Data Driven Security - all about the analytics

I've been remiss in my blogging duties. I've had some changes in my life recently, but I'd like to get back to posting on a regular basis, and there's not really a good reason why I shouldn't be able to do that. Allow me to rectify my absentmindedness by talking about the book Data-Driven Security by Jay Jacobs and Bob Rudis.

This was a wonderful book to read as an information security professional. As information security matures (and the world in general), metrics and analytics are going to become a bigger part of the field. We see sabermetrics taking over baseball and other sports for the simple fact that it helps organizations gain a deeper understanding of what they have, which leads to making better decisions. Those same strategies can help many professional fields, including information security.

Each chapter of the book covers a different scenario in which data is analyzed to answer an infosec-related question. It also discusses the art of visualization and how to make communicating numbers more useful to people (*cough*executives*cough*). The book exposes the reader to the wonderful world of Python and RStudio, both of which are used to analyze and make sense of the data, without requiring too much previous knowledge. Each chapter walks the reader through exercises utilizing pre-built Python scripts in RStudio, just enough to whet the appetite.

What I really enjoyed about the book was that it was easy to read. It wasn't bogged down with numbers or big words. Of course, I'm not exactly a newb to reading about statistical analysis. Still, I think people with some interest in data-driven security will find the book a fairly easy read. It's a great starting point for those wanting to explore a discipline in security that is likely to become more and more relevant as security and data mature.

This post first appeared on Exploring Information Security.

The return of the Exploring Information Security podcast

A year ago, I started an information security podcast that explores different topics and disciplines within the field. I stopped producing the podcast because I had too many things going on at the time and my final year of school was about to start. I was overwhelmed and that was an easy project to stop doing. A year later and I've found myself with more time and a desire to continue the project I started a year ago.

This week I have two interviews lined up with more expected in the coming weeks. My plan is to launch in early August. I will be putting the first three episodes I did last year up on iTunes and then begin releasing the episodes weekly. All seven episodes I did last year can be found at http://www.timothydeblock.com/eis/. I will continue to release episodes there, as well as on your favorite podcast directory.

CircleCityCon gallery is up and bonus GIFs

All the CircleCityCon pictures are now available on Flickr.

Below are some GIFs I made from the pictures I took.

DJ Rance giving CircleCityCon attendees something to bounce to.

[GIF: DJRevRance.gif]

Who's behind the mask?

Here are the ladies of CircleCityCon having some fun during their "photo shoot."

BSides Nashville video project

I will be traveling to Nashville, TN, to attend BSides this weekend. For the second year in a row I will be running around the conference taking pictures. I'll also be shooting video this year, as part of my final project for a cinematography course I'm doing.

The idea is that I want to show hackers in a more positive light via a documentary style. The project is only required to be a few minutes long, so I won't need a ton of footage. I would like to set up some interviews beforehand with some people to ask them what the term "hacker" means to them. I also want to set up some interactions to shoot that highlight some of the words people use in their interview. For example, for words like family or community, I can use shots of people hugging, high-fiving, etc. For curiosity and a desire to learn, I can use lock picking and shots of people in talks.

This is going to be a very fluid thing so I'd love to get the interviews done, then move onto getting shots of the conference. If anyone would be willing to help me with either item, I would very much appreciate it. Email me at timothy.deblock[at]gmail[dot]com.

Information security podcast review

There are a lot of good information security related podcasts out there. Here are the ones I listen to and my impressions of the show. In no particular order.

PVC Security Podcast - FULL DISCLOSURE: I produce this show and would appreciate any feedback you have for the show, positive or negative.

I love the passion and fun Paul and Ed bring to the show. They speak their mind and have some fun doing it. I take the quality of a show very seriously, both from a technical and non-technical standpoint, and I was happy to find that Paul and I share a lot of those same philosophies in the production of an audio show. We're only 10 episodes in, so we're still figuring some things out. When we created the podcast we decided that it wouldn't cover news topics (though I did make them cover Sony) like several of the other podcasts. Instead we wanted to focus on how to become a better information security professional and how to facilitate an improved security culture within an organization.

