Thursday, August 11, 2016

My Biggest Weakness

Most job interviews ask the question "What is your biggest weakness?". Some can give answers that aren't really weaknesses at all, but reworded strengths to get around answering the actual question. After working not only in infosec, but the technology industry for so long, I know exactly what my biggest weakness is. For the most part I cannot speak in absolutes (see what I did there). I can't tell a customer "Yes our product will catch this ransomware", "Our customer service will handle your case this way each time", or "This blinky box will fix this issue". The only way I can speak in absolutes is when I have all of the data from a specific incident and can prove that it would happen with hard facts. Science yo.

Part of me thinks that this behavior is one of the larger results of my lack of self confidence in what I do day to day. The other part of me stands firm and says "No, that's bullshit. You don't KNOW for a fact that it will do X, because you don't have all of the data. Telling the customer that is being honest and not blowing smoke up their asses". We all constantly have Sales Engineers giving us flashy sales presentations on how their tech is the best in the market and always has been, while we attempt to separate the actual technology from the sales and marketing pitch.

I've always been trusted by my peers and leadership to offer up point blank and blunt honesty when asked. I've given that on interviews as my biggest weakness before. Honestly it can be a weakness, and not speaking in absolutes is a subsection of that. I'm not going to tell you a lie to make our company or myself look any better than we are in reality. I've turned down some amazing career opportunities due to the lack of confidence I have in a company or product. I knew that I wouldn't be right for the role because I'd have to bullshit my way around the true facts of the technology too often. Giving the answer "I can be too honest sometimes" in an interview can steer the conversation in a few ways. I've been asked to give an example of times when I was too honest and it bit me in the ass. Actually that doesn't happen extremely often, but it can rub people the wrong way or make them think I'm not as good at what I do as the next person. I may or may not be better than the next person, but at least you'll know what I'm telling you isn't sugar coated.

I'd like to think I'm not too harsh or a ballbuster when stating the facts, but I do know that I can come off like that to certain personality types. I've been told to speak in absolutes for everything before, and the first time I've felt comfortable doing so is when writing my book. The reason? Because I've researched the hell out of every piece of it. My biggest fear is letting others down or misinforming someone that is reading it. I am able to speak authoritatively because I've had the time to do the research and come up with enough information to put it forth in the writing. This is something I constantly struggle with, as well as overwhelming self doubt on a regular basis, but continue to work on daily.

Either as a customer or practitioner, where do you stand on the matter? If you're paying for a service or looking to get a service, do you have red flags that appear when someone guarantees you a product will do something? I think in this day and age you should. Every piece and part of our moving industry changes daily; there isn't a piece of software or hardware out there that is guaranteed to work 100% of the time. When there is a 100% is when I'll be comfortable phrasing sentences with "This WILL" or "EVERY TIME".

Wednesday, July 20, 2016

Security for the Masses

Not long ago I was talking to my mom a little about what I do. I explained to her the intricacies of implementing solutions, securing large organizations, and some of the overall struggles we face day to day. After this conversation she came to me and said that I should write something about how the average person should be mindful and protect themselves day to day on the internet and on their computers. While this won’t be super technical content, I do hope that it will be an article you can share with your family members, friends, and coworkers on how to better keep themselves protected.
This is going to be a sort of laundry list of ways that the average computer user can better secure their life day to day. Being in the information security industry, I see super scary hacks and ways that bad attackers can take advantage of everyone. While I won’t go into what all of the scary things are, I’ll list the top 5 categories that will give the biggest bang for your buck.

Password Security

    Password security can be difficult depending on how you handle it. You have a hundred things that you need to use passwords for, and there is no way that you’ll be able to remember them all, right? Wrong! That’s something that we all have to deal with in this day and age. There is a type of software called a password manager that you can install. This software will allow you to have a strong, unique password for each website or service that you use, without you having to remember it. The passwords are stored encrypted in the application, and the only password you will need to remember is the one for the application itself. A few reputable password managers include KeePass, LastPass, PasswordSafe, and 1Password.
    You also should remember not to trust others with your password. That goes for software as well as people: never save your passwords in your internet browser. Malware or viruses that get onto your computer can steal that information very easily.
    Since you’ll be using a password manager now, make sure your passwords are strong. An 8 character password can take anywhere from about 30 seconds to a day to crack with free software from the internet, depending on how the site stored it and on the attacker's hardware. At least for your important accounts (banking, Amazon, eBay, PayPal, anything connected to money) use a passphrase of at least 10 characters; the example below is 16. Done correctly, this makes your password practically impossible to brute force. One way of making secure passwords easier to remember is to take a phrase from a book, song, or expression and substitute characters. The phrase

    “You Are My Sunshine” == You@reMySunsh!n3. 

    Brute forcing this passphrase would take far longer than a human lifetime, because it is a 16 character string with upper & lower case letters, a number, and a symbol. One caveat: cracking tools also try well-known phrases with exactly these substitutions, so pick a phrase that isn't famous, or let the password manager generate a random one. Here are the top passwords from 2015 that you should never use:

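To put numbers behind the "8 characters versus a long passphrase" advice above, here is a small added example (my own, not from the original post). It counts the candidates a brute-force attacker has to try for a given length and character set, and then shows the caveat: a cracking tool that starts from a list of well-known phrases and applies common letter substitutions finds "You@reMySunsh!n3" in a handful of guesses, because the attacker never has to search the full 16-character space. The guess rate of ten billion per second is an assumed figure for a modern GPU against a fast, unsalted hash; the substitution table is a deliberately small stand-in for a real rule set.

```python
import itertools
import string

# Assumed attacker speed, not a figure from the post: roughly what a single
# modern GPU manages against a fast, unsalted hash such as NTLM or MD5.
GUESSES_PER_SECOND = 10_000_000_000

PUNCTUATION = len(string.punctuation)  # 32 printable symbols on a US keyboard


def alphabet_size(password):
    """Size of the smallest standard character set that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += PUNCTUATION
    return size


def keyspace(length, alphabet):
    """Number of candidates a brute-force attacker must try in the worst case."""
    return alphabet ** length


def years_to_exhaust(length, alphabet, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate / (365 * 24 * 3600)


# Substitutions a cracking rule set tries for each letter. The original letter is
# added as the first choice in mangle(), so it is always tried first.
LEET = {"a": ["@", "4"], "e": ["3"], "i": ["!", "1"], "o": ["0"], "s": ["$", "5"]}


def mangle(phrase):
    """Yield every variant of a title-cased phrase with these substitutions applied."""
    base = "".join(word.capitalize() for word in phrase.split())
    positions = [i for i, c in enumerate(base) if c.lower() in LEET]
    choices = [[base[i]] + LEET[base[i].lower()] for i in positions]
    for combo in itertools.product(*choices):
        chars = list(base)
        for i, replacement in zip(positions, combo):
            chars[i] = replacement
        yield "".join(chars)


def guesses_to_crack(phrase, target):
    """Number of guesses until the target falls out of mangle(), or None if it never does."""
    for n, candidate in enumerate(mangle(phrase), start=1):
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    pw = "You@reMySunsh!n3"
    symbols = alphabet_size(pw)
    print(f"brute force, 8 chars from {symbols} symbols: {years_to_exhaust(8, symbols):.4f} years")
    print(f"brute force, {len(pw)} chars from {symbols} symbols: {years_to_exhaust(len(pw), symbols):.3e} years")
    print(f"phrase list plus substitution rules: {guesses_to_crack('you are my sunshine', pw)} guesses")
```

The brute-force numbers say a random 16-character password is safe for practical purposes while 8 characters is a matter of days at most, which matches the advice to let a password manager generate long random passwords. The last line is the caveat: if the phrase is famous and the substitutions are the usual ones, length alone does not protect it.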

Enable Multi-Factor Authentication/MFA (or Two-Factor Authentication/2FA) on sensitive accounts

    2FA adds a second step to the login for a website or service on top of your password, which makes a stolen password alone far less useful to an attacker. Many banks offer it as an option, as do Facebook, Twitter, other popular social media sites, Gmail, etc. The second step is a PIN or code that is texted to your cell phone, emailed to you, generated by an application such as Google Authenticator or Duo Security, or produced by a physical device such as a key fob or token generator.
    On the website https://twofactorauth.org/ you can search for services and see which ones do and don’t offer it. You will most likely find the 2FA setup in the account security settings of each individual site.


Learn to be suspicious

    You should be suspicious of any email, link, popup, or phone call that tries to create a sense of urgency. There are scammers out there everywhere. Many times they try to specifically target residents of retirement villages, but most will try their tactics on anyone. They come in many forms and here are a few:
  • A fake email (called phishing) that may look exactly like it came from a service that you use. These emails are very easy to create and are trying to direct you to a malicious website or infect your computer. If you have concerns about an email, never click a link in it. Instead open the website in a browser by typing the address in manually. If there is any problem with your account you can either find it there, or call the company directly.
  • A pop-up telling you that you have a virus or system slowness, and clicking *here* will fix everything. Do not click on it! It’s a malicious ad or pop-up on a potentially infected website that is trying to spread the infection or steal your information.
  • A phone call from “Microsoft”, ”Dell”, or another well known company asking for access to your computer. No one, ever, at any point in time, will call you at home to request access to your computer or information from you. If at any point in time you believe that it is a legitimate request, get their name and call back number. Don’t actually call them back at that number, but look up the service that you use, whether it be financial, medical, or otherwise and call that number instead to inquire about your possible account issues.
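As an added example of the two tells described above (this is my own code, not something from the original post), here is a small script that takes the HTML body of an email and flags links whose visible text names one website while the link actually points somewhere else, and that lists the urgency phrases the message uses. The sample email and its hostnames are constructed for the example and use reserved .test names; the "last two labels" rule for comparing domains is a simplification (real code would use the public suffix list), and the urgency phrase list is a made-up starting point, not a vendor's.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body for this example; the hosts are made up and
# use reserved .test names, not real sites.
SAMPLE_EMAIL = """
<p>Your account is locked! Verify within 24 hours or it will be closed.</p>
<p><a href="http://www.example-bank.com.verify-now.test/login">https://www.example-bank.com/login</a></p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
"""

# Assumed list of urgency cues; a real filter would be far longer.
URGENCY_PHRASES = ("account is locked", "within 24 hours", "will be closed",
                   "immediately", "verify now", "suspended")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumed simplification; use the public suffix list in practice)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def hostname_of(text):
    """Hostname from a URL, or from bare text that looks like one; '' if there is none."""
    if "://" not in text:
        text = "http://" + text
    try:
        return urlparse(text).hostname or ""
    except ValueError:
        return ""


def mismatched_links(html):
    """Links whose visible text names one domain while the href goes to another."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = hostname_of(text)
        if "." not in shown:            # plain words like "Help center" claim no domain
            continue
        if registrable_domain(shown) != registrable_domain(hostname_of(href)):
            flagged.append((text, href))
    return flagged


def urgency_hits(html):
    """Urgency phrases present in the message, the cue the post says to be suspicious of."""
    lowered = html.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in lowered]


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"looks like {text!r} but really goes to {href!r}")
    print("urgency cues:", urgency_hits(SAMPLE_EMAIL))
```

The first link is the classic trick: the text shows the bank's real address, but the href lands on a completely different domain that merely starts with the bank's name. Hovering over a link in a mail client shows the same thing the script reads out, which is why the advice is to type the address yourself rather than click.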

Perform Routine Maintenance

    Perform routine maintenance, such as keeping your anti-virus updated (don’t let the renewal lapse) and running anti-malware software monthly. Several anti-spyware and anti-malware companies are reputable. Download the software directly from the vendor's website and not from an ad elsewhere. Malwarebytes (www.malwarebytes.org) is a great piece of software that will find and remove security risks from your computer; there is a free and a paid version. Update and run it once a month, and remove everything it finds.
    More than likely you are running a Microsoft operating system of some type. Always apply its updates monthly. Many other pieces of software on your computer need to be kept up to date as well. Things like Adobe Reader, Firefox, Chrome, etc. constantly have security bugs that need to be fixed. A free piece of software from Secunia (www.secunia.com) will tell you which programs on your computer have known vulnerabilities. Also, please, if you’re reading this and have Windows XP, do everything in your power to get onto a newer operating system; it no longer receives security updates. Just trust me.

Protect your browsing

There are a large number of websites on the internet that are infected, compromised, or just plain bad news. Here are a few things you can do to mitigate this:

  • Use a web browser other than Internet Explorer (IE). www.google.com/chrome or www.getfirefox.com are both exceptional browsers that can be made more secure than the default IE.
  • Install extensions on your new browser. Two in particular, Adblock Plus and NoScript, will block a large portion of the very bad things websites can display or run. NoScript stops scripts from running until you allow them, so expect to click "allow" on sites you trust.



I hope that all of the above tips can be something that you would handout to the circle of people that you know. Security is everyone’s responsibility and the more we all work towards a common goal, the safer we all become!

Wednesday, May 25, 2016

Getting your foot into the infosec door

Time and time again I have the discussion with my peers about mentoring and starting a career in infosec. I’ve been asked my opinion, what I’ve personally done, and what others can do to be successful. Recently there was a panel discussion held on the subject of infosec careers at a Michigan security group called #MiSec. It covered a large range of information such as mentoring, networking, contributing, and attitude. For a good write up on the session itself you can visit https://blog.greenjam94.me/path-dark-side/.

It is said that the lazier the tech worker, the harder they work to automate tasks. My goal is to put down my thoughts in this article to point others to for a beginner guide of my recommendations. While it’s only driven by my personal experience and observations, it seems valuable to enough people to warrant its own automation.
So a fast primer on how I got here. Like most people I wasn’t born into information security. I’m what you would consider a late bloomer to technology compared to most. I had plans on joining the Marines and when that didn’t pan out for personal reasons I thought to myself “Hey I’m decent with computers, I’ll do that!”. I didn’t have my first tech job until I was almost out of college. I had gone for my 2 year “Helpdesk” degree at a local tech college and honestly had no idea what I had just learned or how to apply any of it to the real world. After 5 years at various helpdesks and another 5 as a network/systems admin I was finally introduced into the world of infosec. I had no idea that it was an entire subculture.

My first toe step into infosec had come from a project that a friend had gotten me involved in. Being an overachiever, I had jumped in right away and started to work on this project. Bi-monthly Skype meetings, shared documents, collaborating with people I barely knew. I was loving it! Shortly after that the project owner killed it, but I had already started the ball rolling in my mind. I knew that I wanted to be a part of more than just an 8-5 job. I cared immensely for the work I was doing day to day and I wanted to continue and expand upon that to help out as many people as I could. Even being involved in a project that didn’t go anywhere gave me the drive and experience I needed to realize that there was so much more out there that I could be involved in. So that is my first piece of advice. Find or create a project. It doesn’t matter what your skillset is, there *will* be a project out there that needs help. Documentation is needed on 99% or more of the open source projects out there. If you’re good at scripting or programming find a need and fill it. It may help you in your day to day job, or maybe it’s just a fun project that you do on the side. Either way you are spending your time on something useful that could end up helping save time for someone.

My second piece of advice is to volunteer and participate at an information security conference and attend local meetups. There are hundreds of them across the US and they almost always need volunteers. Just attending a conference has its benefits, but truly immersing yourself will push you further to learn and experience more. Maybe you saw someone give a talk or training on something or overheard an interesting conversation. Many careers have been started by having a simple conversation about a passion over lunch or a beer. Remember those projects that I talked about working on before... a great ice breaker. Networking is a game changer in our industry. I’m not saying that it’s the silver bullet for everyone. You can network all you want, but unless you are a desirable candidate it won’t matter. Having a willingness and desire to learn, listen, collaborate, and the ability to think for yourself are all ideal traits in such a fast paced industry. Others will want to work with you if you are a positive person that they can rely on and trust. You can also join a team for a capture the flag (CTF) or other competition, attend training, or maybe even create your own event. CTFs are a great way to challenge yourself and build problem solving skills. You can learn by watching and competing with others.

Another item to add to your “to-do” list should be to either find or be a mentor. Mentorship can come in many forms but is not just going to be solutions and information handed to you on a silver platter. If someone is offering to mentor you, they are doing it for free with their extra time, so don’t screw it up. Remember, they don’t owe you anything. Mentoring can be extremely rewarding for both parties and also can occupy a lot of time depending on the level of commitment. Try to find someone in a different company so you can bounce ideas off of each other from different perspectives. You don’t have to have a strict career path to be mentored. With so much information in infosec having a broad understanding of any piece of it will help you down the road.

While a career in information security could be an 8-5 job, to excel in it won’t be. I think it’s safe to say any career can be made into an 8-5 without personal and professional drive and commitment. You are going to get a return on investment only on the work that you put into it.

Wednesday, January 20, 2016

Information Security Podcast List

Some of my favorites:
Southern Fried Security (http://www.southernfriedsecurity.com/) w/ Steve Ragan
Brakeing Down Security (http://www.brakeingsecurity.com/) w/ Bryan Brake
Down the Security Rabbit Hole (http://podcast.wh1t3rabbit.net/) w/ Rafal Los
Defensive Security (http://www.defensivesecurity.org/) w/ Andrew Kalat and Jerry Bell
Hurricane Labs (https://hurricanelabs.com/podcasts/) (obviously have to put this here) w/ Bill Mathews, Kelsey Clark, and other awesome people I work with
PVC Sec (http://www.pvcsec.com/) w/ Edgar Rojas
TrustedSec, LLC podcast (https://www.trustedsec.com/podcast/) w/ lots of their awesome people