Tag Archives: career

Booth Babe Shame

Yesterday on Twitter I came across the following in my feed:

Screenshot 2016-06-23 13.46.05

I was horrified and angry, responding with the following:

Screenshot 2016-06-23 14.05.41

I also posted something similar on LinkedIn, Facebook and Google+. I never heard from the vendor, but I did hear back from some pretty offended men and women, both technologists and non-technologists.

Screenshot 2016-06-23 14.15.34

Why are we still having this conversation? Why would ANY vendor think it’s appropriate to make the staff at a technical conference dress like employees at Hooters?

There’s a bitter irony in reading article after article about improving the diversity in STEM fields and then seeing this. I’m getting pretty tired of feeling like a second class citizen in this industry. I’d like to be able to go to a conference and know that I’ll be treated with the respect due a senior-level technologist, not minimized because I happen to have a uterus. Clearly, I’m not the only person who feels this kind of behavior is no longer acceptable and shouldn’t be tolerated. I encourage anyone equally appalled to call out the vendor in question. If we can’t appeal to their morals, maybe they’ll think twice if it impacts their bottom line.

UPDATE: I’ve been corrected regarding the venue. This event took place at a Vegas night club, but I’m STILL offended. I don’t see any Booth Bros. Why did this vendor feel the need to have women promote their product this way?

UPDATE 6/28: Looks like people at Nutanix are embarrassed, but I’m not sure if this will actually translate to any awareness on their part.

“In a blog post Friday, Julie O’Brien, vice president of corporate marketing at Nutanix, apologized for the stunt while also offering an explanation of what went wrong.”

This was in my feed this morning: Nutanix CMO After Risque Conference Stunt: I Will Resign If It Happens Again.


Fixing a Security Program

I’m still unsettled by how many security programs are so fundamentally broken. Even those managed and staffed by people with impressive credentials. But when I talk to some of these individuals, I discover the key issue. Many seem to think the root cause is bad tools. This is like believing the only thing keeping you from writing the Next Great American novel is that you don’t have John Steinbeck’s pen or Dorothy Parker’s typewriter.

In reality, most of the problems found in security programs are caused by inferior processes, inadequate policies, non-existent documentation and insufficient standards. If buying the best tools actually fixed security problems, wouldn’t we already be done? The truth is that too many people employed in this field are in love with the mystique of security work. They don’t understand the business side, the drudgery, the grunt work necessary to build a successful program.

For those people, here’s my simple guide. I’ve broken it down to the following essential tasks:

  1. Find your crap. Everything. Inventory and categorize your organization’s physical and digital assets according to risk. If you don’t have classification standards, then you must create them.
  2. Document your crap. Build run books. Make sure you have diagrams of networks and distributed applications. Create procedure documents such as IR plans. Establish SLOs and KPIs. Create policies and procedures governing the management of your digital assets.
  3. Assess your crap. Examine current state, identify any issues with the deployment or limitations with the product(s). Determine the actual requirements and analyze whether or not the tool actually meets the organization’s needs. This step can be interesting or depressing, depending upon whether or not you’re responsible for the next step.
  4. Fix your crap. Make changes to follow “best practices.” Work with vendors to understand the level of effort involved in configuring their products to better meet your needs. The temptation will be to replace the broken tools, but these aren’t $5 screwdrivers. Your organization made a significant investment of time and money, and if you want to skip this step by replacing a tool, be prepared to provide facts and figures to back up your recommendation. Only after you’ve done this can you go to step 6.
  5. Monitor your crap. If someone else knows your crap is down or compromised before you do, then you’ve failed. The goal isn’t to be the Oracle of Delphi or some fully omniscient being, but simply more proactive. And you don’t need to have all the logs. Identify the logs that are critical and relevant and start there: Active Directory, firewalls, VPN, IDS/IPS.
  6. Replace the crap that doesn’t work. But don’t make the same mistakes. Identify requirements, design the solution carefully, build out a test environment. Make sure to involve necessary stakeholders. And don’t waste time arguing about frameworks, just use an organized method and document what you do.

Now you have the foundation of any decent information security program. This process isn’t easy and it’s definitely not very sexy. But it will be more effective for your organization than installing new tools every 12 months.


Security Training for Cheapskates

During a recent webinar I gave, someone asked how soon I would be doing another one. I was flattered, but responded that because of a full-time job as an architect, my time was limited. “Besides,” I said, “you don’t need to wait for me, there’s plenty of free or inexpensive security training available online.”

Security professionals love to share and show off what they’ve learned. Some of us crave the warm fuzzy of helping our colleagues, while others do it to demonstrate their wicked skills or build their resume. Regardless of the motivation, that means there’s always abundant content to help you learn and grow.