Security Weekly - This was one of the first podcasts I was able to find on information security, and it's easily one of the top podcasts in the infosec community. It can get a little vulgar and can get a little off track, but the co-hosts are very knowledgeable and entertaining. It can get a little long, usually running 60-90 minutes, but that includes an interview, a demo and a news segment. Of the three segments the interviews are the best. I have gotten more information, ideas and tools out of this podcast than any other podcast I've listened to.

Down the Security Rabbithole - If you're into enterprise security and want a more top-level view of information security, this is the podcast for you. They cover topics from an executive level as well as dive into the legal aspects of information security. They do cover news topics but do it from a much broader viewpoint. My only gripe with the show is that the audio quality can be lacking at times, the main issue being the co-hosts being at different volume levels throughout the show. The audio quality seems to be getting better, though.

Risky Business - The best information security podcast out there. Patrick Gray is the Australian-based host and producer for the show. The production value of the podcast is high and it is well structured. He always has good, interesting interviews and covers the news in an entertaining, light-hearted way. If you're looking for only one security podcast to listen to, this has to be it.

Crypto-Gram Security - This is Bruce Schneier's monthly podcast that basically has Dan Henage reading the articles Schneier posted on his website. Depending on how often Schneier writes, this podcast can be anywhere from 15-45 minutes long. Dan does a great job reading and producing the podcast. It's a nice way to listen to Schneier's articles. I usually pick up new things in the podcast that I missed reading his articles.

Defensive Security - This is another well-produced show that takes a blue team approach to discussing topics and news items. From a technical aspect everything is sound. From a presentation standpoint it could use more energy. It is a good podcast that takes a slightly different angle on information security.

Data Driven Security - This is the latest show I've picked up, and I've loved the two episodes I've listened to so far. The topic, as the title suggests, is data within information security, which might not appeal to everyone. Still, it covers metrics within security, which is very much needed in every organization. I'm looking forward to seeing what I can learn from this show.

Hacking the movies

In the first month of 2015 a new hacker movie is set to come out called Blackhat. The movie is about a convicted blackhat hacker getting recruited by the government to track down another hacker causing mayhem and destruction. It looks fascinating and I plan to see it at some point and hopefully review it on the site.

In the meantime here are the hacker movies (in no particular order) I have seen and what I've thought of them.

Hackers - 1995

Very entertaining movie. It's been a while since I've seen it, but there are a lot of very memorable scenes that I can recall. It was also referenced at the most recent DEF CON by Wesley McGrew when he hacked the pineapples people tried to use at the security conference.

Sneakers - 1992

I recently watched this movie for the first time and I was a little disappointed that I've missed out on this wonderful movie for the past two decades. It uses a lot of techniques pen testers use today to break into an organization and it's got a top-notch cast: Robert Redford, David Strathairn, Dan Aykroyd, Timothy Busfield, Mary McDonnell and Donal Logue. I'm pretty sure the logo for the Blackhat conference comes from this movie.

Swordfish - 2001

I've read on Twitter that the hacking scenes in this movie are bullshit (I haven't watched it since getting into infosec) and they probably are, but that doesn't make it any less entertaining. The hacking part of the movie is simply there to push the story along to John Travolta shooting people while standing in a sports car and helicopters making buses fly. I watched this movie several times in my younger years.

Die Hard 2 - 1990

It might be a little bit of a stretch to call Die Hard 2 a hacker movie, but I just watched it recently and think it's totally a hacker movie. A rogue military group takes over Dulles airport to free a drug lord being extradited to the U.S. They hack into the Dulles airport tower and seize control of all the systems. There's not a lot of actual hacking, but there is quite a bit of social engineering that provides a nice twist towards the end of the movie.

Live Free or Die Hard - 2007

This Die Hard actually did have quite a bit of hacking in the movie, and for the life of me I don't remember a whole lot about it. I thought it was a solid movie, though of course not as good as the other Die Hard movies. I'll be watching it again sometime in the near future.

Office Space - 1999

In an interview I was once asked to name my three favorite movies. This was one of the movies I answered with and, as expected, I didn't get the job. This movie isn't about hacking, but it's one of the key elements of the film when Peter, Michael and Samir upload a virus to try and rip off the company that's about to fire them. It's a good example of insider threat now that I think about it. It's still one of my favorite movies of all time, and if employers can't handle that, that's their problem.

The Matrix - 1999

I'm still not sure if this should be considered a hacking movie, but it uses hacking as the gateway into the real world and out of the dream state that is the Matrix. It's a visually stunning, action-packed movie that still holds up today. The other movies, not so much.

Tron - 1982

This falls along the same lines as The Matrix. A visually stunning movie that uses hacking as a gateway into another world. Tron: Legacy (2010) is even more stunning but, like the Matrix sequels, falls short of the original. The soundtrack is good, though.

The Italian Job - 2003

There's quite a bit of hacking from "The Napster" (Seth Green) as well as some social engineering. I would have to watch the movie again (it's free on Amazon Prime, at the moment), but from what I recall there wasn't a lot of messing about with hacking techniques. Lyle (Seth Green) was in and out and probably highlighted a weakness in traffic equipment that has become a bit more relevant today. Though, it seems to be used more as a prank than for a brilliant plan to steal a ton of gold bars.

The Social Network - 2010

Facebook all started with the hacking of the Harvard network by Mark Zuckerberg, according to the movie. The hacking seemed pretty legitimate in the movie, though I'll need to go to the judges on that one. It played a small role at the beginning of the movie and that was about it. Then it turned into a programmer and developer movie. I thought the movie was good and enjoyed it thoroughly. Like a few other movies that only have small parts of hacking, this probably shouldn't make the list, but it's on the Wikipedia list so there's that.

What about you?

What are some movies you enjoyed or hated that included hacking? What did I miss and what should I see? Which ones incorporate the best hacking techniques?

Happy New Year!

Blackhat trailer numero uno

Yes, this is in fact a movie about a hacker.

I'm not sure if it's going to be a hacking movie, but Thor...excuse me, Chris Hemsworth is a hacker who has been put away by the US government for 15 years. He's released to help the US government hunt down another hacker attacking US infrastructure.

On top of being a "genius hacker and coder from MIT," he also apparently kicks ass like Thor and can handle a gun, at least in the trailer. It will be interesting to see whether the hacker role is significant or a side role in this movie. The term blackhat, for those who don't know, is used to denote hackers who are of a criminal nature, or who use their "powers" for self-gain. The hope is that the studio using the title "Blackhat" for one of its movies about hackers would ensure that there is at least some relevancy to its correct usage. But Hollywood can be Hollywood sometimes.

It looks like an interesting movie, though.

Michael Mann is one of the main players behind the scenes of this movie, with director, screenplay, story and producer credits. Some of the other movies he's known for include: Heat; Public Enemies; The Insider; and The Last of the Mohicans (IMDB). The dude has been nominated for an Oscar four times. If you browse his IMDB page you'll get an idea of what kind of movie this is likely to be. Of the movies I've seen that he's been involved in: Hancock; Miami Vice; and Ali. All solid movies in my opinion.

Will this be a true hacker movie? Unlikely, but nothing will be if Hollywood is involved.

Will this be an entertaining movie about hackers? There's a very good chance.

Movie expected release date: January 16, 2015.

Monday morning links September 22, 2014

For Sale Soon: The World's First Google Glass Detector - Andy Greenberg - Wired

“Basically it’s a wireless defense shield for your home or place of work,” says Oliver. “The intent is to counter a growing and tangibly troubling emergence of wirelessly capable devices that are used and abused for surveillance and voyeurism.”

"Hobbes and Bacon" is a "Calvin and Hobbes" tribute that takes place 26 years later - Free Republic

This was posted two years ago and is just simply awesome. If you read Calvin and Hobbes growing up you'll really enjoy this.

Presentation in the information security community

I am a media arts student who works in information security.

Coming out of high school I knew I was going into the military. I didn't know a lot about myself back then, but I knew that if I went to college it would be a waste of my parents' money. Once I completed my service in the Navy, I decided that I was going to go straight into the workforce. I mean, who wouldn't want a fresh military veteran with six years of experience working on electronics instead of some wet-behind-the-ears kid fresh out of college? So I naively entered the workforce, and things didn't go exactly as I planned as far as landing a job, but I eventually worked my way up the IT ladder to the security position I currently hold.

