information security

February 20, 2017

“What are some good materials you would recommend on InfoSec?” -Kenneth Reavis

This is such a great question and one I thought worth a post. My short answer is podcasts, blogs, and videos. These are what I use to help improve and stay relevant in the information security field. I listen to podcasts on my ride into work. I read Feedly to stay up with news events and people in the industry. I watch YouTube and Pluralsight when I need to pick up a complicated concept or technical topic.

Podcasts

I love podcasts. I love them so much that I produce my own. Security Weekly is the first podcast I started to listen to when I got in the field. Each episode contains a news, interview, and demo segment. I found the interview segment to be the most useful. This is a good first podcast to start with. The show has been around for years. It has a lot of good content and it’s a good crash course to the hacker culture of the field.

Risky Business is the best podcast in the infosec field. The production quality and content are top notch. The show starts with a news segment. That leads into two interview segments. The first usually deals with a current topic being discussed in the field. The other is a sponsor interview, which is usually just as useful as the other interview. The show is usually 50-65 minutes long.

Peerlyst has a long list of podcasts. Look for a few that are of interest. Give the podcast about three episodes before making a decision. Podcasters do sometimes have “off” shows. Here are some of the other podcasts with good content.

Down the Security Rabbit Hole - Leadership and business

Defensive Security podcast - Blue team focused

Data Driven Security - Data scientist focused

DevelopSec - Application security focused

On my ride home I listen to hobby and interest focused podcasts. I found that when I listened to infosec podcasts both ways I started to get burned out on podcasts. I now listen to infosec or business related podcast on my drive in. This helps me get focused. On the ride home I listen to hobby podcasts. This helps me transition from work to home much easier.

My last recommendation is to pick up podcasts that don’t have an infosec lean but focus on improving the self. I listen to both Manager and Career Tools for business etiquette guidance. I also listen to the Art of Charm for relationship building and self-improvement guidance. Both have helped tremendously in my day-to-day interactions at work.

Blogs

I use Feedly to collect RSS feeds from the sites and blogs I have an interest in. I follow ars-technica for news. Their articles are both informative and usually a quick read. I also follow Steve Ragan at CSO for news.

I work in the application security field. Troy Hunt is one of the bigger names in the field that produces content regularly. He also runs Have I Been Pwned which is a very useful tool for incidents involving a breach.

Brian Krebs is the man when it comes to reporting on breaches and criminal activities involving digital technology and ATMs.

Bruce Schneier is one of the top names in the cryptography and encryption field. He also tends to focus on the bigger picture and ramifications of security in society.

I add and prune my feed pretty regularly. If I get too far behind on my feed I’ll look to simplify it and get rid of the blogs. I look for blogs that aren’t providing as much value or report on stories I see from other feeds.

Get an RSS reader setup (it doesn’t have to be Feedly). Start adding to it and adjust if necessary. Feeds are also good for keeping up with alerts and vulnerability databases.

Video

I am a visual learner. The two resources I use extensively are YouTube and Pluralsight. I add a lot of conference talks to my Watch Later list. That list has 48 videos as of this writing. I don’t get on YouTube as much as I would like, but it’s still a useful tool for research. And every once and a while I'll create a playlist. It’s a valuable resource for better understanding a technology or infosec technique. Pluralsight requires a subscription. The content is top notch and provides a more indepth look at technology or security topics. It's $300 a year. I've had my place of employment pay for the last few years. It's usually an easy sell.

Conclusion

Those are the resources I use on a daily basis to learn and keep up with information security. There are a lot of other great resources out there. I just haven't found them or don't get as much value out of it. There are a lot of great digital forensics and incident response resources. I just don't work in that field. Find what gives the most value. If it's giving very little, ditch it.

Blogs allow me to keep up with daily news and read interesting new content. I have several hobby feeds setup in there so I get a nice mix throughout the day (I sometimes need a break from infosec). I listen to podcasts almost daily. There are general podcasts and more focused podcasts. Some have varying degrees of quality, but most have really good content. Finally, videos provide a visual opportunity to learn and research topics. I don’t use these on a daily basis. Instead I use them when I need to dig deeper into a topic.

There are a lot of great resources out there. Ask around. Find what type of medium you prefer and fits best into your lifestyle. Try something. If it provides value, great! If not, get rid of it. I just realized I didn't even touch on boxes. I may save that for another post.

This post first appeared on Exploring Information Security.

How to find your niche in information security

November 28, 2016

How to find your niche

Relax. It can take time to figure out what really engages you. Appreciate some of the skills you learn along the way. Ignore the advice to follow your passion. You may find work in security that you enjoy doing but aren't exactly passionate about. That is okay. You can be passionate about other things and still be happy in the work you do.

Explore. Try all the things. If your role allows it, take on security projects or initiatives in different areas. Research different areas. Go to security conferences and checkout various talks. Some of the best ones for exploring are single track conferences like BSides. Find a local security meetup. Follow a bunch of people on social media in the infosec field. Listen to security podcasts. There are a ton of them.

