
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration
Photo by Hunters Race on Unsplash

Management is a shift in mindset

April 23, 2019

If you ever go into management in the infosec field (or really any field) get ready for a huge shift in mindset.

Finishing the Exploring Information Security podcasts was a great decision for me. I would love to still be doing it; however, it’s just not valuable for me as a manager right now. I am no longer thinking about the latest happenings in infosec. I am still paying attention to what’s going on. It’s just that my performance is largely reliant on the people that report to me. That means managing workloads, removing blockers, providing feedback, making decisions, and tracking metrics.

It’s been a shift for me, even though I knew it was coming. I have to delegate or else I get too caught up in the day-to-day operations. It’s not efficient for me as a manager. I’ve seen others get promoted into management and struggle, largely because they still wanted to do the technical things and get paid as a manager. That’s just not possible based on the role. I’ve always wanted to go into management. I find the challenge in figuring out how to get the most out of the people that report to me. How do you make someone as productive as possible?

Oh, it’s also about politics. If you can’t “play” the political game you will struggle as a manager. Getting things done as security professionals requires building relationships with other departments. We in security have a big stick. Using that stick to get things done has the effect of making people not like you. Instead I like to build relationships using the techniques of social engineering. It’s much more effective and people tend to like you afterwards.

A resource that helped me prepare for a management role is Manager Tools. It’s a great tool for figuring out how to be an effective manager. They’ve been around for several years with lots of topics to dive into. Even if you’re not interested in management they have the Career Tools podcast, which focuses on career advice. There’s resume writing, interviewing, how to ask for a raise, and much more. The hosts are very direct and to the point, which will rub some people the wrong way. They have data to back up their recommendations, though. I can confirm that using their techniques has helped me shift into management and become a better professional. The most beneficial has been their guidance on how to write a resume and how to interview.

Prior to listening to the Career Tools podcast, I struggled with writing resumes and interviewing. This despite going to seminars and reading books on how to do both. At one point it took me 15 months to find a new opportunity. After listening to the podcast I increased my job offers dramatically and eventually found my current opportunity, which I hope to retire from.

I’m hoping to document my experiences in future blog posts. While I’m not as focused on the technical infosec things, maybe I can contribute on the career advice side of things.

This blog post first appeared on Exploring Information Security.

In Experiences Tags Career, Resources

Application Security resources for beginners

October 29, 2018

This is a continuation of my resource series of posts. Application security is the field I found a lot of interest in. This despite coming from the operations side of IT, not development. Using the resources below I was able to get a job in application security.

Websites:

  • Troy Hunt

  • Open Web Application Security Project

I first realized I had an interest in appsec after reading a Troy Hunt post. Not only were things explained well, but I was also paying attention to every word in his blog posts. He has since branched out to more breach-related content as the creator and maintainer of Have I Been Pwned. Still, he has a lot of good appsec content. He has several courses on Pluralsight for beginners and up. He also does a weekly podcast that’s worth checking out.

The Open Web Application Security Project (OWASP) is the go-to resource for AppSec. It’s a massive non-profit organization that has tons of projects, knowledge bases, cheat sheets, and more. There might even be a local OWASP chapter near you. There are annual conferences to attend (I’ve never been). It’s the resource I recommend for people starting out.

Podcasts:

  • DevelopSec

  • Application Security Podcast

James Jardine puts on the DevelopSec podcast. The podcast is targeted at developers. It’s also consumable by security people. This podcast doesn’t release on a regular schedule. The Application Security podcast is also targeted at developers. It releases in seasons.

Training:

  • SANS SEC542

  • PWAPT

The first bit of AppSec training I got was the SANS SEC542 Web Application Penetration Testing and Ethical Hacking course. It’s a lot of AppSec information, concluding with a Capture The Flag (CTF) exercise. I’d try to get your organization to pay for this, as it costs several thousand dollars.

The Practical Web Application Penetration Testing course is a Tim Tomes course. He’s a former SANS instructor who puts on this training several times throughout the year in public and for organizations. It’s a great affordable course that Tim tries to keep up to date with relevant information.

This blog post first appeared on Exploring Information Security.

