What's happening at DerbyCon 2018 - Part 2

In this Hyatt recorded edition of the Exploring Information Security podcast, Micah Hoffman, Josh Huff, and Justin Nordine.

Micah (@WebBreacher), Josh (@baywolf88), and Justin (@jnordine) join me to go over a variety of topics at DerbyCon 2018. The Hyatt was kind enough to provide space near the bar (shout to the amazing Lauren).

In this episode we discuss:

  • Why other industries don’t use OSINT

  • Where to find your niche

  • What are some frustrations of mentorship

  • How apps are impacting our lives

What's happening at DerbyCon 2018 - Part 1

In this Hyatt recorded edition of the Exploring Information Security podcast, Micah Hoffman, Josh Huff, and Justin Nordine join me at DerbyCon 2018.

Micah (@WebBreacher), Josh (@baywolf88), and Justin (@jnordine) join me to go over a variety of topics at DerbyCon 2018. The Hyatt was kind enough to provide space near the bar (shout to the amazing Lauren).

In this episode we discuss:

  • What OSINT classes and projects everyone is working on

  • Why contributing is important

  • What value conferences like DerbyCon provide

  • Why hotels hate accountant conferences

What is advanced OSINT?

In this whiskey fueled edition of the Exploring Information Security podcast, Ryan MacDougall and Colin Hadnagy of Social Engineer join me to discuss advanced OSINT.

This past DerbyCon, I had the opportunity to take the Advanced OSINT with Ryan (@joemontmania) and Colin (@UnmaskedSE). The course was great! It was different from some of the other OSINT courses I’ve taken. They covered very specific techniques and tools. After presenting on those techniques and tools we were given the opportunity to dive in from a free-form standpoint.

If you’d like to take the training, signup for their April 23-24, 2019, training in Denver Colorado.

Also, you can catch Ryan at the First Pacific Hackers Conference, November 9-11, 2018.

In this episode we discuss:

  • What is advanced OSINT

  • What is the mindset needed for OSINT

  • What are some of the tools used for OSINT

  • How to phish an organizationa

How to achieve security awareness through social engineering - Part 2

In this ranty edition of the Exploring Information Security podcast, Jayson E. Street joins me to discuss how to achieve security awareness through social engineering.

Jayson (@jaysonstreet), is the VP of Information Security at Sphereny. He and April Wright (@aprilwright) are doing training at both Black Hat and DerbyCon on how to achieve security awareness through social engineering. The training focuses on helping blue team members setup effective security awareness programs.

In this episode we discuss:

  • How to communicate with executives

  • Why we need to empower users

  • What happens when Jayson plays video games

  • Why shock value is important

How to achieve security awareness through social engineering - Part 1

In this ranty edition of the Exploring Information Security podcast, Jayson E. Street joins me to discuss how to achieve security awareness through social engineering.

Jayson (@jaysonstreet), is the VP of Information Security at Sphereny. He and April Wright (@aprilwright) are doing training at both Black Hat and DerbyCon on how to achieve security awareness through social engineering. The training focuses on helping blue team members setup effective security awareness programs.

In this episode we discuss:

  • Why security awareness is important
  • What our own experience is with training people
  • What's in the training
  • How to talk to communicate effecitvely

What's happening at DerbyCon?

In this legacy edition of the Exploring Information Security podcast, Ben Miller (@securithid) , Cliff Smith (@BismithSalamandr) , Paul "BubbaSec" Coggin (@PaulCoggin) , Dave Chronister (@bagomojo), Sean Peterson (@SeanThePeterson), and Jimmy Byrd (@Jimmy_Byrd) (and briefly @aprilwright ) join me to talk security.

 This is likely the last podcast conference special of the year. It's a good one. We had quite the crew to record this one and got very in-depth and deep on topics related to infosec. Big shout out and thanks again to Dave for bringing the mics and participating in the podcast.

I've been pleasantly surprised with how this and the other podcasts have turned out. I've gotten some great feedback and I plan to do more of these in the future. It was also floated to me that we record one of these as a panel at one of the conferences. We'll see.

In this episode we discuss:

  • The legacy of DerbyCon and what the future holds.
  • What it's like at a developer conference?
  • Is there security fatigue?
  • Patch your shit.

Resource we discussed:

How to get a DerbyCon ticket

In this scavenger edition of the Exploring Information Security podcast, I provide tips on getting a ticket to DerbyCon.

DerbyCon tickets went on sale May 6, 2017. Two minutes before the official release time, tickets were already sold out. This led to some controversy surrounding the release of tickets five minutes before. This was something that the conference has done for years. Last year the conference sold out in hours. This year it became a problem. There is still plenty of time to secure a ticket. Here are some ways to do that (h/t @PyroTek3).

DerbyCon Twitter account: DerbyCon plans to release more tickets in smaller batches. Watch their Twitter account for more information.

Watch Twitter: Plans change. People will be selling tickets leading up to the conference. Expect an increase in people looking to sell their tickets the month before the conference. I would also recommend paying attention for when speaker notifications go out. Usually around early August.

Submit a talk: The year I began speaking, I got accepted to speak at DerbyCon. The conference prefers new talks and loves new speakers. If you have an idea go for it. You never know. 

Volunteer: It takes a lot of people to run a conference. Volunteers get a free ticket to the con. You will have to work the conference. Which also may result in making some new friends and connections.

Sponsor the conference: DerbyCon is still looking for sponsors. Included in the sponsor package are tickets to the con.

Contests: Keep a look out for contests involving tickets. For example the Brakeing Down Security podcast is putting on a CTF for DerbyCon tickets. 

What I learned at DerbyCon

In this enlightening episode of the Exploring Information Security podcast, I talk about what I learned at DerbyCon.

This was my second trip to DerbyCon. Last year was a wonderful experience. This year was much the same. While at the conference I had some takeaways that I wanted to share on the podcast (Also, I've been slack in getting guests on the show lately).

In this episode I discuss:

What is DerbyCon?

In the return of the Exploring Information Security podcast, I explore DerbyCon with Adrian Crenshaw AKA Irongeek.

Adrian (@Irongeek_adc) is one of the founding members of DerbyCon. Last year I went to DerbyCon for the first time. I had an absolute blast and I happy that I am getting an opportunity to go again this year. The talks are all fantastic, but even better are the connections that can be made at the conference. DerbyCon is in Louisville, Kentucky, September 21 - 25, 2016. The conference is sold out, but tickets can be usually found by watching Twitter for people selling tickets.

DerbyCon videos are up.

In this episode we discuss:

  • The origins of DerbyCon
  • All the events and activities available
  • How to get involved in the conference
  • BONUS: How to get accepted at DerbyCon

Other resources:

My DerbyCon talk - The Blue Team Starter Kit

In this special episode of the Exploring Information Security (EIS) podcast, my Blue Team Starter Kit talk from DerbyCon.

I had the wonderful opportunity to speak at DerbyCon this year. The overall experience was amazing and I am thankful and honored to speak at such a great event. I was placed in the stables track with a 20-25 minute talk, which makes the recording perfect for this podcast. A huge shoutout and thanks to Adrian Crenshaw for all his work in recording talks for conferences. The information security community would be lesser without him.

In my talk I discuss several challenges and tools to meet those challenges, including: