What I learned about information security in 2014


On New Year's Eve the PVC Security podcast had a very impromptu recording session. We decided, on Twitter, five hours before the New Year to record our weekly podcast and discuss what we learned about security in 2014. I was hosting a party at the exact same time as the recording, so I didn’t pipe in with what I learned in security last year. Instead, I’ll write about it here.

The biggest thing I learned about security in 2014 is that it’s very important to have a solid background in IT. Understanding how a network is put together and how computers and servers work goes a long way in helping to secure them.

It is also extremely helpful in getting security implemented in an organization. Implementing security should not be about telling people their systems or applications are broken and that THEY need to go fix them. It should be about working together to find the best, most secure way of doing things. Understanding the limitations of a network, computer or server is going to help in finding the best solution to an insecure problem.

I’ve been working in information technology since 2002. I’ve done everything from moving phone lines to pulling cable to soldering to workstation troubleshooting to inventorying to server management to network management to now security. I’ve got a very broad IT background and I’m starting to realize that it is helping me become a good security professional. That’s not to say that one can’t jump into security or take another route to security, but I think I’ve benefited from having experience in the areas that I now find myself trying to secure and keep secure.

Happy New Year! I am looking forward to all the new things I will learn in 2015.

This post first appeared on Exploring Information Security.

Productivity vs. Burnout

I recently read an article that talked about the amount of time you should work every day.

One of the findings from a study done on people working is that the people with the most productivity are the ones that work for 52 minutes and then take a 17 minute break. Now, these aren't people that sit at their desk and surf Facebook or Twitter or the internet during their break; these are people who get up and get away for a break or read a book for their break. Another point of the article is that we only have so much psychological energy each day.

I've been thinking about the article the last day and trying to put into perspective my own work habits. I think that breaks are important, but 17 minutes is only an average and I think some people are going to be more productive with a five minute break and some are going to work better after a 30 minute break. We're all different. I also think that we can condition ourselves to be more productive with less of the break.

What constitutes work? Is something you're passionate about constituted as work? I think that can play a factor as well. I've had a full day of work and then had two college classes. One of which was a Spanish course. I only had about a 15 minute break at lunch, as the other 45 minutes were spent on Spanish homework. Yet, here I am writing a post for my site, because I forgot to do it last night. But this doesn't feel like work. Some people might view maintaining a website as work, but not me. I enjoy this. It makes me feel like I'm being productive and not just sitting around on my ass.

Last year I was putting out two to three articles a week on The Crawfish Boxes (TCB). At times it felt like work, but for the most part I enjoyed what I was doing. This season I've taken a step back. Partly because of some of the things that transpired with the Astros; partly because I wanted to focus on advancing my career in information security; and partly because I was burned out. One post a week of 300-500 words is a lot of work. I was doing three of those, plus two weekly podcasts, a breaking news podcast and eventually I spun up a monthly podcast and bi-weekly podcast. It was a lot of work, but came to me easy, because I enjoyed it. Still I burned myself out and I've been having some trouble refocusing my productivity towards information security.

I want to be as productive for the infosec community as I was for TCB, but I also don't want to burn myself out. Burnout seems to be a small issue within the infosec community and I already feel it at my day job. I think there's a balance to be struck; I just need to find it.

This post first appeared on Exploring Information Security.

Impressions from BSides Augusta

Simply awesome!

What a great BSides event. Not only was it a short drive for me, but the event itself was top notch, all at the fantastic price of free. I can't gush enough about how great of an event this was. Excellent talks, great location and wonderful people. I volunteered for the event and you can read my experience from that as well as a rant about how awesome volunteering is by clicking <------- this link.

I love that this BSides decided to go with a blue team and a red team track. It helped define some of the talks that might not have been apparent in the title or in the abstract. Full disclosure: I'm a blue team guy and thus spent most of the day in the blue track. I hear there were some fantastic red team talks like Tim Tomes', The Adobe Guide to Keyless Decryption:

But there were also some fantastic blue team talks like Tim Crothers', Techniques for Fast Windows Investigations:

Or Chris Campbell's, Using Microsoft's Incident Response Language:

What I loved in particular about this talk was that Chris spent the majority of his talk going over actual code and techniques, which is not something I see a lot of talks doing. If you're interested in PowerShell, have it up while you're watching this talk.

There's also Chris Sanders' talk Defeating Cognitive Bias and Developing Analytic Technique which kicked off the blue team track:

Finally, Mark Baggett closed out BSides Augusta with his awesome talk Crazy Sexy Hacking:

These talks were the ones that impacted me the most. Everyone is going to get something different out of each talk. I would recommend you check out all the talks at the BSides Augusta YouTube channel. I don't think you'll be disappointed.

One other awesome thing happened at BSides Augusta in that the local media showed up announced and took footage of the event as well as conducted interviews with some of the organizers of the event. This is not just a good thing for BSides Augusta, but the infosec community as a whole.

We must present ourselves to the world as professionals and BSides Augusta did that very well. I look forward to more BSides, especially at Augusta.

This post first appeared on Exploring Information Security.

Volunteering at BSides Augusta

This past weekend I got an opportunity to volunteer for my first BSides event and I did it at BSides Augusta, which is the closest BSides event to me (approximately an hour away). When I initially signed up to volunteer I was happy to find that I was put on a waiting list. It's pretty awesome that an event that doesn't cost anything and relies heavily on its organizers and volunteers didn't initially need my services. That changed a few weeks later when I was notified that I would in fact be needed.

I left the house just before 6 a.m. this past Saturday to make it to volunteer orientation at 7 a.m. I showed up and was instantly put to work setting up signs and making sure everything was prepared for the blue team track speakers. BSides participant registration quickly followed and soon after that we were off.

After the initial setup we were free to go to any talks and roam around wherever we wanted to. If someone needed a volunteer they would come find us. I was assigned the duties of helping out the blue track team room, but another volunteer expressed interest in helping out in the room as well, so I ended up splitting time with him. He took the morning sessions and I ended up with the afternoon sessions. This gave me the opportunity to spend my morning walking/running between the blue and red team talks.

When I was working in the blue team room I made sure the speakers got the microphone and computer set up and helped with anything else the track organizer needed. After the conference was over, the signs that were put up in the morning were taken down and I ended up walking around making sure everything was collected that needed to be collected.

The great thing about most security conferences is that they're recorded, and BSides Augusta was no different. At this event they were able to acquire the services of Adrian Crenshaw AKA Irongeek to record all the talks. So you really don't need to go for the talks. Instead you can go for the opportunity to make a connection with other security professionals and volunteering, as it turns out, is an excellent way to make those connections.

Doug Burks ran the blue team track and Mark Baggett ran the red team track. Doug is the creator of Security Onion, which is a Linux-based network security monitoring tool. Mark is the owner of In Depth Defense, an author and former Chief Information Security Officer (CISO). Both are SANS instructors and I got to work with both of them and even chat with them a little bit. Well, I didn't chat with Mark a whole lot, but he did mention that he had seen my tweets before (WHAAAA???).

Those were two of the many people I got to meet this past weekend. I also got to meet Joanne Sexton (the volunteer coordinator and assistant professor at Georgia Regents University), Lawrence, Phil, Chad, Warren, Don and many others working and participating in the event. Because I got assigned to help out with one of the talk rooms I also got to interact with several of the speakers such as Chris Sanders, Chris Sistrunk, Mike Reeves, Tim Crothers, Chris Campbell and Jeff Murri. All of these guys have a wealth of knowledge and experience within the information security community. I'm not exactly besties with any of them, but I have made a connection and I am following and being followed by several of them on Twitter now.

By the way, Twitter is fantastic for events like this. Not only do you make connections but you can help promote the event and the infosec community by tweeting about some of the cool things happening there. I had over 50 interactions with people via tweets, mentions, retweets and favorites during and hours after the event. If you're an infosec professional (or in any profession, really) you should be on Twitter. You don't have to tweet anything, but there's a lot of smart people you can follow. If you do tweet you can start making a connection with the people you do follow.

Volunteering is something very near and dear to my heart. This was my fourth BSides event, but the first in an official volunteer capacity. The previous two BSides I participated in, Nashville and Asheville, I volunteered my photography "expertise." Those two events benefited me in allowing me to refine my photography skills as well as make connections with the event coordinators. I am currently helping Ed Rojas (BSides Nashville event organizer) with starting up a new security podcast as well as interning this Spring with BSides Nashville. When you volunteer you get just as much as you give.

Up until recently I've been volunteering at my church for the past three years. Every other Sunday morning I would get up and be at church by 7 a.m. I would then spend the next five and a half hours helping produce three services. Through that I've been able to gain WordPress, Mac and sound design experience, but I've also made connections with other volunteers, musicians and sound engineers. In fact, the music for most of my podcasts comes from the sound engineer I was working under as a volunteer. The fence in my backyard was built by another volunteer who runs his own business.

Volunteering is a wonderful thing: You not only give back to a community or a cause, but you also get back just as much if not more. Don't be just a consumer of your hobbies or profession, be a producer. And if your hobby or profession is information security give back to a BSides event near you. You won't regret it.

This post first appeared on Exploring Information Security.