Play. Build a home lab. One of the great things about our industry is that there are a ton of free tools that do some amazing things. Some of my favorites are:

Redline a memory forensics tool
Zed Attack Proxy a dynamic analyzer for applications
EMET a windows hardening tool
PDQ Deploy third-party patch management and software deployment tool

Ask questions. Talk to people in various fields. Do this at work and at conferences and local meetups. Social media is also a great place to ask questions.

Evaluate your strengths. If you love math or a good puzzle, cryptography might be your thing. Do you love solving mysteries like a detective? Then maybe incident response or forensics might be your thing. Liking a little bit of everything may lead down a generalist path and into a management or CISO role. Whatever the strength try to match it to a different field in information security.

My story

I didn't really have a plan for what I wanted to do coming out of high school. The one thing I was sure of was that I was heading into the military. I didn't want to head to college not knowing what I wanted to do and put myself in debt. The military would give me an opportunity to figure that out and earn money for college when I did.

Prior to graduating I had looked at a number opportunities in the Army. Helicopter mechanic was one I remember. The other one I remember is paralegal, because that's what I ended up signing to do. That plan ended up falling through and I ended up working at Blockbuster for six months. I eventually signed on with the Navy and tested into the electronics technician role.

As an electronics technician I dealt with anything that had a circuit. Computers, phone lines, printers, communication equipment, and so on. I learned a lot about troubleshooting. I honorably discharged from the Navy after six years still without an idea of what I wanted to do. This lead to contract jobs pulling cable on and off for six months. Eventually, I landed an IT role as a tier two technician. The IT field was alright. I was good at it, but it wasn't exactly inspiring me.

At this point I started going to college part-time as a media arts undergraduate. Why media arts? I enjoyed movies and video games. I had an interest in possibly building websites. The biggest factor, however, was that the offered night classes. The computer science department did not. Plus, I had worked as an electronics technician for the past several years. I would only be gaining a little benefit in going back to school for that.

A year into my tier two technician role I got hired as a network/system administrator for a small state agency. This is where my interest in security really started to manifest. The first appliance I touched was the Sourcefire intrusion prevention system (IPS). I started tuning it and setup a process where I reported computers that needed to be grabbed because they were talking to places like China. This was a juvenile detention facility, there is no reason to talk to China. Despite starting to gain an interest in security, I had aspirations to move into the media arts field for a few years. I was blogging and podcasting about baseball and enjoying that opportunity. I even started making a little money from it. I didn't know what I wanted to do, but I started looking at opportunities in the field.

The problem with the media arts field is that it doesn't pay well and it's highly competitive. The money I started making wasn't anywhere close to feeding myself, wife, and child. I was also putting in a lot of hours after work just to maintain that extra source of income. After a few years of exploring the possibility of a career in media arts, I nixed it for practical reasons. This is when I started to gain clarity on the information security field.

After gaining some network and system, as well as security, administration experience, I was hired into my first security role. This role had me wearing several different hats in the security field. I managed AV, the webfilter, email spam filter, incident response, web application firewall, and much more. All these different areas intrigued me more than network or server administration had ever.

I thought I was good. Security was my niche. Done.

Then I found out I was supposed to find a niche within my niche. I had to pick a field in security. Really? I was enjoying doing it all in security. Can't I be a generalist. Well depending on who you talk to you can or you can not be a generalist. I think you can be a generalist and I was heading down that path as my niche. I had a wide range of experience in not only security but IT in general. I could walk into a network or server discussion and talk basics.

One day my manager came to me and said, "We need to setup an application security program." Off I went to figure out what I need to do. What I discovered in my research was that I had a strong interest in application security. Reading about the field was keeping my interest more than the other fields. Some of my strengths started to show themselves. I've also had an interest in web design. I know HTML and XML pretty well. Plus, I was wrapping up a degree in media arts that gave me more experience with websites. I also started to discover that I had a knack for working with other departments. Which came in handy when setting up security programs that involved other departments. I had found my niche.

Nearly, three years later I am working as senior software security engineer. I work with the development team to get security in the software development life cycle and I am loving absolutely every minute of it. I know I wouldn't be happy as a security operations center (SOC) analyst, because I was in that role for eight months and disliked it a lot. I think I would be happy working as a generalist in information security. For a time I thought I would have to be generalist. The "requirement" to get into application security is to have a programming and development background, which I don't have. That didn't stop me from perusing those types of roles and should probably be left to another blog post.

I shared this story, because I want to show people that it can take time to figure out what you want to do. I didn't know I wanted to be in security until my late 20s. I didn't get into security until after my 30th birthday. It was another two years from that point that I figured out what I wanted to do. Relax, explore, play, ask questions, and evaluate your strengths. Then you'll find your niche.

This post first appeared on Exploring Information Security.

Leveraging the security mindset of others

November 21, 2016

I am over six months into my new role as a senior software security engineer. My role has me embedded with the development team. I go to meetings and interact with the team on a day-to-day basis. My desk is in there area. I go to lunch and conferences with them. As I’ve gotten more familiar with the environment and team, my task list has started to grow.

One of my co-workers noticed this and while leaving a meeting the other day asked if security had plans to hire another security person. I responded that I thought they might in the future, but that I wasn’t counting on it. It took two years to fill my role. With the current “talent shortage” it may take another two years to fill a similar role.