During that climb I did make the decision to apply for college on a part-time basis. I had paid into the GI Bill, so there was no reason not to. One class a semester was easy enough, but likely meant I wouldn't be finishing college in under 20 years. That changed when the government decided to change the way the GI Bill worked. Instead of just getting my classes paid for, I was going to get my classes paid for and extra money each month I was in school. The only catch was that I needed to take over six hours a semester, which was roughly three classes. Not exactly easy, but also not impossible.

Initially, when I started taking classes I had decided that I wasn't going to go for a tech degree. I had worked with electronics and IT systems for six years while in the Navy. If I was going to take classes, I wanted to learn something new. I ended up in the media arts degree program.

I don't regret the choice.

I would love to have a tech degree for career advancement purposes, but most job postings include the 'or education can be substituted with experience' caveat, and I have plenty of that. A media arts degree isn't ideal for a technical career and I wouldn't recommend it to anyone; however, I do think it has its benefits. Attention to detail is something the military taught me and my media arts degree has helped me refine. Every excellent piece of work you see or hear has attention to detail. Every little detail in the work has a purpose and a reason. You might not pick it out, but it's there and can subconsciously elicit enjoyable responses from you, or, if there is a lack of attention to detail, a piece of work can elicit a negative response from you.

What I'm getting at is presentation, and more specifically presentation within the infosec community. The infosec community has a tough job, not only technically but also in getting people and organizations to buy into information security ideas and solutions. Presentation is very important, not only within the community but also outside the community. I don't think the community's presentation is bad; in fact, I've seen a lot of good presentations, but I do think it can be improved, and I'm hoping that's something I might be able to contribute to.

For example (and the reason for this post):

I came across this website from CarolinaCon, a security conference in North Carolina.

CarolinaCon

Now, before I critique this site I want to make note that I am trying to provide constructive feedback here. I am not calling the creator a dunderhead or the event stupid. I simply think the site can be improved. I absolutely love the logo. I think it's creative and unique among security conference logos. I even like the colors, but what I don't like is using the colors for the rest of the website. Black on red, or red on black, or any other dark-on-dark colors is never a good combination for a website. Same goes for bright-on-bright colors. Gray on black is also not the best idea, but it's workable. The color scheme is a real eyesore and makes the whole website hard to read.

If we look at the website of DEF CON, another security conference, which uses black for its background, we see that they're using a lot of light blues and light purples, which is much more pleasing to the eye.

They are using grey, but it's a much lighter grey in most places and the other light colors help balance it out.

Not to totally rag on CarolinaCon; it has built some pretty good websites in the past. At the bottom of their main page are links to some of the previous iterations of the site. Last year's site was pretty good.

The light blue and orange on black is a good combination and the site is much more pleasing to navigate. The 2012 site is also much more pleasing to the eyes.

Like with anything we do in life, how much thought and effort you put into something is what you're going to get out of it. In regards to content you are presenting to others, it's also what other people are going to get out of it. If you want to get your message across, content needs to be created with the viewer in mind. They will essentially get out of it what you put into it. If content is just slapped on, then it's going to feel like a slap to the face of the viewer, and that can have a negative impact on your message.

Getting a media arts degree probably wasn't the smartest decision I made for my career, but I think I can make some use of it. I hope to do more posts like this that highlight and discuss some of the good and bad things done in presenting the information security message. If you have comments or questions please leave them in the comment section below or contact me directly. I would love to hear your thoughts.

Exploring information security: new podcast art

I completely whiffed on a link post this morning. I had a good, but dumb weekend (if that makes sense). One of the things I managed to accomplish this weekend was putting together some podcast art, with the help of some friends (Ryan, Adam, Win and Hope, thank you!).

[Image: EIS_PodcastArt.jpg]

Now I just need to get the RSS feed together and the podcast will be ready to be submitted to a podcast directory near you.

Feedback is certainly welcome.
