How to prepare for the OSCP - Part 1

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • What is the OSCP and OSCE
  • Why someone should pursue the OSCP
  • What is the test like
  • How Chris' first attempt went

More resources (h/t @KrvRob):

What are the steps to secure application development?

In this getting started episode of the Exploring Information Security podcast, Jim Manico joins me to discuss the steps (or rather phases) to secure application development.

Jim (@manicode) is an active member in the application security field. He's been a board member for OWASP. He's a regular speaker at OWASP conferences and he provides appsec training nine months out of the year. I recently had the opportunity to tune into a webinar put on my Jim discussing the steps to secure application development. He's got a wealth of knowledge and provides actionable advice for anyone wanting to move in that direction.

In this episode we discuss

  • How Jim got started in appsec
  • Why secure application development is important
  • What the steps are to get started
  • Who should be implementing application security

Why is passion an infosec requirement?

In this strong episode of the Exploring Information Security podcast, Chris Sanders CEO of Applied Network Defense and founder of the Rural Technology Fund joins me to question why passion is an infosec requirement.

Chris (@chrissanders88) recently put up a blog post titled, The Cult of Passion. In this post he discusses the concept of passion being a requirement in information security. This is something I've railed against in the path. Like Chris I think it sets the bar higher for those trying to get in. They feel like they have to spend 18 hours of their day doing infosec related things. That is in fact not the case and there are plenty of successful people in infosec that don't eat, sleep, and breath infosec.

In this episode we discuss:

  • What is passion?
  • What is some of the psychology around passion?
  • Why passion isn't a reliable measure for hiring managers.
  • What should people be focusing on instead of passion?

How to join the infosec community - part 2

In this inclusive episode of the Exploring Information Security podcast, Micah Hoffman, a certified SANS instructor, joins me to discuss how to join the infosec community.

Micah (@WebBreacher) gave a talk at BSides DC last year on joining the infosec community. For Micah it took him a while to get involved. He jumped right into the deep end by going to DEFCON. Several years later he decided to get more involved in the community and quickly discovered several of the benefits from doing that. I had a similar experience, attending DEFCON in the early 2000s. I wouldn't attend another security conference until 10 years later.

There are a lot of benefits to getting involved in the infosec community. You get to contribute and make the community a little better. You get to meet some awesome people. You will have more job opportunities open up. Community engagement shows initiative and allows you to meet people looking to fill roles.

In this episode we discuss:

  • How to meet people

  • What are some of things to watch out for in the community

  • Other resources available for getting invovled

More resources:

How to join the infosec community - part 1

In this inclusive episode of the Exploring Information Security podcast, Micah Hoffman, a certified SANS instructor, joins me to discuss how to join the infosec community.

Micah (@WebBreacher) gave a talk at BSides DC last year on joining the infosec community. For Micah it took him a while to get involved. He jumped right into the deep end by going to DEFCON. Several years later he decided to get more involved in the community and quickly discovered several of the benefits from doing that. I had a similar experience, attending DEFCON in the early 2000s. I wouldn't attend another security conference until 10 years later.

There are a lot of benefits to getting involved in the infosec community. You get to contribute and make the community a little better. You get to meet some awesome people. You will have more job opportunities open up. Community engagement shows initiative and allows you to meet people looking to fill roles.

In this episode we discuss:

  • How Micah got into the community

  • What is the infosec community?

  • Why it's important to get involved

  • Where can someone get involved?

More resources:

What does Jayson E. Street, Dave Chronister, Johnny Xmas, April Wright, and Ben Brown think about security?

In this epic episode of the Exploring Information Security podcast Jayson E. Street (@jaysonstreet), Dave Chronister (@bagomojo), Johnny Xmas (@J0hnnyXm4s), April Wright (@aprilwright), Ben Brown (@ajnachakra), and surprise guests Adrian Crenshaw (@irongeek_adc) and Kevin Johnson (@secureideas)all join me to discuss various security related topics.

ShowMeCon is one of my favorite security conferences. The organizers are awesome and take care of their speakers like no other conference. The venue is fantastic. The content is mind blowing. I can't say enough good things about the even that Dave and Renee Chronister put on every year in St. Louis, Missouri. They know how to put on a conference.

Regular listeners of the podcast will note that I recorded an episode with Dave on ShowMeCon several weeks ago. After that recording he asked if I was interested in doing a recording at the conference. I said yes and thus the birth of this epic episode. This format is experimental. First, it is marked as explicit, because there is swearing. Second, It's over 90 minutes long. I didn't think breaking it up into four or five pieces would serve the recording well. Send me your feedback good or bad on this episode, because I'd like to do more of these. I would really like to hear it for this episode.

In this episode we discuss:

  • Certificates
  • Hiring
  • Interviewing
  • Where to get started
  • Soft skills
  • ShowMeCon and other conferences
  • Community and giving back
  • Imposter syndrome
  • Irongeeks impact on those in attendance

What is malware analysis - part 2

In this analyzed episode of the Exploring Information Security podcast, Daniel Ebbutt joins me to discuss malware analysis.

Daniel (@notdanielebbutt) is a malware analyst at a fortune 500 company. I recently caught up with Daniel at Converge and BSides Detroit. We had a great conversation about malware analysis. Talking about the topic with him you can tell he is very passionate and excited about the subject. Which is why I decided to have him on the podcast for a little chat.

In this episode we discuss:

  • What types of anti-malware Daniel has seen
  • How to perform malware analysis
  • What skills are useful for malware analysis
  • What resources are available

More resources:

What is malware analysis - part 1

In this analyzed episode of the Exploring Information Security podcast, Daniel Ebbutt joins me to discuss malware analysis.

Daniel (@notdanielebbutt) is a malware analyst at a fortune 500 company. I recently caught up with Daniel at Converge and BSides Detroit. We had a great conversation about malware analysis. Talking about the topic with him you can tell he is very passionate and excited about the subject. Which is why I decided to have him on the podcast for a little chat.

In this episode we discuss:

  • What is malware analysis
  • How to get malware
  • How to handle malware
  • What the different classes of malware are

More resources:

Why social skills are important - part 3

In this final part of a three-part series of the Exploring Information Security podcast, Johnny Xmas joins me to discuss why social skills are important.

Johnny (@J0hnnyXm4s) has presented talks and performed training on the topic of social skills at various conferences. He told me it's the topic he gets the most feedback on from people in attendance. I was first introduced to one of Johnny's talks at BSides Nashville 2015. He was presenting on networking with people at conferences. Which I immediately identified with. I was there shooting pictures, because it was an easy way to meet people at conferences.

Social skills are important in organizations, because it allows us to build better relationships with people to improve security. It's a topic that Johnny can talk about for hours (as evident by this three-part series).

In this episode we discuss:

  • Why it's important to never eat alone
  • How to improve your social skills
  • How to start a conversation
  • Why it's important to practice

More resources:

Why social skills are important - part 2

In this second part to a three-part series of the Exploring Information Security podcast, Johnny Xmas joins me to discuss why social skills are important.

Johnny (@J0hnnyXm4s) has presented talks and performed training on the topic of social skills at various conferences. He told me it's the topic he gets the most feedback on from people in attendance. I was first introduced to one of Johnny's talks at BSides Nashville 2015. He was presenting on networking with people at conferences. Which I immediately identified with. I was there shooting pictures, because it was an easy way to meet people at conferences.

Social skills are important in organizations, because it allows us to build better relationships with people to improve security. It's a topic that Johnny can talk about for hours (as evident by this three-part series).

In this episode we discuss:

  • Why it's important to never eat alone
  • How to improve your social skills
  • How to start a conversation
  • Why it's important to practice

More resources:

Why social skills are important - part 1

In this start to a three-part series of the Exploring Information Security podcast, Johnny Xmas joins me to discuss why social skills are important.

Johnny (@J0hnnyXm4s) has presented talks and performed training on the topic of social skills at various conferences. He told me it's the topic he gets the most feedback on from people in attendance. I was first introduced to one of Johnny's talks at BSides Nashville 2015. He was presenting on networking with people at conferences. Which I immediately identified with. I was there shooting pictures, because it was an easy way to meet people at conferences.

Social skills are important in organizations, because it allows us to build better relationships with people to improve security. It's a topic that Johnny can talk about for hours (as evident by this three-part series).

In this episode we discuss:

  • What are social skills
  • Why they're important
  • How it relates to social engineering
  • How to interact with someone in a conversation

More resources:

How to pick a lock

In this picky edition of the Exploring Information Security podcast, Adrian Crenshaw joins me to discuss lockpicking and how to pick a lock.

Adrian (@Irongeek_adc) contributes a lot to the infosec community. He's at a lot of different conferences around the country. When he attends dinners at those conferences you can usually see him carrying around a big chain of locks and a monster wallet of lock picks. I've learned to pick locks with Adrian at a few of these dinners and thought it would make a good topic for the podcast.

In this episode we discuss:

  • How to lock pick
  • What are Bogota picks
  • How video games are bad for lockpicking
  • What is lock bumping
  • What happens when you bring lock picks on a plane

Resources:

How to get a DerbyCon ticket

In this scavenger edition of the Exploring Information Security podcast, I provide tips on getting a ticket to DerbyCon.

DerbyCon tickets went on sale May 6, 2017. Two minutes before the official release time, tickets were already sold out. This led to some controversy surrounding the release of tickets five minutes before. This was something that the conference has done for years. Last year the conference sold out in hours. This year it became a problem. There is still plenty of time to secure a ticket. Here are some ways to do that (h/t @PyroTek3).

DerbyCon Twitter account: DerbyCon plans to release more tickets in smaller batches. Watch their Twitter account for more information.

Watch Twitter: Plans change. People will be selling tickets leading up to the conference. Expect an increase in people looking to sell their tickets the month before the conference. I would also recommend paying attention for when speaker notifications go out. Usually around early August.

Submit a talk: The year I began speaking, I got accepted to speak at DerbyCon. The conference prefers new talks and loves new speakers. If you have an idea go for it. You never know. 

Volunteer: It takes a lot of people to run a conference. Volunteers get a free ticket to the con. You will have to work the conference. Which also may result in making some new friends and connections.

Sponsor the conference: DerbyCon is still looking for sponsors. Included in the sponsor package are tickets to the con.

Contests: Keep a look out for contests involving tickets. For example the Brakeing Down Security podcast is putting on a CTF for DerbyCon tickets. 

What is hardware hacking?

In this bulb edition of the Exploring Information Security podcast, Price McDonald Director of Colafire Labs joins me to discuss hardware hacking.

Price (@pricemcdonald) recently gave a hardware hacking talk at BSides Indy. Which I had the pleasure to attend. I was fascinated by the content he provided for the talk and decided to have him on. Hardware hacking is not something we see too much, but it is out there. It's used in physical penetration tests and for other learning opportunities. Listening to Price you can tell he has a strong interest in the topic.

In this episode we discuss:

  • What is hardware hacking?
  • What hardware can be hacked?
  • Where hardware hacking applies?
  • How to get started in hardware hacking

Resources:

What is threat intelligence? - Part 2

In this smart episode of the Exploring Information Security podcast, Rob Gresham formerly of McAfee joins me to explain threat intelligence.

Rob (@rwgresham) previously served as a practice lead in McAfee's security operations. I had the opportunity to meet Rob in person. He is deeply involved in the many things information security related in South Carolina. Including the National Guard and Palmetto Cyber Defense Competition. Threat intelligence is a topic he thoroughly enjoys discussing. Which is why this topic will be a two parter.

In this episode we discuss:

  • What is threat intelligence
  • How threat intelligence is useful
  • What are the benefits of threat intelligence
  • What needs to be done before threat intelligence

Resources:

What is threat intelligence? - Part 1

In this smart episode of the Exploring Information Security podcast, Rob Gresham formerly of McAfee joins me to explain threat intelligence.

Rob (@rwgresham) previously served as a practice lead in McAfee's security operations. I had the opportunity to meet Rob in person. He is deeply involved in the many things information security related in South Carolina. Including the National Guard and Palmetto Cyber Defense Competition. Threat intelligence is a topic he thoroughly enjoys discussing. Which is why this topic will be a two parter.

In this episode we discuss:

  • What is threat intelligence
  • How threat intelligence is useful
  • What are the benefits of threat intelligence
  • What needs to be done before threat intelligence

Resources:

How Macs get Malware

In this installed episode of the Exploring Information Security podcast, Wes Widner joins me to discuss how Macs get malware.

Wes (@kai5263499) spoke about this topic at BSides Hunstville this year. I was fascinated by it and decided to invite Wes on. Mac malware is a bit of an interest for Wes. He's done a lot of research on it. His talk walks through the history of malware on Macs. For Apple fan boys, Macs are still one of the more safer options in the personal computer market. That is changing though. Macs because of their increased market share are getting targeted more and more. We discuss some pretty nifty tools that will help with fending off that nasty malware. Little Snitch is one of those tools. Some malware actively avoids the application. Tune in for some more useful information.

In this episode we discuss:

  • How Macs get malware
  • What got Wes into Mac malware
  • The history of Mac malware
  • What people can do to protect against Mac Malware

More resources:

What is ShowMeCon?

In this show me episode of the Exploring Information Security podcast, Dave Chronister managing partner at Parameter Security (@ParameterHacker) and organizer discuss ShowMeCon.

I can't say enough good things about Dave (@bagomojo). Last year was my first opportunity to attendee and speak at ShowMeCon (@ShowMeConSTL). He and the organizers did a tremendous job taking care of the speakers and attendees. There was great content, activities, food, parties, and the venue was top notch. This is one of the most well run and classiest conferences I've had the opportunity to attendee. I am excited to have the opportunity to speak again at the conference.

The conference has a different feel than other security conferences. It has more of a business feel. Which is a nice change of pace. This gives businesses in St. Louis an opportunity to tap into the vast knowledge of infosec community. It gives speakers of the infosec community an opportunity to show businesses how deep the infosec rabbit hole goes. I highly recommend (and often do) this conference to everyone in IT security.

ShowMeCon is June 8 and 9, 2017, at the Ameristar Casino and Resort. Tickets are available until May 15, 2017.

Other Details:

If you need to contact the organizers of ShowMeCon their phone number is 314-442-0472. If you would like to volunteer send an email to info[@]showmecon[.]com

In this episode we discussed:

  • What is ShowMeCon
  • How the conference got started
  • Who should attend ShowMeCon
  • What can attendees expect
  • A Saturday morning cartoon party

What is the OSINT Framework?

In this knowledge filled episode of the Exploring Information Security podcast, Justin Nordine joins me to discuss the OSINT Framework.

Justin (@jnordine) is the creator of the OSINT Framework. The page is a spider web of tools and other OSINT resources that you can get lost in for days. It's a fabulous tool for those just getting in or those who use OSINT on a daily basis. He created it as a way to keep up with all the OSINT resources out there.

In this episode we discuss

  • How he got started in OSINT
  • What is the OSINT Framework?
  • How should the framework be used?
  • What he has in store for future iterations

What is the internet of things?

In this excessive episode of the Exploring Information Security podcast, Ed Rojas joins me to discuss the Internet of Things (IoT).

Ed (@EdgarR0jas) has recently switched roles. In that role he's researching the internet of things. The internet of things is everywhere and it's starting to become an issue for the security community. From baby monitors to IP cameras to fridges, everything in the home is becoming connected. The issue comes in with the security being embedded in these device. There isn't any and it's allowing malicious people to create massive bot armies for distributed denial of services (DDoS). It's a tough problem to solve. Luckily, Ed is on the case.

In this episode we discuss:

  • What is the internet of things?
  • Why is an IoT an issue?
  • What should organizations be worried about?
  • What are the dangers of IoT?

More resources: