How to focus on learning

So it seems that since my move life has been a bit of a blur. I’ve had to figure out where things are in the area, what vet to go to, get my license & plates changed over, and not the least of all, make sure all the bills get paid on time from the old house or the new apartment. While stressful, none of this is work related. I’ve been struggling to get time to sit down and learn new things like python scripting to plug into the API for the tool we use, or even get better with Linux to broaden my technical skills.

I even have an idea kicking around in my head for a talk about the information security field and our constant thirst for knowledge but I haven’t had time to sit down and flesh it out. While some of you may be saying “yep, that’s life”, I wonder about those who struggle with time management and how they can continue to learn. When you have a long commute, or take care of a loved one (child or senior) in your off time, how do you manage to stay on top of things and remain relevant? Do you mainline espresso and forego sleep? Read articles when you’re on the train? Give up hobbies you loved in the past to keep up in the industry?

If you could leave a note and let me know what tips or tricks you can impart I’ll make them part of the talk I’m putting together regarding Infosec knowledge sharing.

Greetings from Michigan

Sorry for the long delay between posts. Life has been a little up in the air lately. I am now living near Detroit, Michigan working for VioPoint as a Senior Security Consultant. I had always said I didn’t want to be a consultant because of the travel required but this job seems to fit the requirements of “less travel”. I haven’t had to travel at all yet thankfully so we shall see if that continues.

The team I’m working with is awesome and many of you know them. @ZombieTango, @Dthom, @B31tf4c3, and @JimmyVo are all here and we’re headed up by @jwgoerlich. I’m slowly getting myself settled in my new apartment; the house was sold in short order and the only problems I’ve had are with crapcast, so all-in-all it’s been a decent transition. I will be posting periodic work-related blogs on the VioPoint blog at http://www.viopoint.com/blog/. You can catch my first one there regarding auditing automation, and look for new ones coming later. As for this personal blog, I just got it back up and running so I will assume that I will be posting more in the coming weeks/months. Keep checking here or Twitter to see if I can keep that up.

Until then I’ll be taking in the fall colors in Michigan and trying to learn as much as I can about the consulting gig.

THOTCon & Bsides Chicago

Well I’ve had a few days to recover from the awesomeness that is the Chicago Con Weekend. This year I was able to ride/stay with a friend from GrrCon who was attending with some coworkers, meaning the base for operations was in the city. This proved to be good for location but only average for room quality.

Friday morning we headed to THOTCon for networking, beer, food, talks, and just all-around awesomeness. Although I didn’t see all the talks I wanted, or the people I wanted to meet, I was able to catch the keynote, Ben Ten’s “Creating A Powerful User Defense Against Attackers”, James Arlen’s “The Message and The Messenger”, “Cyberwar” with Josh Corman & Jericho, PhreakingGeek’s “Y U No Sanitize bro?” and David Schwartzberg’s “Fun with Exploit Kits for Tech Support”. You can find the information (but no recordings) at www.thotcon.org.

Most of the talks I was able to see were good (the ones that weren’t don’t read my blog anyway). The information presented was relevant, and the speakers held their own on stage. James’ talk about presenting will help when I speak at GrrCon later this year, but I think the Cyberwar talk was by far my favorite. So much information was condensed into an hour talk it was hard to take it all in. What I did like was the discussion about the audience being a “cyber militia”. You do have to wonder if we all had to “fight” online, how many casualties would there be?

Saturday morning had us on the way to Bsides Chicago. This was set to be my first CTF experience and I wasn’t sure what to expect. I brought pretty much every piece of electronics I own with me and the weight of it tore my backpack. Learning how a CTF works and banging my head against the wall for most of the day was ironic when Nicolle Neulist’s talk about how to start with a CTF was at the end of the day 🙂

The CTF itself was not only brain-draining but a lot of fun! The challenges were set out in groups based on easy/hard/etc. When you get so close to solving one without knowing exactly what they are looking for, it can be frustrating, but seeing the points go up on the board makes it worth it. I was able to capture 8 flags total in what I feel was a respectable showing for a first-timer!

The THOTCon after-party was downtown and had good food and drinks as well as DualCore on the mic for a short period. More people were met, more hands shaken, and more networking all the people!

All-in-all it was a great weekend and I’m glad I was able to see/make friends and most importantly learn a lot! Looking forward to Source Conference Dublin in a few weeks so I will see some of you again soon!

DLP and Business Needs

Well it’s been a while and I wanted to write an entry about something that I’ve been dealing with lately: Data Leak Prevention, or DLP.

Most non-IT people know about DLP only when the IT organization contacts them to let them know they did something they shouldn’t have. For those of us that have to deal with the policies, the alerts, and sending those notices, it can be more complicated. You start with crafting the policies based on corporate standards, other organization requests, and maybe some good ideas. The alerts start coming through, and you take action where appropriate.

The issues start to happen when something triggers an alert-only policy and you notify the appropriate group, and they ask “well why was this not blocked?”. You begin to describe what policies monitor items versus the ones that block. You try to explain that you can’t block everything, the business still needs to get work done! An example of this is where you block a Word document from being sent from the company. Someone takes that document, scans it to create a .tif file and sends that out. The other organizations that don’t understand the technology will expect that file to be blocked as well…”Well it’s the same document!” Other issues can arise if someone is authorized to use USB devices, but you’re expected to block them from taking specific data that you’re notified about after the fact.

Like other security solutions, the promise of “Data Leak Prevention” is not perfect. The business expects DLP to work flawlessly and as those of us in the infosec community know, there is always a way around any restriction. Implementing DLP requires someone who understands the business needs to set up the policies and tweak them as appropriate. It also requires someone to monitor the alerts and either send a notification, escalate as appropriate, or update policies to catch something that was not getting the visibility it should. What can be the most difficult is trying to translate this process to business customers who tell us what they want to see or know about.
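As an added illustration (not any vendor’s DLP engine), the toy policy evaluator below models the two policy kinds described above: alert-only rules that notify and block rules that stop a transfer. It also reproduces the scanned-.tif gap: a rule keyed on extracted text fires on the Word document but has nothing to inspect in the image. All events, markers and policy names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Event:
    """One attempted data transfer as a DLP agent would see it (constructed sample)."""
    user: str
    channel: str             # "email" or "usb"
    filename: str
    text: Optional[str]      # text the content extractor recovered; None for images


@dataclass
class Policy:
    name: str
    action: str              # "block" stops the transfer, "alert" only notifies
    channels: Set[str]
    markers: Tuple[str, ...] = ()   # empty tuple = any file on the channel matches

    def matches(self, ev: Event) -> bool:
        if ev.channel not in self.channels:
            return False
        if not self.markers:
            return True
        if ev.text is None:  # scanned .tif: no text, so content markers cannot fire
            return False
        return any(m.lower() in ev.text.lower() for m in self.markers)


# Hypothetical policy set: block marked documents leaving by mail,
# only alert on USB copies because USB use is authorized for some staff.
POLICIES = [
    Policy("Confidential outbound mail", "block", {"email"}, ("CONFIDENTIAL",)),
    Policy("USB copy by authorized user", "alert", {"usb"}),
]


def evaluate(ev: Event, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return the verdict ("block", "alert" or "allow") and the names of the rules that fired."""
    fired = [p.name for p in policies if p.matches(ev)]
    if any(p.action == "block" and p.name in fired for p in policies):
        return "block", fired
    return ("alert", fired) if fired else ("allow", fired)


if __name__ == "__main__":
    doc = "CONFIDENTIAL: Q3 budget"
    for ev in (
        Event("alice", "email", "budget.docx", doc),   # blocked by the content rule
        Event("alice", "email", "budget.tif", None),   # same document, scanned: allowed
        Event("bob", "usb", "budget.docx", doc),       # alert only, noticed after the fact
    ):
        print(ev.filename, ev.channel, evaluate(ev))
```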

Has anyone had any success explaining the nuances of DLP software to the business? If so please note and share some suggestions.

Security Job Titles Revisited

So I had another thought along the lines of Security Job Titles. I threw out a tweet regarding the “Team Lead” title. There are a number of people that I’ve discussed this with at my day job and the opinion varied between a manager-in-training and the most technical of the team. While I think my coworkers are pretty knowledgeable, they don’t necessarily know what goes on outside our company so I thought I’d ask what others thought: “Team lead: top techy on the team or manager in training…and why?” Here are a few of the answers I’ve gotten from followers on Twitter:

While they left off the “…and why?”, I can understand the line of thinking. Others were definitely in a similar mindset but provided some additional detail:

  • @securityninja – “For us it is generally management as well as lead techy, we are line managers for the team and all others in it”

Two people came close to what I would assume when someone tells me that they are the “Team lead”:

  • @rogueclown – “manager in training. i’m surely biased, but i’d still like to spend my time dealing with cranky computers, not managing people.”
  • @georgiaweidman – “id say the one with the best skills for managing regardless of whether job title is tech or business side. case by case basis”

There were also those that pointed out that someone else shouldn’t choose for the individual and I completely agree:

  • @jjarmoc – “either, sometimes both. But forcing good techies into management roles is often a mistake.”
  • @DSchwartzberg – “I believe it’s up to the individual. Why-because any role you take can be what you make of it. Criticism comes with the outcome”

I think that when it comes down to it, the title is going to vary based on the company. Some organizations may see it as the most technically capable person on that team, where others may see it as a mid-level management layer to keep the day-to-day operations going. One suggestion I can offer is to split the title in two: Tech Lead / Team Lead. One for the most seasoned/knowledgeable, the other for the area manager.

The one thing that I’m getting out of all this is that a job title can’t tell you what a person is capable of or what they do day-to-day. Leave me a note and tell me what you think. Are job titles a convoluted jumble of words or something you should fight for and own as part of your career?

Security Job Titles

I was seeing job postings the other day through one of my email blasts that I receive and it got me thinking. Who comes up with these job titles? When I worked for a small CPA firm and I was allowed to choose my own title, I chose “LAN Administrator”. It fit my job fairly well: I was responsible for the servers, the network, the PCs, etc. I moved to the helpdesk, and for a while I was a “Helpdesk Analyst”. A title that also makes complete sense. After a year or so though, HR decided to change our titles in IT. I got changed from the “Helpdesk Analyst” to a “Systems Software Engineer Analyst”. I had never engineered anything but a good case of loathing for users at that point.

When I moved to the Security Administration area, my title changed to a “Systems Software Engineer Specialist”. Again, complete and utter nonsense. I was a security administrator. Create accounts, grant rights, revoke rights, delete accounts, rinse, repeat. The only thing I was specializing in was creating copy/paste emails to send to users who were impatiently waiting to get Microsoft Visio.

Within a couple years I got promoted to an “IT Security Specialist”. Hmm…ok, at least this is a little closer. We were no longer called “IT Security” but working in Information Security, I at least had “security” in my title! Then HR comes in and says they are going to change things again. They were going to have “HR Titles” and “Internal Titles” because HR titles needed to match other jobs in the industry while our internal titles would more closely match what we actually do. I was skeptical and it turns out it was warranted. It took them until I was promoted again to finally take hold. My HR title became “IT Security Sr Specialist”, while my internal title became “Vulnerability Management Senior Specialist”. While I’m trying to get more into the Vulnerability arena, it’s a very small part of what I do. I still do governance of the Security Administration area, I do some vulnerability scans, some security awareness, and a host of other “who can we get to do this” tasks. Someone who is a level above me at our company is listed as an “IT Security Sr Tech Specialist” yet my job is much more technical than that person’s.

I considered consulting our HR group on this issue but I didn’t think I would get very far, so I reached out to my friend @HackerHuntress and asked for her opinion on my confusion. She talks with job seekers as well as hiring managers on a daily basis. Her response cemented my opinion that job titles are really not geared towards what a user does and more towards being able to gauge a salary band the user can fit into.

I asked her a couple questions including if she saw the title discrepancy and if so where, any tricks for our friends out there trying to find a job and deciphering the job postings, and if she thinks HR would ever get in the game and match titles to what we actually do. Her response was very informative in that she has seen the job title game played mostly at companies with internal security practices. (Think F-500 companies that do their own security but don’t do security as a service). Her comment to this was “Most companies, though, go the ‘security specialist’ or ‘security analyst’ route. In my experience a security analyst can be anything from a firewall engineer to a QSA.” She doesn’t hold out any hope that HR will ever get to the point that they are lining up with what the security individual is doing because most don’t know what the user’s responsibilities even are.

On the topic of how to assist our friends still looking for jobs, she said to talk to recruiters & hiring managers. Getting as close to the person as you can who is doing the hiring will help you in determining what you are getting into at that company. You may be listed as the ‘Security Guru’ in a large company but if all you’re doing is making sure everyone is swiping their ID badge as they walk in, it may not be the job for you.

Secureholio
-Chief Cook & Bottle Washer

GrrCON & DerbyCon

Although this is quite late, I think I need to write a post on the amazing time that I had at GrrCON and DerbyCon.

Well I started out the long weekend with a trip up to the speaker dinner for GrrCON (They actually wanted me to present something! Joke was on them! 😉 hehe). Grand Rapids is around two hours from my house so it wasn’t a long trip to start. Dinner was good, and I had some good conversations with David Schwartzberg, Nick Percoco, and Rafal Los in addition to the organizers & presenters of the conference. What I was not aware of was that the person I was staying with that evening lived an hour outside of the Grand Rapids area. We didn’t leave the dinner until after midnight local time so sleep was hard to come by for the day of my talk.

When I got to GrrCON and finally downed enough coffee and sugar to stay alert the rest of the day, I proceeded to wander the floor. I spoke to a few vendors, said hi to some friends, and even caught a few talks before it was time for me to speak. My talk on Infosec Flameout seemed to go over well, and although I didn’t quite make the times that I did in practice sessions, I hit a respectable 17 minutes for a 25 min talk. This left time for some audience participation & questions, and there were quite a few great comments from some of the attendees. I was not only able to reconnect with some people I knew, but also to create some new friendships that have been really beneficial as well.

I took the lazy way out that evening and drove home to sleep in my own bed before heading down to Derby for the remainder of the weekend. The ~4 hour drive wasn’t too difficult and I was there in time for some of the talks on Friday evening. The two conferences definitely had some differences also. Where GrrCON was held in a conference center and had a more traditional feel, DerbyCon felt more like a bunch of friends hanging out at a hotel. Derby also seemed a little more hectic because of the amount of people in the setup at the hotel lobby.

The talks that I was able to catch at both events were pretty decent and I only walked out on one. I’ve listed each (except for the one I walked out on to protect the innocent) below if you want to watch them when they’re posted. Next year the organizers have also ensured that the two conferences are on different weekends so you can attend both. I will definitely be trying to go to both if possible. Guess that depends on if I can save enough pennies!

As I stated in my talk at GrrCON, networking with the community is incredibly important. You need to have friends, contacts, whatever you want to call them. They are invaluable for advice, help with finding a job, or just someone to bounce an idea off to see if you’re on the right track. So next time a conference is near you, get out there and get involved!

Talks at GrrCON:

  • House of Cards – How not to Collapse when Bad Things Happen – Rafal ‘Wh1t3Rabbit’ Los
  • Punch and Counter-punch with .Net Apps – J Wolfgang Goerlich
  • Mobile Attacks: What will the future bring? – Nick Percoco

Talks at DerbyCon:

  • Jayson E. Street – Securing the Internet: YOU’re doing it wrong (An INFOSEC Intervention)
  • James Arlen – Doubt – Deceit – Deficiency and Decency – a Decade of Disillusionment
  • Robert (Arch3Angel) Miller / Boris Sverdlik (JadedSecurity) / Rafal Los / Heather Pilkington / Krypt3ia – Bring your own doom or sane business decision
  • Michael Schearer – Flex your right constitution and political activism in the hacker community
  • Benjamin Mauch – Creating a powerful user defense against attackers
  • Boris – You Can’t Buy Security. Building an Open Sourced Information Security Program
  • Andy Cooper: Why Integgroll sucks at Python… And you can too
  • Chris Jenks: Intro to Linux system hardening