In Technology Tags appsec, Resources, infosec, training, Have I Been Pwned

OSINT resources for beginners

October 22, 2018

I know what you’re thinking, “not another resource for OSINT.” This post is more focused on helping people just getting started with open source intelligence (OSINT).

This is the second of several resource posts I’d like to do that point people to some getting started resources. This is not meant to be an exhaustive list. Instead I’d like to highlight some of the resources I have found useful and use on a regular basis. This is meant more as a gateway into the deep field of OSINT.

Websites:

  • Google

  • IntelTechniques

  • OSINT Framework

Google is the primary tool I use for doing searches. Learning how to Google Dork is one of the most useful skills to have in security, not just OSINT. IntelTechniques has a lot of useful tools for doing specific searches. OSINT Framework has over 1200 tools available for OSINT. Plenty of opportunity to fall into rabbit holes.

People:

  • Josh Huff

  • Tazz

  • Micah Hoffman

  • Justin Nordine

  • Kirbstr

These are all people I’ve interacted with regularly or had on the podcast previously to talk about OSINT and threat intelligence.

Training:

  • SANS SEC487

  • Social Engineer - Advanced OSINT

  • Justin Nordine’s course

I took SANS SEC487 earlier this year and it is exhaustive. Lots of information, tools, and methodology in the course. I also recently took Social Engineer’s Advanced OSINT course at DerbyCon. It’s a shorter and much more focused course. It provides opportunities to play with certain techniques (Google Dorking) and tools (Maltego). Recently, Justin told me he was doing an OSINT course. Follow him on Twitter (above) to keep up with dates and links.

Podcasts:

  • OSINT on Exploring Information Security

I think this is the easiest way to capture all the podcast content. Plus, it keeps this blog post a little shorter and more streamlined. I don’t want this to be a super long post. The links I’ve provided in this post will lead you to other resources, tools, and ideas in OSINT.

How to get started with OSINT

Something to think about is use cases. Penetration testers use OSINT for assessing an organization’s security aptitude. Investigators use it to track down people and companies. Incident responders use it to track malicious domains. Threat hunters use it to identify threats and risks to an organization. Those are some of the things I’ve used OSINT for while working on a blue team. I’ve heard of use cases for police, insurance companies, and organizations looking to make acquisitions.

Methodology is also really important. It’s what keeps us from jumping too far down a rabbit hole. Dutch OSINT Guy has a good post on methodology. It’ll take practice and experience, so really just go do it and learn.

This blog post first appeared on Exploring Information Security.

In Technology Tags OSINT, Resources
BSides Nashville 2018

Information Security resources for beginners

October 16, 2018

I wrote a recommended resources post back in early 2017. I’d like to update that, as the resources I recommend have changed. I try not to think of my podcast as something for new people to the infosec field. However, the people reaching out to me the most are people who are new to the field. So, I’ve given in and I want to start creating a series of posts directed at new people or those trying to get into the industry. These posts are meant as a gateway, not an exhaustive list.

These are the resources I find the most useful. Without further ado.

Websites:

  • Krebs on Security

  • CSO Online - Steve Ragan

Krebs is considered the public Intrusion Detection System (IDS) for companies. If you’re getting a call from him, it’s probably not good. He covers various topics, primarily around breaches, skimmers, and unmasking malicious actors. I’m friends with Steve. He reports on a variety of infosec-related topics. When something breaks on Twitter he’s one of the first people I check to get accurate information.

Podcasts:

  • Risky Business

  • Security Weekly

  • Peerlyst list of podcasts

Risky Business is the best security podcast out there. It’s the podcast with the best content and quality. The podcast allows me to stay up with the latest infosec news. He’s got sponsored (gotta pay dem bills) podcasts that are just as useful. Security Weekly was the first podcast I listened to. It’s great for getting information and gaining an understanding of the hacker culture. After a while, for me, it turned into a bit of a boys club where they go off on tangents and genital jokes. Episodes are usually two hours long, which sucks up a lot of podcast listening time. Finally, there’s the Peerlyst list of podcasts. It has an exhaustive list of infosec-related podcasts.

