How to join an online infosec community

July 17, 2017

I had an interesting follow up question to the most recent Exploring Information Security podcast, how to join the infosec community. Here’s the question:

Tyler Neeriemer:

Any advice for those of us in incredibly rural areas. Are there active online communities you can recommend?

This a great question, because I imagine there are a lot of people in a similar situation. My response was to join CitySec meetups remotely. Both MiSec and ColaSec stream and record the talks that they have. They would both love people to get involved online. Those are two groups that I know do this, there may be others (please hit me up if there are others).

I just started GamerSec, which is an infosec user group for those interested in video games. You can contact me directly to get added (my Twitter DMs are open or email, timothy.deblock[@]gmail[.]com). Again, there may be other online specific groups.

I also asked Micah for his input and he recommended checking meetup.com. If there’s nothing there you can get involved via listservs or slack channels. I am part of the OWASP, security metrics, ColaSec and GamerSec listservs. These are usually Google Groups that people with the same interest members can join to discuss an infosec topic. Slack is more of a chat channel (AKA IRC). I’m part of three slack channels: DevelopSec, MiSec, and ColaSec. I know there is also a channel for OSINT and Network Security and many others.

My final bit of advice is to start your own CitySec. You only need two people to start one. I've done a two-part podcast series on this topic. I would love to hear other suggestions.

This blog post first appeared on Exploring Information Security.

To cover letter or not to cover letter

May 30, 2017

TL;DR

Yes, write a cover letter. They will help you standout and express things about you that bullet points can not.

There is one scenario in which I don't write a resume. If I'm working through the process with someone I know or have an acquaintance with. Any other opportunity I am writing a cover letter to go along with a resume.

Why cover letters are important

Cover letters are a great opportunity to stand out from the pile of resumes sitting on a hiring managers desk. I recently heard some chatter that cover letters aren't relevant anymore. I would argue that they're rare. Which is exactly why you should write a cover letter for a job posting.

I used to not write cover letters. Writing a cover letter is hard. It requires inner reflection and an ability to write coherent sentences. For a non-writer that can seem daunting. I'll walk through how I write a cover letter below. I took chances in my cover letter and I was rewarded with at the very least a conversation. That's all we are looking for from a resume and cover letter, a chance for a conversation.

Cover letters are a great opportunity to show what you know and why you would be a good fit. Here are my two most recent cover letters.

Example one

You have to be very careful about pointing out issues in a website. It's like telling someone their baby is ugly. I ended up getting a call anyway. It was a short call. They were looking for someone who would jump in and start writing secure code. I was not that person. We both agreed it wasn't a great fit for them or myself.

Example two

In this example, I went much further in the interview process. I did several interviews and even made it to the sample security assessment on an application phase. This example is a little more standard. It highlights my desire to get into the appsec field and the activities I'm doing to accomplish that goal. I didn't get this role either. They were looking for someone more senior and I was looking for something closer to junior. Going deep into the process, though, was a valuable experience.

How to write a cover letter

Hopefully, those two examples are useful and provide ideas for writing a cover letter. Walking through both examples the first part of the cover letter is all the contact information. Your information and the companies information and the date.

If you have a name for the person who will review the cover letter address it to that person. I recommend not using "To whom it may concern," because there's something about the phrase that can rub people the wrong way. I like "Hiring Authority," because it empowers the person reading the letter. It provides them with a sense of importance that "to whom it may concern" doesn't.

My first paragraph focuses on the role I'm applying for and what makes me a good fit for the role. In the first example, I'm focusing more on recommendations I can make in the role. The second example, I'm trying to say that I have a strong interest in appsec, despite a weak background in development. Re-reading both first paragraphs makes me want to throw up. However, I'm keeping them (and the rest unedited) to show that a cover letter doesn't have to be an amazing thing. Try to provide a little insight into your personality. Take chances.

The middle paragraphs I'm focusing on me. What makes me a good candidate. What experience do I have. What activities I'm doing to help improve my skills in the field.

The final paragraph I focus back on the position and highlight what makes me a good fit for the role. Sort of summarizing the whole thing. Then finally sincerely your name. In example two I misspelled sincerely, which simply highlights making sure to re-read your cover letter for mistakes.

Write a cover letter to stand out

When I talk to people trying to fill a particular role, one of my questions is how many cover letters were submitted. The numbers I get from those people are very low. Cover letters give you an opportunity to standout and highlight your strengths as a candidate. Resumes are bullet points of accomplishments and responsibilities. They say very little about you as a person.

Cover letters are frustrating to write. The more you write them, the easier they become to write. I would avoid using a template. For each job you're submitting to, write a fresh cover letter. Cover letters show a willingness to go the extra mile. Which is why you may be surprised to find more calls from potential employers.

This blog post first appeared on Exploring Information Security.

BSides Knoxville - May 5, 2017

April 14, 2017

Only 3 weeks left till #BSK2017, official poster finished and going to print, amazing design by Joshua Marc Levy at https://t.co/wy9Fng8DDd pic.twitter.com/rBFXS0Vlze
— BSidesKnoxville (@BSidesKnoxville) April 13, 2017

I love BSides events. It's the simplest idea that has a tremendous impact on the information security. A lot of work goes into each BSides event and there are over 200 of them worldwide. I've been to two this year already in Huntsville and Indianapolis. It was my first time attending each of those conferences (one of the perks of moving to Nashville). I had an outstanding time at both. I was afforded the opportunity to speak and make some new connections with people in the industry. I will be attending Nashville next weekend and speaking at two more next month. Detroit and Knoxville.