My strategy for getting security into the software development life cycle is to leverage the skills and knowledge of the developers. They are really smart people, so I put a focus on improving the security mindset of the developers. In meetings, I let them to talk through security issues and find their own solution. Just me being there the developers know that security needs to be taken seriously. For the most part they choose the right path.

I also recognize when security issues are identified and addressed by the development team without my involvement. The development team is already doing a lot of good things from a security perspective. By recognizing that in a meeting or one-on-one I am amplifying and encouraging that type of behavior. Using that strategy, I’ve started to see improvements in the development team in regards to security. The other person I was discussing this with agreed. They were seeing more focus being made on security.

Do we need more people in security? I don't know. What I do know is that the security industry is having a tough time finding the right people. Maybe we need a different strategy. I think that strategy should include leveraging the security mindset of others. I've had some encouraging results so far. It will be interesting evaluate the strategy a year from now.

This post first appeared on Exploring Information Security.

Rethinking the security team

November 5, 2016

What if security teams placed their people into each department, instead of their own?

This is the position I currently find myself in. Four out of five days I sit with the development team with the goal of improving security in the software development life cycle (SDLC). It is going really well. It's going so well in fact that I've started to wonder why we don't do this more?

There would still be a security operations center and some other roles, like pentesters, working in a security space, but why not place a person in network or the server team?

Being in the room with the developers I'm able to build strong relationships within the team. I'm a security resource for them to bounce ideas off of and gain clarification on various security ideas and concepts. This makes things tremendously easier when I look to establish security processes and practices for the dev team. They see me daily and know that security is a priority. They also know that I see their successes and their struggles and that my goal is to help them be successful.

I believe this can apply to other departments. If security is involved the day-to-day operations of a team we are seen more as a resource instead of someone holding them accountable. We are still holding them accountable. The difference is that they can ask us questions. Why are we doing it this way and not this way? I'm finding people are much more amenable to security initiatives when we can explain why it's important and it benefits them.

This post first appeared on Exploring Information Security.

How to start a podcast

November 3, 2016

I can remember the exact moment I decided I would start a podcast. I was mowing my lawn. It was several months after recording a podcast at the Crawfish Boxes. It was our first podcast where we ranked the players in the Houston Astros' minor league system. I didn't produce that episode but I was excited to take part in more. When more didn't happen I decided to take initiative. I decided to produce the podcast my self.

Five years later I've produced over 200 hours of baseball podcast content. I'm well on my way to replicating that in the information security space. Consistency has been the biggest thing for me. I've managed to produce content on a regular basis. I've done that by getting my process down to a few hours. I prepare, produce, edit, and then release episodes in just a few hours. Getting started took quite a bit more time.

If your week is slammed with different obligations and hobbies reconsider starting a podcast. Starting a podcast is easy. Have an idea and then record it. The challenge starts with distributing and maintaining a podcast. With an emphasis on maintaining the podcast. If there are several obligations that take up time then it will be hard to make a podcast a priority. And that's the key to a successful podcast. The willingness to make it a priority. If you're there, (or at least think you're there) read on.

Have an idea

It took me a couple years before I had my own idea for an infosec related podcast. I didn't want to be like the other security podcasts out there. Talking about the latest news and ideas in infosec. I wanted something different. That's not to say you can't do what others are doing. Your voice is unique enough to do the same thing as others. For me I wanted something that was timeless and would provide value to others.

Once an idea has presented itself, I would recommend writing down the idea and format for the podcast. What is the duration of the podcast? What sections will it have? Is there a co-host? What do you want to cover? Is it focused on a specific topic or more general? What is the description of the podcast? What is the tagline? Who is this podcast for? Answering these questions will help get a clearer picture of what's needed.

Record it

My podcast setup is low-cast. I record using a soundcard that has a "What U Hear" function. With this input I record every sound made on the computer. The one sound that doesn't get recorded is my microphone, because it's a separate input. Which is why I use two Skype accounts and hook my microphone up to my laptop when recording guests. An alternative to this is getting a mixer. I've never used one so I can't provide any tips on using that instead.

A solo podcast is much easier to produce. A microphone and audacity is all that is needed. I use the ATR-2100 microphone and Audacity to record audio. The ATR-2100 is a $35-75 microphone that will provide 7 out of 10 quality. The more expensive professional microphones will provide a 9 out of 10 quality. The ATR-2100 provides a 7 out of 10 quality. The ATR-2100 is well worth the money.

Audacity is free and gets the job done. Software is available with a price tag for editing. That decision usually involves improving workflow.

Edit it

Audacity is where most of my editing occurs. While recording I will use the marker hot key to mark any points I need to review after recording. The default key mapping is CTRL + M. It took me a little time to get used to using it. Once I got used to it, I was able to edit without having to re-listen to the entire recording again. I could just go to the marker and make my edits. When working with markers you have to edit from the end of the episode to the front. Editing from the front will move all the markers.

Of course there is value in listening to the entire episode again. When I first started I would pick-up on things that needed improving on. Some examples include, improving the transition from topic to topic. Do things like reducing "uh" and "um" in our speech.

After editing, export the audio into a .wav file. Then run it through Levelator2. This tool will normalize levels and clean up the audio a bit. This makes listening to the podcast a little more enjoyable for the listener.

Once that's done the convert the .wav file to a .mp3 file for storage reasons. Wav files are big. MP3 files not so much. This will help with storage and improve download times for the listener. I use iTunes to convert my .wav files to .mp3 files. After that's done upload it to storage for distribution.

Store and distribute it

Storage is a cost. There are free options, but those are trickier and add complexity. I've used Libsyn and would recommend them. For me I discovered that I could host and create the RSS feed for my podcast on my own personal site. This made things much easier for me.

The last thing to do is get the podcast setup in a distribution platform. There are a lot of them. The most popular one is iTunes. This will be where you'll see most of your download traffic. Other podcast distributors include Stitcher, BluBrry, and many others. My current podcast is only on iTunes. That is the biggest distributor. I gain a much smaller amount of listeners submitting to other podcast directories. If a listener were to request another podcast directory then I'd submit there.

Submitting to a podcast directory is well documented by each site. You will need an RSS feed. There are many ways to setup one. Most storage providers like Libsyn will create an RSS feed for you. You can also do it yourself. Which is what I did for the four years of the Crawfish Boxes podcast. Currently, I'm using the EIS Podcast page on this site as the RSS feed.

Once submitted it usually takes a few days for the podcast to show up. I recommend having three episodes in the RSS feed before submitting.

Numbers to care about

If a podcaster got past 7 episode he is more likely to stick with podcasting and produce it on a regular basis. I'm not sure how true that is, but I feel like it there is some truth to it. In my experience podcasts stop because they're complicated to produce. Which leads me to my last bit of advice. If you want to keep at it, make the process as simple and as efficient as possible.

Resources:

This post first appeared on Exploring Information Security.

JavaScript, PowerShell, and GitHub

September 12, 2016

It's been a while since I've updated the blog. I've gone through a pretty big transition. I've not only switched jobs but also moved the family to a new state. My new rule is a dream job in application security. To improve my programming skills I've begun populating my GitHub page (which I started in 2015) with some personally crafted code.

JavaScript

I've been working on learning JavaScript the last few months. I've gotten to the point that I really need to start writing code to get a better understanding of it. The only problem is coming up with an idea. While I'd love to create an infosec related tool, nothing is jumping out at me. One idea that did come to mind is an app for the Blizzard's Overwatch.

I sometimes like to play a random character when it comes to a game like Overwatch. Unfortunately, Overwatch doesn't have a random character selector feature. I decided to create my own with NodeJS.

It's a simple app that requires node be installed on a computer. I hope to make it into an actual desktop app with expanded functionality. I'd like the app to eventually do comp suggestions or counter suggestions for particular characters. For the non-gamers, I want it to give players suggestions for playing certain characters based on different scenarios.

PowerShell

I've uploaded two PowerShell scripts to my GitHub page. The first provides a way for system administrators to disable multiple accounts in Active Directory. This was written back in 2014 when I was tasked with disabling 800 accounts in AD. It's three lines of code that takes a .csv file input of account names and disables those accounts.

More recently I was tasked with helping the development team find hardcoded IPs in a code base. I spent a couple hours on Friday doing some research on existing PowerShell code. I found a couple promising leads.

The first looks in a specific file for IP addresses.

$input_path = ‘c:\ps\ip_addresses.txt’
$output_file = ‘c:\ps\extracted_ip_addresses.txt’
$regex = ‘\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b’
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } | > $output_file

SOURCE

This works if you only need to look in one file. I needed to look into a large repository with multiple files. During my research I also had found this:

The code can be found at this link. This got me most of the way to where I needed to be. This specific code was looking for hardcoded IP addresses in system files for a user account. I needed to specify a path for the directory I wanted searched and also needed to get it exported to a .csv file for me to share with the dev team.

First, I changed $Root to $Input_Path and then defined the $input_path under in try{}.* Then I got the results exported to a .csv file by adding "Export-Csv C:\ps\extracted_ip_addresses.csv" to the end of the last line.

*Worth noting that the "I" needs to be captalized in the function FindFilesWithContent.

I also refined the regex a bit by changing what was in $pattern to this bit of regex found at this link:

(?:(?:1\d\d|2[0-5][0-5]|2[0-4]\d|0?[1-9]\d|0?0?\d)\.){3}(?:1\d\d|2[0-5][0-5]|2[0-4]\d|0?[1-9]\d|0?0?\d)

It only reduced the results by about 15-20%, but helps if you don't know what you're looking for. If the IP addresses being searched are known then the simpler regex, "(172\.\d+\.\d+\.\d+)" should work just fine. If the IP addresses being searched aren't know then the results will need to be sifted manually. The regex while good, will pull version and ID numbers from the code.

In all it took about two hours of research and two hours of fiddling with the code to get it to work. I am looking forward to my next coding challenges and sharing those here.

This post first appeared on Exploring Information Security.

