How information security professionals should interact with the media - part two

In this exciting edition of the Exploring Information Security podcast, Steve Ragan of CSO joins me to discuss how information security professionals should interact with the media.

Steve (@SteveD3) prior to becoming an InfoSec Journalism Wizard for CSO he spent 15 years as an IT contractor. Last year Steve gave talks on how to interact with the media at conferences such as CircleCityCon and DerbyCon. With information security getting more play in the media recently it's important that we all have a basic understanding of how to interact with the media.

In this episode we discuss:

  • Interacting with different types of media
  • Contacting media to make a correction
  • The difference between on-the-record and off-the-record
  • Don't be afraid to talk to the media
  • Steve tells a story about getting his Skype hacked.

How information security professionals should interact with the media - part 1

In this exciting edition of the Exploring Information Security podcast, Steve Ragan of CSO joins me to discuss how information security professionals should interact with the media.

Steve (@SteveD3) prior to becoming an InfoSec Journalism Wizard for CSO he spent 15 years as an IT contractor. Last year Steve gave talks on how to interact with the media at conferences such as CircleCityCon and DerbyCon. With information security getting more play in the media recently it's important that we all have a basic understanding of how to interact with the media.

In this episode we discuss:

  • Who is the media?
  • Where would someone interact with the media?
  • Reaching out to the media
  • What does a bad interaction look like?

How to network in information security - part 2

In this edition of the Exploring Information Security podcast, I discuss with Johnny Xmas how to network in information security.

Johnny (@J0hnnyXm4s) is a penetration tester for Redlegg and an accomplished speaker at security conferences around the United States and Iceland. One of Johnny's more recent talks is titled "That's not my RJ45 Jack" which covers, among other topics, how to interact with people. I saw this talk in April when I went to BSides Nashville and it has a lot of good information that can be applied to networking with people in general.

In part two we discuss:

  • Resources for getting better at networking
  • Some of the challenges of learning to network

How to network in information security - part 1

In this edition of the Exploring Information Security podcast, I discuss with Johnny Xmas how to network in information security.

Johnny (@J0hnnyXm4s) is a penetration tester for Redlegg and an accomplished speaker at security conferences around the United States and Iceland. One of Johnny's more recent talks is titled "That's not my RJ45 Jack" which covers, among other topics, how to interact with people. I saw this talk in April when I went to BSides Nashville and it has a lot of good information that can be applied to networking with people in general.

In part one we discuss:

  • What is networking?
  • How can Twitter be leverage to strengthen and improve your network?

How to play a CTF

In this thrilling edition of the Exploring Information Security Podcast, I talk with David Coursey about how to play capture the flag (infosec-style).

David (@dacoursey) is one of the organizers of the Charleston ISSA chapter. At DerbyCon 2014 he experienced his first CTF. He had such a good time that he decided to put together the CTF for BSides Charleston two months later. Through those experiences he has learned a lot and has participated in many more CTFs this past year.

In this episode we discuss:

  • What is a CTF event?
  • What is needed to get starter?
  • How to play a CTF?
  • How to win a CTF?
  • What makes for an excellent CTF

How to deal with the "experience required" paradox

In this exciting edition of the Exploring Information Security (EIS) podcast, I talk with Jerry Bell about overcoming the "experience required" requirement on infosec job postings.

Jerry recently had a blog post on his site (malicious link) titled, "Dealing With The Experience Required Paradox For Those Entering Information Security." It is a wonderful article with actionable items on what people can do to overcome that stipulation on job postings. Jerry is also a co-host for the Defensive Security podcast.

In this episode we talk about:

  • Activities that can be done to overcome "experience required"
  • Who is does this requirement apply
  • Our own personal experiences and suggestions for overcoming the paradox

What certifications are available for infosec professionals?

In this episode of the Exploring Information security (EIS) podcast, I talk with Ralph Collum of Training Concepts about the certifications available for information security professionals or those looking to get into information security.

Ralph (@Optimus__Prime) holds many infosec related certifications and is also an instructor of courses meant to help people get certified. Certifications are not a finish line for professionals. They are, instead, more of starting point for professionals. Getting certified means that a certain level of knowledge has been achieved.

In this episode Ralph and I discuss:

  • Why someone should get certified?
  • What certifications are available?
  • How to get certified
  • When should someone get certified?
  • Which certifications are the best?