What I love about BSides is that each one is unique. Huntsville is in rocket city. It is one of the simplest and well run conferences you can go to. The area is a lot like Augusta. Not much around, but a lot of really smart people. Indianapolis is similar in nature and a quite possibly the most laid back. It's located at a culinary school and I ate pastries all day. Nashville feeds its attendees with catered (YES CATERED!) barbecue from Martin's BBQ. I'd put the lunch up against any conference anywhere. I will be heading to Detroit next month for that BSides which coincides with Converge Detroit. I've bailed on the organizers two years in a row due to life changing events. Not this year, though! Flight and hotel are booked.

Knoxville is another new conference for me this year. It's already turning out to be quite the unique experience for me. I am speaking at the event. Which is a bit of an outlier for me. I've submitted to three different conferences in Tennessee and BSides Knoxville is the only one that accepted my submission. It's fulfilling that dream and my dream to have a walk up song.

I'm a big baseball fan. My dream of coming out to a walk up song in professional baseball died a long time ago. In my adulthood, I've thought about what walk up song I would choose if I were given the opportunity. That day has arrived! Along with my presentation acceptance email were instructions on sending in my preferred walk up song. I only get 20 seconds, but that's all I need.

I started thinking about all my favorite songs. There were too many to make a choice from. I decided to take to Twitter to ask for suggestions. I got some really great responses. I also took the question to ColaSec a security user group in Columbia, SC. My talk is on kick starting an application security program, so I took the question to the development team I work with. I got some really weird and interesting response. I had about 20 potential songs, so I made a survey. From there I picked the top three and created a Twitter poll.

Final vote: What should my walk up song be for @BSidesKnoxville? Got some great suggestion. These are the top 3 based on survey.
— Timothy De Block (@TimothyDeBlock) April 14, 2017

If you have Twitter I'd love for you to vote and share. I like all three songs in the poll, so I will absolutely use the poll winner for my walk up song. If you're going to BSides Knoxville I would highly recommend planning your schedule. It helps the organizers place talks in rooms and time slots. From talking to several organizers of security conferences scheduling is one of the most frustrating things. This will make scheduling easier for the organizers of Knoxville. They're putting on an awesome conference at a ridiculously good price. It's the least you can do.

If Knoxville is in your plans May 5, 2017, hit me up on Twitter and let me know you're attending. Or walk up and say "Hi!" (I don't Twitter at conferences anymore). I'm really excited for the conference and hope to see you there.

This post first appeared on Exploring Information Security.

How to find your niche in information security

November 28, 2016

How to find your niche

Relax. It can take time to figure out what really engages you. Appreciate some of the skills you learn along the way. Ignore the advice to follow your passion. You may find work in security that you enjoy doing but aren't exactly passionate about. That is okay. You can be passionate about other things and still be happy in the work you do.

Explore. Try all the things. If your role allows it, take on security projects or initiatives in different areas. Research different areas. Go to security conferences and checkout various talks. Some of the best ones for exploring are single track conferences like BSides. Find a local security meetup. Follow a bunch of people on social media in the infosec field. Listen to security podcasts. There are a ton of them.

Play. Build a home lab. One of the great things about our industry is that there are a ton of free tools that do some amazing things. Some of my favorites are:

Redline a memory forensics tool
Zed Attack Proxy a dynamic analyzer for applications
EMET a windows hardening tool
PDQ Deploy third-party patch management and software deployment tool

Ask questions. Talk to people in various fields. Do this at work and at conferences and local meetups. Social media is also a great place to ask questions.

Evaluate your strengths. If you love math or a good puzzle, cryptography might be your thing. Do you love solving mysteries like a detective? Then maybe incident response or forensics might be your thing. Liking a little bit of everything may lead down a generalist path and into a management or CISO role. Whatever the strength try to match it to a different field in information security.

My story

I didn't really have a plan for what I wanted to do coming out of high school. The one thing I was sure of was that I was heading into the military. I didn't want to head to college not knowing what I wanted to do and put myself in debt. The military would give me an opportunity to figure that out and earn money for college when I did.

Prior to graduating I had looked at a number opportunities in the Army. Helicopter mechanic was one I remember. The other one I remember is paralegal, because that's what I ended up signing to do. That plan ended up falling through and I ended up working at Blockbuster for six months. I eventually signed on with the Navy and tested into the electronics technician role.

As an electronics technician I dealt with anything that had a circuit. Computers, phone lines, printers, communication equipment, and so on. I learned a lot about troubleshooting. I honorably discharged from the Navy after six years still without an idea of what I wanted to do. This lead to contract jobs pulling cable on and off for six months. Eventually, I landed an IT role as a tier two technician. The IT field was alright. I was good at it, but it wasn't exactly inspiring me.

At this point I started going to college part-time as a media arts undergraduate. Why media arts? I enjoyed movies and video games. I had an interest in possibly building websites. The biggest factor, however, was that the offered night classes. The computer science department did not. Plus, I had worked as an electronics technician for the past several years. I would only be gaining a little benefit in going back to school for that.

A year into my tier two technician role I got hired as a network/system administrator for a small state agency. This is where my interest in security really started to manifest. The first appliance I touched was the Sourcefire intrusion prevention system (IPS). I started tuning it and setup a process where I reported computers that needed to be grabbed because they were talking to places like China. This was a juvenile detention facility, there is no reason to talk to China. Despite starting to gain an interest in security, I had aspirations to move into the media arts field for a few years. I was blogging and podcasting about baseball and enjoying that opportunity. I even started making a little money from it. I didn't know what I wanted to do, but I started looking at opportunities in the field.

The problem with the media arts field is that it doesn't pay well and it's highly competitive. The money I started making wasn't anywhere close to feeding myself, wife, and child. I was also putting in a lot of hours after work just to maintain that extra source of income. After a few years of exploring the possibility of a career in media arts, I nixed it for practical reasons. This is when I started to gain clarity on the information security field.

After gaining some network and system, as well as security, administration experience, I was hired into my first security role. This role had me wearing several different hats in the security field. I managed AV, the webfilter, email spam filter, incident response, web application firewall, and much more. All these different areas intrigued me more than network or server administration had ever.

I thought I was good. Security was my niche. Done.

Then I found out I was supposed to find a niche within my niche. I had to pick a field in security. Really? I was enjoying doing it all in security. Can't I be a generalist. Well depending on who you talk to you can or you can not be a generalist. I think you can be a generalist and I was heading down that path as my niche. I had a wide range of experience in not only security but IT in general. I could walk into a network or server discussion and talk basics.

One day my manager came to me and said, "We need to setup an application security program." Off I went to figure out what I need to do. What I discovered in my research was that I had a strong interest in application security. Reading about the field was keeping my interest more than the other fields. Some of my strengths started to show themselves. I've also had an interest in web design. I know HTML and XML pretty well. Plus, I was wrapping up a degree in media arts that gave me more experience with websites. I also started to discover that I had a knack for working with other departments. Which came in handy when setting up security programs that involved other departments. I had found my niche.

Nearly, three years later I am working as senior software security engineer. I work with the development team to get security in the software development life cycle and I am loving absolutely every minute of it. I know I wouldn't be happy as a security operations center (SOC) analyst, because I was in that role for eight months and disliked it a lot. I think I would be happy working as a generalist in information security. For a time I thought I would have to be generalist. The "requirement" to get into application security is to have a programming and development background, which I don't have. That didn't stop me from perusing those types of roles and should probably be left to another blog post.

I shared this story, because I want to show people that it can take time to figure out what you want to do. I didn't know I wanted to be in security until my late 20s. I didn't get into security until after my 30th birthday. It was another two years from that point that I figured out what I wanted to do. Relax, explore, play, ask questions, and evaluate your strengths. Then you'll find your niche.

This post first appeared on Exploring Information Security.

Leveraging the security mindset of others

November 21, 2016

I am over six months into my new role as a senior software security engineer. My role has me embedded with the development team. I go to meetings and interact with the team on a day-to-day basis. My desk is in there area. I go to lunch and conferences with them. As I’ve gotten more familiar with the environment and team, my task list has started to grow.

One of my co-workers noticed this and while leaving a meeting the other day asked if security had plans to hire another security person. I responded that I thought they might in the future, but that I wasn’t counting on it. It took two years to fill my role. With the current “talent shortage” it may take another two years to fill a similar role.

My strategy for getting security into the software development life cycle is to leverage the skills and knowledge of the developers. They are really smart people, so I put a focus on improving the security mindset of the developers. In meetings, I let them to talk through security issues and find their own solution. Just me being there the developers know that security needs to be taken seriously. For the most part they choose the right path.

I also recognize when security issues are identified and addressed by the development team without my involvement. The development team is already doing a lot of good things from a security perspective. By recognizing that in a meeting or one-on-one I am amplifying and encouraging that type of behavior. Using that strategy, I’ve started to see improvements in the development team in regards to security. The other person I was discussing this with agreed. They were seeing more focus being made on security.

Do we need more people in security? I don't know. What I do know is that the security industry is having a tough time finding the right people. Maybe we need a different strategy. I think that strategy should include leveraging the security mindset of others. I've had some encouraging results so far. It will be interesting evaluate the strategy a year from now.

This post first appeared on Exploring Information Security.

Rethinking the security team

November 5, 2016

What if security teams placed their people into each department, instead of their own?

This is the position I currently find myself in. Four out of five days I sit with the development team with the goal of improving security in the software development life cycle (SDLC). It is going really well. It's going so well in fact that I've started to wonder why we don't do this more?

There would still be a security operations center and some other roles, like pentesters, working in a security space, but why not place a person in network or the server team?

Being in the room with the developers I'm able to build strong relationships within the team. I'm a security resource for them to bounce ideas off of and gain clarification on various security ideas and concepts. This makes things tremendously easier when I look to establish security processes and practices for the dev team. They see me daily and know that security is a priority. They also know that I see their successes and their struggles and that my goal is to help them be successful.

I believe this can apply to other departments. If security is involved the day-to-day operations of a team we are seen more as a resource instead of someone holding them accountable. We are still holding them accountable. The difference is that they can ask us questions. Why are we doing it this way and not this way? I'm finding people are much more amenable to security initiatives when we can explain why it's important and it benefits them.

This post first appeared on Exploring Information Security.

Josh Huff presenting at ColaSec - March 2016

How Josh Huff got into information security

May 29, 2016

I've gotten a lot of good feedback form the most recent episode of the Exploring Information Security podcast, "How I got into information security." People seem to like the solo podcast. More importantly a lot of people identify with my story. Some had a similar story. Others appreciated the story as they were in the process of getting into information security.

One such person is Josh Huff. Whom I've gotten to know the several months personally. He's a regular at our ColaSec meetings and recently found his own way into infosec. He shared his story with me.

"I was raised on technology. I was computing on Commodore 64 at the age of 5 and playing Atari 2600 video games. So growing up I saw, used and played with most forms of technology as it developed into what it is today. (Does anybody miss Palm Pilots?) I wasn’t sure what I wanted to study in college. Since I was comfortable with technology and I liked math and science mechanical engineering was my choice.