Resources for marketing yourself better

July 20, 2016

I was recently asked for the resources I use to help market myself and alsowhy I chose Squarespace for my website. I use podcasts, books, and the content I produce to help improve my marketability. As for Squarespace, I like the convenience.

Podcasts

I listen to two podcasts with the intent of improving myself. I listen to Career Tools for business and professional etiquette. For personal improvement I listen to the Art of Charm.

I mentioned Career Tools in the EIS podcast on writing an infosec resume. Career Tools covers various topics. It gives advice on Looking for a new job. Email usage and relationship building with peers. As well as other basic business etiquette in a work environment. Having a solid resume and interviewing techniques is great for external marketability, but don't forget about marketing yourself in your current role.

To improve my soft skills I listen to the Art of Charm. The tag line of the site is, "Advanced social skills training for top performers." Every guest has accomplished some form of success. The topics range from improving relationships, getting ahead in business, or improving your lifestyle. The podcasts gives me a different angle to think about how I approach life.

These are two of the podcasts I found the most useful and enjoyable to listen to. They are not for everyone. Give them a try, but recognize that if they don't work there are plenty of others to listen to. Find the podcasts that work for you. Maybe podcasts just isn't your thing. Maybe your thing is reading.

Reading

I’ve always loved reading. Several books have had a huge impact on my life. One that I’m reading right now is How to Wow: Proven Strategies for Presenting Your Ideas, Persuading Your Audience, and Perfecting Your Image by Frances Cole Jones. The other I will recommend is What Color is My Parachute by Richard N. Bolles.

How to Wow covers several different topics in the professional world. Presenting, interviewing, managing, and more are all topics covered in the book. It’s helping me refine my approach to different aspects in my professional career. Self-improvement books are a genre of books that I've been reading for a while. I don't think I'd be where I am now without them (which may make for another post).

A more technical option for job seekers is What Color is My Parachute. The book is updated yearly with job-hunting trends and techniques. I used this book to help with writing a resume, performing a job search, and interview techniques. One of the lasting impressions the book gave me was the idea that there is no perfect resume. All that matters is if it results in an interview opportunity.

There are a lot of self-improvement and marketing books available. Asks friends, family, or colleagues for suggestions. Another book I recommend is the Seven Habits of Highly Effective People by Stephen Covey. The book is a classic that helps recognize and change habits in day-to-day life.

Website

I’ve messed around with Blogger and I’ve helped manage a few WordPress sites. I choose Squarespace because all I have to do to maintain the site is post content and pay a monthly fee. The fee is between $9 and $16 a month, depending on how much content you put up on your site. After 20 pages it bumps up to $16. Which is where I’m at (I actually pay yearly for the discount). There’s a two-week trial available for those looking to test the waters.

I wanted a clean simple look for my site and that’s what they offered. I was able to choose my theme and go. I uploaded my content and setup links to all the external content on my site. The toughest part was writing the about me page. I don’t have to worry about patches or any other maintenance that occurs on other platforms.

WordPress experience isn’t a bad thing for someone looking to get into IT. I’ve had to manage (and cleanup) a few WordPress sites during my time. It’s also a good opportunity for those interested in web development. For me I’d rather pay for the convenience than deal with the hassle. I’ve got several other things going on in my life and website maintenance isn’t one of them.

Conclusion

The resources I rely on to help with that are podcasts, books, and a website. The podcasts I use include the Manager/Career Tools podcasts and the Art of Charm. Manager Tools focuses on business etiquette. Art of Charm focuses on self-improvement. There are a variety of books that have helped me better market myself. I’m currently reading How to Wow by Frances Cole Jones. I’ve used What Color Is Your Parachute by Richard N. Bolles for resume and job search advice.

I started a website because I wanted to collect all my content in one place. It also allows me to control how I am presented on the web. When someone searches my name I want them to be able to find my site and find out who I am and what I’ve done. There are plenty of website options available. I chose Squarespace because it gives me a clean look and convenience.

Marketing yourself is an important aspect of a professional career. It can help highlight experiences but also who you are as a person. It is valuable for getting into infosec, but also for advancing your career.

This post first appeared on Exploring Information Security.

How to build a home lab links

June 17, 2016

This past week I presented on getting started building a home lab at CircleCityCon and ShowMeCon. Below are the resources and content Chris Maddalena and I created around the topic.

Google slides - ShowMeCon

Google slides - CircleCityCon

YouTube - BSides Detroit Talk

YouTube - ShowMeCon talk

YouTube - CircleCityCon training - part 1

YouTube - CircleCityCon training - part 2

How to build a home lab - Exploring Information Security podcast

How to make time for a home lab - Exploring Information Security podcast

What is another home lab use case? - Exploring Information Security podcast

This post first appeared on Exploring Information Security.

Josh Huff presenting at ColaSec - March 2016

How Josh Huff got into information security

May 29, 2016

I've gotten a lot of good feedback form the most recent episode of the Exploring Information Security podcast, "How I got into information security." People seem to like the solo podcast. More importantly a lot of people identify with my story. Some had a similar story. Others appreciated the story as they were in the process of getting into information security.

One such person is Josh Huff. Whom I've gotten to know the several months personally. He's a regular at our ColaSec meetings and recently found his own way into infosec. He shared his story with me.

"I was raised on technology. I was computing on Commodore 64 at the age of 5 and playing Atari 2600 video games. So growing up I saw, used and played with most forms of technology as it developed into what it is today. (Does anybody miss Palm Pilots?) I wasn’t sure what I wanted to study in college. Since I was comfortable with technology and I liked math and science mechanical engineering was my choice.

Although I learned some awesome things about the business and manufacturing world being an engineer was NOT my calling. I changed my major to business. I changed colleges a couple of times. Then at some point in my part time college job, I took a promotion into full time retail management. Now my comfort level with technology was used to teach and sell technology to customers and train my sales staff. Retail management wasn’t perfect as a career by any means, but it was a good fit for my skill set and I was good at my job. I was good at it for about 13 years in fact.

As my son grew older and family time became a much higher priority I had to make a career choice that would get me off the retail work schedule. So in May of 2015 I started studying everything InfoSec related I could find. At this point I also quit my job and enrolled in technical college. I realized all my old college credits weren’t far off from an Associate’s degree. In just under 2 semesters I got my degree and started looking into how I could land a job in information security.

Podcasts, blogs, an InfoSec twitter feed and security books were my source of guidance. The biggest challenge with learning this way was “drinking from the fire hose” which means taking in way too much to learn anything. I was reading about pen testing, malware, lock picking, network sniffing and cryptography. I researched coding, firewalls, forensics, open source intelligence, networking, vulnerabilities and social engineering. Everything I read was interesting, but I didn’t know how I proceed to this magical job in security. I needed to network with real people that were working in security and find out what they do and how they got there.

I looked online for local meetups. There were some community groups like a Linux user group, open hack Columbia and something called ColaSec. ColaSec had a meetup 3 days later. Plus they said it was an open invitation group, so I just decided to show up to the September meeting.

I wouldn't call myself shy, but getting out of your comfort zone and just going out to meet new people can be tough. If you are looking to get into security find your local city ‘Sec’ meetup and go! If the people you meet are half of what I found at ColaSec it will be worth your time.

I walked in, introduced myself as a tech and security enthusiast. People said hi and gave me pizza and beer. They were hanging out talking about random security news then a speaker gave a talk about building a security framework. There was a table in the back with practice locks and lock picks and people were drinking an adult beverage or two. I HAD FOUND MY PEOPLE!

Once the meeting was over everybody was kind of hanging out so I introduced myself to a few of them. I met a few people that worked in a Security Operations Center. There was several help desk managers and a technology course instructor present. There were also people on the job search like me. A conversation about security conferences led to an invitation to one in Kentucky called Derbycon. Tickets sold out, but I managed to snag one last minute and headed out of town to my first security conference.

On the way to Derbycon I checked the speaker list. I found that a few authors of my security books plus people from my twitter feed were going to be at this conference. I decided to meet as many of them as I could. Derbycon itself is worthy of its own write up, but in short it was awesome. I got to keep meeting and talking with real security professionals. They were open to answering questions and connecting on twitter and I continue to stay in touch with many of them today. I learned a lot of other people’s career paths that led to information security.

When I got back from Derbycon I felt like I had direction. I started applying to some help desk and technology jobs to try and get my foot in the door. I revised my resume and evaluated my past skills into how they could help me in a security related position. This started a roller coaster process. As applications and interviews started to pile up frustration started to settle in. Repeat… wait… apply… repeat. I had one interview that I thought went well and a few pings on my resume that had placed me into consideration. I felt things were looking up again. The promising job lead fell through. Then the 'under consideration' jobs decided not to fill the position.

This is the point in the story where desperation may have kicked in. I took a hard look at what I wanted from a security job and it wasn’t a help desk spot that I could work my way up from. Open source intelligence (OSINT) was my favorite subject so I decided to find people I could talk to again. It seemed that military or law enforcement background was a prerequisite for a job in OSINT. I thought about who I could talk to about this and I looked up private investigation firms in Columbia, SC. Through the ‘contact us’ part of the PI websites I shot a quick introduction email. I gave a brief description of who I was. I described what I was studying and asked if they were hiring. I also said if they weren't hiring I would be happy to just talk OSINT and find out how they used it as investigators. I got a phone call from a private investigator 1 day later.

I chatted with the investigator for a few minutes and he asked for my resume. It turns out the background in law enforcement or military wasn’t an issue. So a few hours later I was called for an interview. The position wasn’t exactly OSINT, but they had need of a digital forensic analyst. My technical background led me through the interview with ease. 1st interview led to a 2nd interview which led to a tryout in their computer forensics lab. The tryout went well and I am now over 3 months into my role as a digital forensics analyst. I get to work in a forensic lab doing cool stuff with all types of technology and in between cases I talk OSINT with the other investigators.

I’ve listened to a lot of stories about how people got their InfoSec job. There doesn’t seem to be a defined path or perfect guide out there, but this is my path. I hope by sharing my path that somebody finds some facet of my story that they can apply to their own career path. If I could re-iterate just once point of my story it is to go out and talk to people. Information security is about the people that drive the technology. If you don’t know how to apply information security it in real world scenarios go talk to the people that do. It will likely be a fun journey."