My DerbyCon talk - The Blue Team Starter Kit

In this special episode of the Exploring Information Security (EIS) podcast, my Blue Team Starter Kit talk from DerbyCon.

I had the wonderful opportunity to speak at DerbyCon this year. The overall experience was amazing and I am thankful and honored to speak at such a great event. I was placed in the stables track with a 20-25 minute talk, which makes the recording perfect for this podcast. A huge shoutout and thanks to Adrian Crenshaw for all his work in recording talks for conferences. The information security community would be lesser without him.

In my talk I discuss several challenges and tools to meet those challenges, including:

What is the perception of information security - part 2

In the second episode of the refreshed edition of the Exploring Information Security (EIS) podcast (wow, that's a mouthful), I talk with Chris Maddalena about the perception of information security.

Chris recently gave a talk on FUD at BSides Detroit and CircleCityCon this past Summer, prompting me to explore the topic of information security perception with him. I think perception is something very important to the infosec community, especially, now that it is becoming more relevant in the public eye.

In part two of this two part series we talk about perception:

  • Security can be a friendly face.
  • The word hacker.
  • Developers vs. security.

What is the perception of information security - part 1

In the second episode of the refreshed edition of the Exploring Information Security (EIS) podcast (wow, that's a mouthful), I talk with Chris Maddalena about the perception of information security.

Chris recently gave a talk on FUD at BSides Detroit and CircleCityCon this past Summer, prompting me to explore the topic of information security perception with him. I think perception is something very important to the infosec community, especially, now that it is becoming more relevant in the public eye.

In part one of this two part series we talk about perception

  • What is the perception of infosec in business?
  • How do we change the perception of security?
  • We start getting into where security fits in an organization

What is CircleCityCon?

In the ninth edition of the Exploring Information security (EIS) podcast, I talk with Grap3 Ap3 and Dr. BearSec about the security conference CircleCityCon.

Both Grap3 Ap3 and Dr. BearSec are organizers for the wonderful event. In this episode they talk about the origins of the conference, some of the challenges of putting the conference together, the atmosphere of the conference, and what attendees can expect for next year. Follow Grap3 Ap3 (@grap3_ap3) and DrBearSec (@drbearsec) and of course the conference (@CircleCityCon) on Twitter.

In this interview we cover:

  • What is CircleCityCon?
  • How did it get started?
  • The challenges of putting the conference together
  • What to look forward to in 2016

What is security awareness?

In the refreshed edition of the Exploring Information Security (EIS) podcast, I talk to Amanda Berlin AKA @Infosystir about security awareness. 

Amanda was charged with setting up a security awareness program for her company from scratch. Setting up a security awareness program is hard work, making it effective is even harder, but Amanda rose to the challenge and came up with some creative ways to help fellow employees get a better handle on security.

In this interview we cover:

  • What is security awareness?
  • How a security awareness program should be implemented.
  • What does an effective security program look like?
  • How do you measure the effectiveness of a security awareness program

How to ZAP your websites

Originally posted on September 11, 2014.

In the seventh edition of the Exploring Information Security (EIS) podcast, I talk with Zed Attack Proxy (ZAP) creator and project lead Simon Bennetts.

Simon is the project lead for ZAP an OWASP Open Web Application Security Project. He has a developer background and originally built the tool to help developers build better applications. The tool was so good that it caught the eye of the security community and is now used by developers, people just getting into security and veteran pen testers. You can follow him on Twitter @psiinon and find out more on the tool by going to the project site on OWASP.

In this interview we cover:

  • What is ZAP and how did the project get started?
  • Who should utilize ZAP?
  • What skill level is need to start using ZAP?
  • Where should ZAP be used?
  • How you can get involved in the project.

How to use PowerShell for security

Originally posted on August 27, 2014.

In the sixth edition of the Exploring Information Security (EIS) podcast, I talk with PowerShell guru Matt Johnson a founder of PoshSec.

Matt Johnson has spoken at conference's like GrrCon and DerbyCon on using PowerShell for security. He also has his own podcast titled, Leveled up Infosec Podcast and he's the founder of PoshSec. You can catch Matt tweeting about security on Twitter @mwjcomputing.

In this interview we cover:

  • What is PowerShell
  • How to get started using PowerShell
  • How to best utilize PowerShell for security
  • Available resource
  • What mistakes can be made using PowerShell for security

What is BSides Augusta?

In this episode of the Exploring Information Security (EIS) podcast, I talk with one of the organizers of BSides Augusta, Doug Burks.