Although I learned some awesome things about the business and manufacturing world being an engineer was NOT my calling. I changed my major to business. I changed colleges a couple of times. Then at some point in my part time college job, I took a promotion into full time retail management. Now my comfort level with technology was used to teach and sell technology to customers and train my sales staff. Retail management wasn’t perfect as a career by any means, but it was a good fit for my skill set and I was good at my job. I was good at it for about 13 years in fact.

As my son grew older and family time became a much higher priority I had to make a career choice that would get me off the retail work schedule. So in May of 2015 I started studying everything InfoSec related I could find. At this point I also quit my job and enrolled in technical college. I realized all my old college credits weren’t far off from an Associate’s degree. In just under 2 semesters I got my degree and started looking into how I could land a job in information security.

Podcasts, blogs, an InfoSec twitter feed and security books were my source of guidance. The biggest challenge with learning this way was “drinking from the fire hose” which means taking in way too much to learn anything. I was reading about pen testing, malware, lock picking, network sniffing and cryptography. I researched coding, firewalls, forensics, open source intelligence, networking, vulnerabilities and social engineering. Everything I read was interesting, but I didn’t know how I proceed to this magical job in security. I needed to network with real people that were working in security and find out what they do and how they got there.

I looked online for local meetups. There were some community groups like a Linux user group, open hack Columbia and something called ColaSec. ColaSec had a meetup 3 days later. Plus they said it was an open invitation group, so I just decided to show up to the September meeting.

I wouldn't call myself shy, but getting out of your comfort zone and just going out to meet new people can be tough. If you are looking to get into security find your local city ‘Sec’ meetup and go! If the people you meet are half of what I found at ColaSec it will be worth your time.

I walked in, introduced myself as a tech and security enthusiast. People said hi and gave me pizza and beer. They were hanging out talking about random security news then a speaker gave a talk about building a security framework. There was a table in the back with practice locks and lock picks and people were drinking an adult beverage or two. I HAD FOUND MY PEOPLE!

Once the meeting was over everybody was kind of hanging out so I introduced myself to a few of them. I met a few people that worked in a Security Operations Center. There was several help desk managers and a technology course instructor present. There were also people on the job search like me. A conversation about security conferences led to an invitation to one in Kentucky called Derbycon. Tickets sold out, but I managed to snag one last minute and headed out of town to my first security conference.

On the way to Derbycon I checked the speaker list. I found that a few authors of my security books plus people from my twitter feed were going to be at this conference. I decided to meet as many of them as I could. Derbycon itself is worthy of its own write up, but in short it was awesome. I got to keep meeting and talking with real security professionals. They were open to answering questions and connecting on twitter and I continue to stay in touch with many of them today. I learned a lot of other people’s career paths that led to information security.

When I got back from Derbycon I felt like I had direction. I started applying to some help desk and technology jobs to try and get my foot in the door. I revised my resume and evaluated my past skills into how they could help me in a security related position. This started a roller coaster process. As applications and interviews started to pile up frustration started to settle in. Repeat… wait… apply… repeat. I had one interview that I thought went well and a few pings on my resume that had placed me into consideration. I felt things were looking up again. The promising job lead fell through. Then the 'under consideration' jobs decided not to fill the position.

This is the point in the story where desperation may have kicked in. I took a hard look at what I wanted from a security job and it wasn’t a help desk spot that I could work my way up from. Open source intelligence (OSINT) was my favorite subject so I decided to find people I could talk to again. It seemed that military or law enforcement background was a prerequisite for a job in OSINT. I thought about who I could talk to about this and I looked up private investigation firms in Columbia, SC. Through the ‘contact us’ part of the PI websites I shot a quick introduction email. I gave a brief description of who I was. I described what I was studying and asked if they were hiring. I also said if they weren't hiring I would be happy to just talk OSINT and find out how they used it as investigators. I got a phone call from a private investigator 1 day later.

I chatted with the investigator for a few minutes and he asked for my resume. It turns out the background in law enforcement or military wasn’t an issue. So a few hours later I was called for an interview. The position wasn’t exactly OSINT, but they had need of a digital forensic analyst. My technical background led me through the interview with ease. 1st interview led to a 2nd interview which led to a tryout in their computer forensics lab. The tryout went well and I am now over 3 months into my role as a digital forensics analyst. I get to work in a forensic lab doing cool stuff with all types of technology and in between cases I talk OSINT with the other investigators.

I’ve listened to a lot of stories about how people got their InfoSec job. There doesn’t seem to be a defined path or perfect guide out there, but this is my path. I hope by sharing my path that somebody finds some facet of my story that they can apply to their own career path. If I could re-iterate just once point of my story it is to go out and talk to people. Information security is about the people that drive the technology. If you don’t know how to apply information security it in real world scenarios go talk to the people that do. It will likely be a fun journey."

This post first appeared on Exploring Information Security.

Getting into information security via military service

May 21, 2016

I see a lot of self-study and going to college advice for those looking to get into information security. I would like to recommend another option. Join the military. People joining the military get training, real world experience, and money for continued education.

Now, the military isn’t for everyone. Yes, there is a chain of command filled with people who give out orders. And yes, those orders need to be complied with. The thing about that is that most people know what they’re doing in the military. It's usually not an issue. And that's because the quality of people in the military is top notch.

Joining the military is no small decision and it shows in the people that serve. I had several really good mentors in the military that helped shape who I am as a person. Not only did I enjoy the benefits below, but I learned a lot from those mentors. I gained a strong work ethic. Learned communication and leadership skills. And I had a lot of fun doing it.