Here’s a list of useful sites that I’ll try to keep updated. If you know of others and would like to contribute or if you think the training is outdated or bad, please let me know and I’ll adjust the list accordingly.

Securitytube.net – a project of security researcher Vivek Ramachandran.

Hak5.org – Online security show produced by Darren Kitchen (of Pineapple WiFi router fame) and a collection of nerds who demo security tools and hacks. Includes Metasploit Minute with the awesome @Mubix.

OWASP – The Open Web Application Security Project has lots of “how to” guides and videos.

Offensive Security’s Vimeo Channel

Metasploit Unleashed – made for Hackers for Charity, an ethical hacking course provided free of charge to the InfoSec community in an effort to raise funds and awareness for underprivileged children in East Africa.

Georgia Weidman: Bulb Security – creator of the Smartphone Pentest Framework, researcher and author of Penetration Testing: A Hands-on Introduction to Hacking. She offers inexpensive online training in pentesting.

Adrian Crenshaw’s site, Irongeek, with conference and training videos.

Official Black Hat Conference YouTube Channel

DEF CON YouTube Channel

Chaos Communication Congress videos

OpenSecurityTraining.info – Creative Commons licensed security training site.

Cyber Kung Fu for the Eight (8) Domains of CISSP – Training videos from Larry Greenblatt, a CISSP training guru.

Pentester Academy – video training site available for monthly or yearly subscription fee. Some free content.

Pentester Lab – Free online pentesting courses with practice images.

Penetration Testing Practice Lab – a mindmap of vulnerable applications and systems available for practicing pentesting.

ENISA (European Union Agency for Network and Information Security) incident handling training.

Carnegie Mellon University Software Engineering Institute (SEI) training – low-cost security training from a research, development and training center involved in computer software and network security.

Cybrary – free online IT and security training that grew out of a Kickstarter project.

Udemy, Coursera, edX and many universities offer MOOCs in computer science and information security. You can get a list from MOOC-Online.


No More Mrs. Nice Guy

Time To Reclaim My Bitch Status.

I’m exhausted. I’m tired of working in a field that’s become a veritable wasteland for women. And while everyone seems to be discussing the absence of women in STEM fields, it’s really “a tale told by an idiot, full of sound and fury, signifying nothing.”

I also know that even the men who care about this issue are on empathy overload. So where’s the disconnect? Why are we still stuck at the beginning of the conversation?

I think it’s because women have become classic enablers in a dysfunctional situation. Instead of standing our ground and demanding equal, gender-neutral treatment, we feel obligated to play by a different set of rules. We constantly work to gain approval, managing the discomfort of those around us by walking on eggshells, ultimately failing to realize that this behavior keeps us shackled to the past. Is anyone telling men to “Lean in?”

So go ahead and say it. I know you want to. BITCH. I’m not going to crumble and run into the ladies’ room. I’m not going to weep into my monitor. I’ve decided to wear that Bitch Label as a badge of honor. Because as Tina Fey said, “Bitches get stuff done.” So screw Sheryl Sandberg’s polite, Lean-In Army. If that’s what you need to call me in order to feel less threatened, both men and women, then do it. I’m prepared to own it.

Pix Plz from xkcd.com


Meetings: the First Horseman of the Apocalypse

While browsing the Interweb for daily threat intelligence this morning*, I found an interesting research paper, “Meetings and More Meetings: The Relationship Between Meeting Load and the Daily Well-Being of Employees.” Anyone with some amount of seniority in IT is familiar with the concept of “death by meeting,” so I was excited to find scientific research (!) confirming that meetings are the soul-sucking creation of Satan.

Meetings are an integral part of organizational life; however, few empirical studies have systematically examined the phenomenon and its effects on employees. By likening work meetings to interruptions and daily hassles, the authors proposed that meeting load (i.e., frequency and time spent) can affect employee well-being. For a period of 1 week, participants maintained daily work diaries of their meetings as well as daily self-reports of their well-being. Using hierarchical linear modeling analyses, the authors found a significant positive relationship between number of meetings attended and daily fatigue as well as subjective workload (i.e., more meetings were associated with increased feelings of fatigue and workload).

No shit, Dick Tracy. Every morning I check my calendar with trepidation, wondering how much of my day will be wasted watching pointless PowerPoint presentations, the “jazz hands” of the modern workplace. How often will I be forced to feign attention as leadership drones on about strategy? Then I realized that civilization will not be destroyed by weapons of mass destruction or global warming, but by meetings. As T.S. Eliot said,

This is the way the world ends
Not with a bang but a whimper.

It seems appropriate to end with an xkcd comic on the topic.

Meeting from xkcd.com

*Who am I kidding, I was watching silly videos like “The Running of the Pugs.” I blame Adobe Flash, not just for being insecure, but as the harbinger of time-wasting.