2015 will be the third year for the security conference and it looks to be even bigger and better than last year. This year the conference features a two blue team tracks, a red team track, CTF challenge, a lock pick village, and much more.  Doug also talked about his own conference that leads into BSides Augusta, the Security Onion conference. BSides Augusta is sold out, but the Security Onion conference still has tickets available.

Security Onion Conference - September 11, 2015 - Tickets available

BSides Augusta - September 12, 2015 - SOLD OUT with waiting list

In this interview Doug discusses:

  • What is BSides Augusta
  • How the security conference got started
  • The blue team atmosphere
  • The Security Onion conference

What is threat modeling?

Originally posted August 13, 2014.

In the fifth edition of the Exploring Information Security (EIS) podcast, I talk with J Wolfgang Goerlich, Vice President of Vio Point, about threat modeling.

Wolfgang has presented at many conference on the topic of threat modeling. He suggests using a much similar method of threat modeling that involves threat paths, instead of other methods such as a threat tree or kill chain. You can find him taking long walks and naps on Twitter (@jwgoerlich) and participating in several MiSec (@MiSec) projects and events. 

In this interview Wolfgang covers:

  • What is threat modeling?
  • What needs to be done to threat model
  • Who should perform the threat modeling
  • Resources that can be used to build an effective threat model
  • The life cycle of a threat model

What is cryptography?

Originally posted July 30, 2014.

In the fourth edition of the Exploring Information Security (EIS) podcast, I talk to the smooth sounding Justin Troutman a cryptographer from North Carolina about what cryptography is.

Justin is a security and privacy research currently working on a project titled, "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. Be sure to check out his website for more information.

In the interview Justin talks about

  • What cryptography is
  • Why everyone should care about cryptography
  • What some of it's applications are
  • How someone would get started in cryptography and what are some of the skills needed

What is a Chief Information Security Officer (CISO)

Originally July 9, 2015.

In the third edition of the Exploring Information Security (EIS) podcast my infosec cohort Adam Twitty and I talk to the Wh1t3 Rabbit, Rafal Los, about what exactly a Chief Information Security Officer, otherwise known as CISO, is.

Rafal Los (@Wh1t3Rabbit) is the Director of Solutions Research at Accuvant. He produces the Down The Security Rabbithole podcast and writes the Following the Wh1t3 Rabbit security blog. On several occasions he's tackled the CISO role within an organization on both his podcast and blog.  I would highly recommend both if you're in the infosec field or looking to get into it.

In the interview Rafal talks about:

  • What a CISO is
  • What role does a CISO fill in an organization
  • Who skills are needed to be an effective CISO
  • The different types of CISOs

How to organize an information security conference

Originally posted on July 2, 2015.

In the second edition of the Exploring Information Podcast (EIS) my infosec cohort Adam Twitty and I talk to Ed Rojas about how to put together an information security conference.

Ed Rojas (@EdgarR0jas) is a Master Consultant for HP Enterprise Security and the creator of Security Zone information security conference in Columbia and the organizer of the BSides Nashville security conference. I had the pleasure of attending BSides Nashville this year and got the opportunity to snap a few pictures. Ed was a very accommodating and passionate host for the event. 

In this interview Ed talks about:

  • The first step to organizing a security conference
  • The time and effort it requires
  • How to pick the right date
  • The biggest challenges putting together an event
  • Some of the mistakes that were made
  • Where to host the event

How to get into information security

Originally posted June 25, 2014

I've been wanting to do a podcast, for a while now, on information security. I wasn't sure what I wanted the objective of the podcast to be. Most of the information security podcasts out there, or at least the ones I listen to, usually do a guest interview and cover some of the latest news and happenings within the information security. I didn't want to spin up, yet, another one of those.

Instead I've decided to spin up a podcast that explores the world of information security. One of the things I've been hearing the infosec community needs are people to teach security to those inside and outside the community. I am still very much in the early stages of my career as an information security professional and trying to learn as much as I can. I thought a podcast that allowed me to share what I've learned and explored would make for a great podcast. So here we are and my first podcast is about how to get into information security.

To explore that topic I decided to do an interview with VioPoint consultant and roundhouse master Jimmy Vo (@JimmyVo). We covered how he got into information security and also talked about some of things people on the outside looking in can do to get into information security.

Feedback is very much appreciated and wanted. Leave them in the comment section or contact me via email.