The lifestyle is a lot different. The first couple of years involved moving around quite a bit. Moving from a barracks to a dorm to another dorm to a different base. Then off-base to an apartment. I spent a year in the midwest, three years one the west coast. Then two years on the east coast. If you like traveling there’s plenty to be had in the military.

Then there's the uniform. Sure, I couldn't pick my close, but that made things easier. Each day I woke up and new what I had to wear. I also saved quite a bit of money on doing laundry, because I could wear the same uniform for a few days. Usually, I was just changing my undergarments.

Training

My first military contract had me set to be a paralegal in the Army. That fell through and I ended up joining the Navy as an electronics technician. That contract came with a $7,000 signing bonus. I had two months of basic training. Two months of basic electronics training. Four months of communication electronics training. Three weeks of miniature/microminiature board repair training (2M). All that in my first year. I was also sent to radio, aircraft load out, instructor, Humvee driver and forklift operator training. When it comes to training the military is one of the best.

I joined in early 2001 and IT (let alone infosec) positions weren't as well defined. Now that the digital age has matured, there's a much stronger focus on information security. That means the programs are much more prominent in today's military.

Real world experience

During my time in the Navy I did a little bit of everything. I pulled cable. Moved phone lines. Setup computers. Troubleshooted computer issues. Setup communications for field exercises. Inventoried and maintained radio equipment. Setup switches. Created user accounts. And that was all at my first command.

My second command involved a lot more IT work. I learned how to rebuild a server after it crashed and no backups were available. I trained personnel on email usage. Took part in my first workstation refresh, swapping out old computers with new ones. Patched systems. Updated anti-virus. Troubleshooted more computer issues. I leaned on a lot of that experience when I got out and started looking for a job.

I also got the opportunity to do a lot of fun stuff. Train with Navy SEALS. Face-off against the Canadian Army in multi-nation exercise. Jump waves on the Pacific Ocean in a Zodiac Hurricane. Just to name a few.

Money for continuing education

The GI Bill is one of the best benefits received from joining the military. I paid for school and a Network+ certification with it. Last year I graduated from the University of South Carolina with a degree in media arts. All paid for by the GI Bill. I knew coming out of high school that if I went to college I would be wasting my time and my parents money. I wanted to get some real experience and get college paid for when I was ready to go.

The GI-Bill is even better now then when I first started going to school. A year or two after I started taking classes, the GI-Bill changed. Not only was school paid for, but I was making a little money on the side. As long as I was taking more than half a load of classes I got basic allowance for housing (BAH). Which is a significant amount of money. This really helped when we started expanding our family.

Final thoughts

The military is a great option for people looking to start a career. The military does a great job of training and giving it’s members real world experience. A lot of that training and experience translates to the real world. For those looking to get into information security, the military has some good programs. When I joined, I had no idea of the career I wanted to be in. That was okay, because when I knew what I wanted to do I could lean on a lot of my experience.

Serving the military is a massive commitment. Again, it’s not for everyone. It is a viable option though and one that I recommend exploring.

This post first appeared on Exploring Information Security.

Success doesn't require following your passion

February 15, 2016

“Follow your passion” is a phrase often given as career advice to people getting into a field. I don’t like the this advice. It sets high expectations for someone trying to break into a field and it has the potential to lead to burnout. Note the second definition about in the image above.

There’s nothing wrong with using passion as motivation, but that same emotion has a dark side. Instead of following a passion, bring it to your daily work. Look for value and unique skill sets that will provide a positive impact.

Following your passion isn't helpful advice

I first started to question “follow your passion” early in 2015. It was while listening to an episode of the NPR TED Radio Hour titled success. In that episode there was plenty of talk about following your passion for success. Well, except for Mike Rowe. For those unfamiliar with Rowe, he had a TV show titled Dirty Jobs. Rowe would go with a film crew to various locations to work for a day doing a less than glamorous job.

In his TED talk he described the people doing these dirty jobs day-to-day as happy. No one follows their passion to be septic tank cleaner or a road kill highway picker upper or a bait seller. Yet, that's what these people did and they were successful. 40-50 of the 200 people he followed around were multi-millionaires. He suggests that instead of following a passion, bring passion to the work.

A recent Art of Charm podcast featured Cal Newport and he has another angle. In the episode he debunks the “follow your passion” advice. The people that give the advice usually give it because they can't explicitly explain why they've been successful. He says, instead of following your passion you should let your passion follow you. He talks about finding the unique skill and valuable skills in your daily work that makes you stick out. What creative solutions can make systems and processes run more efficiently. That's what these successful people have found in the work they do or the content they create.

Reflecting on my career

Coming out of high school I was set to go into the Army as a paralegal. Instead I ended up in the Navy as an electronics technician, after my contract fell through. Would I be more or less happy in that role? I don't know. I'd like to think I would be just as happy in a legal career as I am in my IT career. I've seen people passionate about computers and I can safely say I am not one of them. What I've enjoyed is solving problems. Building new programs and systems and optimizing ones already in place.

In my daily work I've looked for ways to make the most impact and make things run better:

I’ve implemented a remote access and software deployment solution for the help desk. They had to manage computers all over the state. Before the solution they had to travel for the simplest problem.

I also took our unused IDS solution and setup a one-man security operations center (SOC). Computers I found talking to countries outside of the US I had a technician investigate for malware.

I’ve cleaned up content filtering rules and rebuilt servers to interfere with operations less. That led to management tasking me with important projects. Implementing security in the software development life cycle (SDLC) process. Hardening our computers and securing our websites. I didn't follow my passion to any of those areas, I brought it with me. What's allowed me to be successful is following through on tasks and improving what's already in place.

Of all the work I've done, I found that I really enjoyed working in application security. If there’s one area I would love to move into it would be application security. Yet, I also enjoy building new programs and making a positive impact. I currently work in a SOC. It’s not the most exciting experience for me, but I’m learning what I can and trying to improve or build out new processes. I’m trying to learn the nuance of a SIEM and the challenges of being a SOC analyst. I’m bringing my passion with me and learning the skills that provide value to the organization.

Conclusion

It’s okay to be in a field and not be passionate. Success isn't found by following your passion. It's by bringing it with you. If you’re among those that are passionate about a particular field, that's awesome. I know a couple people like that and they live and breath the work day and night. I contest that’s a rare thing.

For the rest of us look for enjoyment and fulfillment in everyday work. Try to identify what can make the most impact in your organization and your career. Bring the passion or let it follow you. Success will be sure to follow.

This post first appeared on Exploring Information Security.

GSEC Analyst 38087

January 21, 2016

This past Wednesday I took and passed my GIAC GSEC exam. I am now officially GSEC Analyst 38087!

SANS 401 - Security Essentials and the GSEC exam are the main reason why I haven't been posting very much lately. With the course and exam out of the way, I plan to get back to postng more regularly. Before I do that, I wanted to give some quick thoughts on the course.

When I was told that I would be doing the SANS 401 course back in November, I was a bit annoyed. I was just about to start studying for the CISSP and was essentially told to forget that and focus on this course and the accompanying exam. I thought I was too good for a 401 course. I have 13 years of experience in IT. The last three and half of which I've spent in security. I didn't need some entry level training. Boy was I wrong.

What SANS 401 security essentials did for me, was fill in a lot of holes in my IT and security knowledge. Networking things such as the OSI model, TCP/UDP traffic, and so on. It also introduced me to things at a higher level such as risk management, critical security controls, and so on. I learned new things about Windows, and I've been working on Windows since NT. I also got a better understanding of the Linux operating system.

The course taught me a lot of new things, while giving me a deeper understanding of the things I already knew. It was a very valuable course for me to take and I would recommend it for anyone in security.

This post first appeared on Exploring Information Security.

Trends 2015 presented by IT-ology wrap-up

October 28, 2015

Trends 2015 presented by IT-ology was today and I am exhausted.

Every year in the fall IT-ology selects a technology topic to hold a conference on. This year was security, so naturally ColaSec was involved in providing speakers, volunteers, and marketing for the conference. Four keynote speakers filled the morning track and 12 speakers filled the afternoon tracks, which were split into technologist, civilian, and business. I presented a talk titled, "Low cost tools for security challenges" in the technologist track.

For those coming to my site who were in that talk, here are my slides and here are my videos (from previous conferences) of the talk. I got some good feedback from in regards to the talk, which was very much appreciated.

Trends 2015 was the last time I intended to give this particular talk. The recordings are out, my slides are out there, and I'd like to move onto some fresh content. What that is, I don't know yet, but I have some ideas. Before I move onto some fresh content, I want to compliment the video and slides of my talk with some blog posts that go a little more in-depth with the tools I presented. Over the next several weeks I intend to have a post a week, with step-by-step instructions on how to use each of the tools in my talk.

Thank you to everyone that made it to my talk and any feedback is still welcome.

This post first appeared on Exploring Information Security.

Investing in the people who work on a security team

October 22, 2015

I was recently featured in an article title The support security leaders need for better cloud security on CSO Online by fellow palmettoian(?) Michael Santarcangelo. I'm working with Michael on improving my writing while exploring various topics within information security. I did not realize moving to the cloud had become such a hot trend for businesses. It makes sense, though, and is probably something that will become more excepted. After thinking about it I realized I've had some exposure to moving certain IT functions to the cloud already. It makes sense for the right technology, and the technology is only getting better, so it will make sense for more and more initiatives.

As I was researching the topic one challenge began to stick out to me. Is everyone on board, specifically those in security, with moving business and IT functions to the cloud? Talking to several IT people I work with and know, I came away with a feeling of hesitation. Hesitation or not, the business is making the call to move to the cloud and doing it at an ever increasing pace. Which is why it is important for all members of a security team to have an understanding and be comfortable with technology moving to the cloud. It is happening whether we like it or not. We could say, "no" but that just means we are being the brick wall that the business will hammer through or more simply walk around or climb over. I have come around to the idea that security needs to be an enabler of the business, but security leaders needs to become an enabler of the people on the security team.

I'm seeing a lot of managers and leaders wanting to do good things, but not finding the time to invest in their people. They are slammed with meetings and projects and spending time with the members of the security team just doesn't fit into the schedule. They were hired to do a job and that's what they'll do, plus they are slammed with a long to do list too. Here's the thing, the people on the security team have wonderful ideas, they have creative ways to solve problems, but more importantly they want to help find solutions to problems the manager is facing. If there's a disconnect all that creativity and input goes to waste.

We often hear about the talent shortage within security. The easy solution is to higher more people and get better funding. The even easier solution is to invest in the people already on the security team. Are security leaders getting the best out of their people? The only way to find out is to invest in the team, not just in training but in mentorship. Sitting down with them to understand their frustrations, provide mentorship, give feedback, and more importantly enable them to be the best they can be. Santarcangelo followed up the article above with one titled The security talent shortage and your leadership opportunity. It's a slideshow format article, which makes it a quick read and it asks some questions on what leaders are doing to address the talent shortage.

Wrapping up (because this is already longer than intended), I'm seeing security teams struggle with finding and then keeping people. As it happens, I was listening to a podcast from NPR's Ted Radio Hour titled The Meaning of Work. The episode explores how we make work more meaningful. Compensation is not something that makes work more meaningful. The environment, the culture, and the challenges are what make work more meaningful. Investing in the security team will help build a better environment and culture. Enabling the security team will help create more challenging opportunities that lead to more meaningful work. More meaningful work makes for a happier security team and a happier security team accomplishes so much more than an unhappy security team.

This post first appeared on Exploring Information Security.

DerbyCon talk and impressions

September 28, 2015

DerbyCon lived up to its top billing as one of the best security conferences to attend. It is amazing how much is going on at the conference the entire time. Five talk tracks, CTF competition, lock pick village, vendor area, and of course LobbyCon. And that doesn't include the evening festivities like Hacker Jeopardy, a showing of Hackers to hackers, or the two nights of concerts (DualCore and The Crystal Method). There was a constant roar coming from the lobby of DerbyCon each day from 8 a.m to 6 a.m.

The con was well located in downtown Louisville, Kentucky. Outside of the venue is a plethora of food choices and entertainment. All within a two block radius. The farthest I ventured away from the con was about three blocks for breakfast with a group of old and new acquaintances.

Speaking of acquaintances, I got to catch up with people I've meet at previous conferences, as well as meet some new ones. That is one of the best things about attending these conferences, the connections you create and maintain (and I've made a whole bunch in the one-plus year of attending cons).

Below is the recording of my DerbyCon talk and a link to my slides.

DerbyCon talk slides

I was pretty happy with my talk. I wish I wasn't so monotone, but part of that was nervousness and the other part was sitting down for the talk. I believe later speakers stood up with microphone, which is something I should have done. Sitting down to give my talk sucked some of the energy from it. Looking past the lack of energy, I have gotten good feedback on the talk. Everyone that I talked to about the talk said it was good and useful, which was my ultimate goal.

I am very much looking forward to DerbyCon 2016

This post first appeared on Exploring Information Security.

BSides Augusta gallery and pictures

September 21, 2015

Media

The gallery for BSides Augusta can be found in my Photography section.

BSides Augusta 2015

BSides Augusta, Georgia, September 12, 2015.

My Blue Team Starter Kit talk is available on YouTube.

Impressions

This was my second year attending BSides Augusta. As I've mentioned several times, this is one of the best run security conferences out there. You can tell pretty quickly that the organizers put a lot of effort and time into ensuring everything runs smoothly. This year was no different. I heard Mark Baggett tell one persont hat there were some minor hiccups in the morning. I didn't notice them. The only thing I could tell was that they overlooked the registration line. They had lines divided up into last name, but it was apparent entering the building.

Aside from that, everything else ran smooth for the conference. Speaking of attendance, the number reached 500 this year. That's up from 300 last year, which makes Augusta one of the bigger BSides events. The event is expected to grow even more as the Army continues to grow its cyber command at Fort Gordon.

I didn't get to sit in a lot of talks, but there seemed to be a pretty strong malware theme this year. Joel Esler's "2015 - It's Not Over Yet" and Wes Widner's "Lessons Learned from Analyzing Terabytes of Malware" are two such talks that stood out to me as I hoped from track to track taking pictures. But Paul Melson's "Viper Framework for Malware Analysis" and Alex Rymdeko-Harvey's "Malvertizing Like a Pro" are two more talks that deal with malware. I plan to go back through several of the session's at BSides Augusta after the baseball season is over.

If you live in the South East, I highly recommend BSides Augusta. Especially for security professionals working on a blue team. It's rare for a security conference to have two blue team tracks and I don't see that changing in the future. Put the event on your calendar for next year. I promise you won't be disappointed.

This post first appeared on Exploring Information Security.

Back from vacation: Trends 2015, DerbyCon, and podcast

August 4, 2015

Trends 2015

October 28, 2015, IT-ology will be hosting Trends 2015, which will focus on:

"...the overall digital transformation taking place in society and the associated security issues that come along with it."

The ColaSec group has been asked to help with promoting and finding speakers for the event. The call for presenters is now open. Here are the details:

IT-oLogy presents Trends 2015

Cybersecurity 2020: The Impact of Digital Business on Security

CALL FOR PRESENTERS NOW OPEN

Form to submit: https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod

What is Trends?

An IT-oLogy (www.it-ology.org) hosted annual conference focusing on technology issues and topics that are “trending” nationally as well as regionally/locally. Basically, it heightens awareness around issues that will impact the future of IT-oLogy partners, the local and regional community, and South Carolina in a big way. The conference is kicked off by a presentation from a Gartner analyst.

2015 Topic:

This year’s topic is the overall digital transformation taking place in society (everything is becoming ‘digital’) and the associated security issues that come along with it.

2015 Date/Location:

Trends will take place Wednesday, October 28 fro 9:00 am to 4:30 pm EST at IT-oLogy, 1301 Gervais Street, Columbia, SC 29201.

Call for Speakers:

The 2015 Call for Speakers is now open. We’re looking for talks in the following areas:

Digital Transformation

A massive “digital transformation” is taking place in society and the pace is only accelerating. Industries, as well as organizations and individuals, are being impacted in ways never imagined. What are examples of this transformation? How is it having an impact? Why is it important?

Security, specific to the following areas:

C level/Executive – security issues impacting executives at all levels (decision makers). Those topics executives should be aware of and know about.
Technologists – issues impacting those at a hands-on technical level. Target audience here will be technologists.
Citizen 101 – issues impacting everyday citizens. Things they should be aware of. Examples might include a very basic overview of how to encrypt email and/or attachments (most don’t have a clue), why changing passwords often is a must-do (and how to keep up with all those passwords), and other like issues.

Do you have a presentation? We’d like to hear from you! Please fill out the form and Todd Lewis (todd.lewis@it-ology.org) will respond!

https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod

DerbyCon

While on vacation last week, I was surprised to receive an email from the organizers of DerbyCon informing me that my Blue Team Starter Kit talk was accepted. I was a bit surprised to have my talk accepted, then I was a little terrified to be speaking at one of the biggest and well known security conference in the US. Now I'm really excited to be speaking at the event and I look forward to the experience of not only speaking at DerbyCon but attending the conference as well.

Which leads to my next point. I need to figure out a place to stay. If anyone wants to split a room, get in touch. Also, I'll be driving to Louisville, KY, from Lexington, SC, anyone in between is more than welcome to contact me about a ride. I will be heading to the conference on the 24th of September.

Exploring Information Security

I will be working on getting the podcast feed setup for the Exploring Information Security podcast, so I can submit it to iTunes and begin releasing episodes next week. Feedback and suggestions for future episodes are welcome.

This post first appeared on Exploring Information Security.

CircleCityCon Links

July 6, 2015

I meant to include this on my last post, but I completely forgot. Here are some links to impressions other people had of the CircleCityCon conference that I found perusing my Twitter feed.

My First "Con": Alice in Security Wonderland by Cheryl Biswas

The Power of Community -- Circle City Con Edition by Chris Maddalena

This post first appeared on Exploring Information Security.

CircleCityCon impressions and pictures

July 2, 2015

In mid-June I traveled to Indianapolis, Indiana, to be the photographer for the security conference called CircleCityCon. Click the Gallery link below to see some of my favorite pictures from that conference.

CircleCityCon 2015

CircleCityCon Indianapolis, Indiana, June 12 - 14, 2015.

One of the things I noticed while processing pictures from the security conference were all the smiles people had. The conference was a blast and it appeared that everyone involved was having a pretty good time.

Chris Roberts AKA Sidragon AKA the dude who flew a play "sideways" kicked off the conference, followed by a Space Rogue opening keynote. From there, the conference featured three security talk tracks, and four to six training tracks. DJ Rance and DJ Cy-Fi and DJ Triptych provided some kickass sound for both Friday and Saturday after parties, which included walls lined with old arcade games. Duane & Brando rocked the stage Friday night and MC Frontalot got the hackers dancing Saturday night. There was also a capture the flag (CTF) competition, lock pick village, and activities for kids. It was a well rounded conference, that I would recommend to any security professional.

My favorite part of the conference came during closing ceremonies when announcing how much money they had made for the five charities they were supporting at the conference. I don't remember the exact amount the conference made, but at one point Micheal Smith AKA DrBearSec said they would contribute $200 more to a particular cause to round the total up to $1000. I absolutely loved that and that gesture reaffirmed that I was contributing to something special.

I had a fantastic time. I got to meet a lot of people I interact with online and I also got to meet some new people I hadn't interacted with online yet, but will be in the future. I hope everyone enjoys the pictures and I look forward to next year's conference.

This post first appeared on Exploring Information Security.

Catching up update: CircleCityCon, BSides Augusta, and a 360 music video

June 24, 2015

I've got all the pictures processed for CircleCityCon and sent to DrBearSec for him to do with what he will. In total I processed about 360 pictures. I have two GIF ideas left to put together and then I'll be done with my venture. Look for a post about CircleCityCon and a gallery of some of my favorite pictures from that event.

In the mean time, here is InfoSystir AKA Amanda social engineering here way onto the stage at Dick's Last Resort in Indianapolis for a bachelorette dance off.

My talk, "The Blue Team Starter Kit" has been accepted by the CFP committee at BSides Augusta and I will be presenting there September 12, 2015. This will be my first time presenting at a security conference and I'm very excited about it.

Finally, this is just a really cool music video from Mike Shinoda's project, Fort Minor. Check out the website for a controllable 360 view.

This post first appeared on Exploring Information Security.

Eddie Mize and his fantastic art at CircleCityCon

Catching up: CircleCityCon, ColaSec, and Astros hack

June 17, 2015

It's been a very busy week and it all started last Thursday when I departed for Indianapolis to be the photographer for CircleCityCon. 1300 driving miles and 25 walking miles later and I was back home with 3473 pictures to go through, a ColaSec meeting to get ready for, and a baseball hack to write about.

I've gotten the pictures down to 400+ shots I like and I hope to have something by next week, if not earlier.

Here is the wrap-up post from our ColaSec meetup on Tuesday.

Finally, here is my writeup on Astros County regarding new information involving the Astros hack from last year. The Cardinals did it!

This post first appeared on Exploring Information Security.

Heading to CircleCityCon

June 10, 2015

Early Thursday morning I will depart South Carolina and head North to Indianapolis, Indiana, for the three day security conference called Circle City Con. The conference is a three day event with training, speakers, and nightly entertainment that begins June 12, 2015, and ends June 14, 2015.
I am signed on as the photographer of the event to document with pictures all the fun things.

I would love to meetup with anyone going that I know, or even don't know. If you see me walking around the con stop me and say, "hi." Also, if anyone lives between South Carolina and Indiana and needs a ride, let me know. We might be able to work something out.

Check out what the lucky @CircleCityCon 2015 attendees will be getting at the event next weekend! pic.twitter.com/CUTnRkwS8G
— SyncStop (@SyncStop) June 4, 2015

This post first appeared on Exploring Information Security.