This post first appeared on Exploring Information Security.

Getting into information security via military service

May 21, 2016

I see a lot of self-study and going to college advice for those looking to get into information security. I would like to recommend another option. Join the military. People joining the military get training, real world experience, and money for continued education.

Now, the military isn’t for everyone. Yes, there is a chain of command filled with people who give out orders. And yes, those orders need to be complied with. The thing about that is that most people know what they’re doing in the military. It's usually not an issue. And that's because the quality of people in the military is top notch.

Joining the military is no small decision and it shows in the people that serve. I had several really good mentors in the military that helped shape who I am as a person. Not only did I enjoy the benefits below, but I learned a lot from those mentors. I gained a strong work ethic. Learned communication and leadership skills. And I had a lot of fun doing it.

The lifestyle is a lot different. The first couple of years involved moving around quite a bit. Moving from a barracks to a dorm to another dorm to a different base. Then off-base to an apartment. I spent a year in the midwest, three years one the west coast. Then two years on the east coast. If you like traveling there’s plenty to be had in the military.

Then there's the uniform. Sure, I couldn't pick my close, but that made things easier. Each day I woke up and new what I had to wear. I also saved quite a bit of money on doing laundry, because I could wear the same uniform for a few days. Usually, I was just changing my undergarments.

Training

My first military contract had me set to be a paralegal in the Army. That fell through and I ended up joining the Navy as an electronics technician. That contract came with a $7,000 signing bonus. I had two months of basic training. Two months of basic electronics training. Four months of communication electronics training. Three weeks of miniature/microminiature board repair training (2M). All that in my first year. I was also sent to radio, aircraft load out, instructor, Humvee driver and forklift operator training. When it comes to training the military is one of the best.

I joined in early 2001 and IT (let alone infosec) positions weren't as well defined. Now that the digital age has matured, there's a much stronger focus on information security. That means the programs are much more prominent in today's military.

Real world experience

During my time in the Navy I did a little bit of everything. I pulled cable. Moved phone lines. Setup computers. Troubleshooted computer issues. Setup communications for field exercises. Inventoried and maintained radio equipment. Setup switches. Created user accounts. And that was all at my first command.

My second command involved a lot more IT work. I learned how to rebuild a server after it crashed and no backups were available. I trained personnel on email usage. Took part in my first workstation refresh, swapping out old computers with new ones. Patched systems. Updated anti-virus. Troubleshooted more computer issues. I leaned on a lot of that experience when I got out and started looking for a job.

I also got the opportunity to do a lot of fun stuff. Train with Navy SEALS. Face-off against the Canadian Army in multi-nation exercise. Jump waves on the Pacific Ocean in a Zodiac Hurricane. Just to name a few.

Money for continuing education

The GI Bill is one of the best benefits received from joining the military. I paid for school and a Network+ certification with it. Last year I graduated from the University of South Carolina with a degree in media arts. All paid for by the GI Bill. I knew coming out of high school that if I went to college I would be wasting my time and my parents money. I wanted to get some real experience and get college paid for when I was ready to go.

The GI-Bill is even better now then when I first started going to school. A year or two after I started taking classes, the GI-Bill changed. Not only was school paid for, but I was making a little money on the side. As long as I was taking more than half a load of classes I got basic allowance for housing (BAH). Which is a significant amount of money. This really helped when we started expanding our family.

Final thoughts

The military is a great option for people looking to start a career. The military does a great job of training and giving it’s members real world experience. A lot of that training and experience translates to the real world. For those looking to get into information security, the military has some good programs. When I joined, I had no idea of the career I wanted to be in. That was okay, because when I knew what I wanted to do I could lean on a lot of my experience.

Serving the military is a massive commitment. Again, it’s not for everyone. It is a viable option though and one that I recommend exploring.

This post first appeared on Exploring Information Security.

Improve WordPress security in three steps

April 4, 2016

WordPress websites allow individuals or organizations to get a website stood up quickly. With easy customization, WordPress is a flexible and powerful platform for websites. Unfortunately, because they're easy to setup security often times gets overlooked. Outdated and unused plugins can lead to compromised website. That compromise is typically in the form of redirects to malicious sites that try to install malware on a visitors machines. Most of the time an owner is unaware of the compromise.

All hope is not lost. There is a way to securely run a WordPress site.

These three practices will help maximize security on a WordPress site:

Run only the programs needed
Run a security plugin like iThemes
Keep all plugins up-to-date.

The theme here is plugins. WordPress itself is a well built platform. The security issues that arise from the core are minimal. What makes WordPress sites vulnerable are plugins. The reason for that is that anyone can create a plugin.

Only run the plugins needed

I get it. We see a plugin we like and install it on the site to try it out. We forget about it or we deactivate it to try another plugin. That plugin sits there and sits there. And sits there. And sits there. If a plugin has been sitting there for a while remove it. A deactivated plugin is vulnerable to exploitation. If it’s deactivated remove it. It's just as easy to reinstall later.

If this is for an organization the same IT principles apply. Deactivate any active plugins that seem unnecessary or unused. Wait for a period of time to ensure there are no adverse affects, then remove it. A plugin installed on the site, even if it is deactivated, is still vulnerable to a malicious actor.

Run a security plugin

There are plenty of good security plugins available for WordPress. A security plugin will add more features and settings to help make a site more secure. Here is a list of seven courtesy of Infosec Institute . I’ve only used iThemes, so I can’t speak to the quality of the others. Try out a few and see which one works the best. Remember the section above.

Keep WordPress and plugins up-to-date

Most vulnerabilities in WordPress-based sites aren’t from WordPress. They are usually from the plugins installed on the site. The core itself is pretty solid. The plugins are usually what make the site vulnerable. Look for plugins that are kept updated. Then update when a new version is available. It’s as simple as that.

The update process is quick and painless. Make sure to have good backups. Some hosting providers will provide this feature. Login to the site weekly to check for an update. A weekly reminder works wonders.

Conclusion

Only run plugins needed on the website. That means removing all unused plugins. Install a plugin for security. There are several available. I’m the most familiar with iThemes, which is why I recommend that plugin. Try out a few and find one that fits the website the best. Keep all plugins up-to-date. Even if the website isn’t logged into on a regular basis. Set a reminder and login once a week to check for updates.

WordPress sites are one of the most vulnerable platforms out there. One of the reasons for that is that a lot of people use it. A lot of people use it, because it is an easy platform to setup and maintain. That goes for security on the platform as well. Follow the three pieces of advice above and help make the internet a safer place.

This post first appeared on Exploring Information Security.

Success doesn't require following your passion

February 15, 2016

“Follow your passion” is a phrase often given as career advice to people getting into a field. I don’t like the this advice. It sets high expectations for someone trying to break into a field and it has the potential to lead to burnout. Note the second definition about in the image above.

There’s nothing wrong with using passion as motivation, but that same emotion has a dark side. Instead of following a passion, bring it to your daily work. Look for value and unique skill sets that will provide a positive impact.

Following your passion isn't helpful advice

I first started to question “follow your passion” early in 2015. It was while listening to an episode of the NPR TED Radio Hour titled success. In that episode there was plenty of talk about following your passion for success. Well, except for Mike Rowe. For those unfamiliar with Rowe, he had a TV show titled Dirty Jobs. Rowe would go with a film crew to various locations to work for a day doing a less than glamorous job.

In his TED talk he described the people doing these dirty jobs day-to-day as happy. No one follows their passion to be septic tank cleaner or a road kill highway picker upper or a bait seller. Yet, that's what these people did and they were successful. 40-50 of the 200 people he followed around were multi-millionaires. He suggests that instead of following a passion, bring passion to the work.

A recent Art of Charm podcast featured Cal Newport and he has another angle. In the episode he debunks the “follow your passion” advice. The people that give the advice usually give it because they can't explicitly explain why they've been successful. He says, instead of following your passion you should let your passion follow you. He talks about finding the unique skill and valuable skills in your daily work that makes you stick out. What creative solutions can make systems and processes run more efficiently. That's what these successful people have found in the work they do or the content they create.

Reflecting on my career

Coming out of high school I was set to go into the Army as a paralegal. Instead I ended up in the Navy as an electronics technician, after my contract fell through. Would I be more or less happy in that role? I don't know. I'd like to think I would be just as happy in a legal career as I am in my IT career. I've seen people passionate about computers and I can safely say I am not one of them. What I've enjoyed is solving problems. Building new programs and systems and optimizing ones already in place.

In my daily work I've looked for ways to make the most impact and make things run better:

I’ve implemented a remote access and software deployment solution for the help desk. They had to manage computers all over the state. Before the solution they had to travel for the simplest problem.

I also took our unused IDS solution and setup a one-man security operations center (SOC). Computers I found talking to countries outside of the US I had a technician investigate for malware.

I’ve cleaned up content filtering rules and rebuilt servers to interfere with operations less. That led to management tasking me with important projects. Implementing security in the software development life cycle (SDLC) process. Hardening our computers and securing our websites. I didn't follow my passion to any of those areas, I brought it with me. What's allowed me to be successful is following through on tasks and improving what's already in place.

Of all the work I've done, I found that I really enjoyed working in application security. If there’s one area I would love to move into it would be application security. Yet, I also enjoy building new programs and making a positive impact. I currently work in a SOC. It’s not the most exciting experience for me, but I’m learning what I can and trying to improve or build out new processes. I’m trying to learn the nuance of a SIEM and the challenges of being a SOC analyst. I’m bringing my passion with me and learning the skills that provide value to the organization.

Conclusion

It’s okay to be in a field and not be passionate. Success isn't found by following your passion. It's by bringing it with you. If you’re among those that are passionate about a particular field, that's awesome. I know a couple people like that and they live and breath the work day and night. I contest that’s a rare thing.

For the rest of us look for enjoyment and fulfillment in everyday work. Try to identify what can make the most impact in your organization and your career. Bring the passion or let it follow you. Success will be sure to follow.

This post first appeared on Exploring Information Security.