Conferences and local user groups:

  • BSides

  • Meetup.com

Conferences and local user groups are a great place to learn, while also meeting people in the field. The security community is inclusive and welcoming if you put yourself out there. That means doing that awkward social thing. There is very likely a BSides near you. Most local user groups can be found on meetup.

Training:

  • Irongeek

  • Pluralsight

  • SANS SEC401

Information security is an ever-changing field. To stay relevant in the field requires curiosity and a willingness to learn new things. Before getting to that point, we need to learn the basics. Irongeek and Pluralsight help with the basics and staying up-to-date. SANS SEC401 is a general course that will provide a good foundation for any security professional. I thought I was above the course, as I was taking it three years into my infosec career (and several more in IT). I was so wrong. The course helped fill in a lot of gaps for me from a security and IT perspective. I highly recommend the course for beginners and those already in the field.

This blog post first appeared on Exploring Information Security.

In Technology Tags infosec, Resources, SANS, Training, websites, podcast
CircleCityCon 2015

Recommended resources for information security

February 20, 2017

“What are some good materials you would recommend on InfoSec?” -Kenneth Reavis

This is such a great question and one I thought worth a post. My short answer is podcasts, blogs, and videos. These are what I use to help improve and stay relevant in the information security field. I listen to podcasts on my ride into work. I read Feedly to stay up with news events and people in the industry. I watch YouTube and Pluralsight when I need to pick up a complicated concept or technical topic.

Podcasts

I love podcasts. I love them so much that I produce my own. Security Weekly is the first podcast I started to listen to when I got in the field. Each episode contains a news, interview, and demo segment. I found the interview segment to be the most useful. This is a good first podcast to start with. The show has been around for years. It has a lot of good content and it’s a good crash course to the hacker culture of the field.

Risky Business is the best podcast in the infosec field. The production quality and content are top notch. The show starts with a news segment. That leads into two interview segments. The first usually deals with a current topic being discussed in the field. The other is a sponsor interview, which is usually just as useful as the other interview. The show is usually 50-65 minutes long.

Peerlyst has a long list of podcasts. Look for a few that are of interest. Give the podcast about three episodes before making a decision. Podcasters do sometimes have “off” shows. Here are some of the other podcasts with good content.

  • Down the Security Rabbit Hole - Leadership and business

  • Defensive Security podcast - Blue team focused

  • Data Driven Security - Data scientist focused

  • DevelopSec - Application security focused

On my ride home I listen to hobby and interest focused podcasts. I found that when I listened to infosec podcasts both ways I started to get burned out on podcasts. I now listen to infosec or business-related podcasts on my drive in. This helps me get focused. On the ride home I listen to hobby podcasts. This helps me transition from work to home much more easily.

My last recommendation is to pick up podcasts that don’t have an infosec lean but focus on improving the self. I listen to both Manager and Career Tools for business etiquette guidance. I also listen to the Art of Charm for relationship building and self-improvement guidance. Both have helped tremendously in my day-to-day interactions at work.

Blogs

I use Feedly to collect RSS feeds from the sites and blogs I have an interest in. I follow Ars Technica for news. Their articles are both informative and usually a quick read. I also follow Steve Ragan at CSO for news.

I work in the application security field. Troy Hunt is one of the bigger names in the field that produces content regularly. He also runs Have I Been Pwned which is a very useful tool for incidents involving a breach.

Brian Krebs is the man when it comes to reporting on breaches and criminal activities involving digital technology and ATMs.

Bruce Schneier is one of the top names in the cryptography and encryption field. He also tends to focus on the bigger picture and ramifications of security in society.

I add and prune my feed pretty regularly. If I get too far behind on my feed I’ll look to simplify it and get rid of the blogs. I look for blogs that aren’t providing as much value or report on stories I see from other feeds.

Get an RSS reader setup (it doesn’t have to be Feedly). Start adding to it and adjust if necessary. Feeds are also good for keeping up with alerts and vulnerability databases.

Video

I am a visual learner. The two resources I use extensively are YouTube and Pluralsight. I add a lot of conference talks to my Watch Later list. That list has 48 videos as of this writing. I don’t get on YouTube as much as I would like, but it’s still a useful tool for research. And every once in a while I'll create a playlist. It’s a valuable resource for better understanding a technology or infosec technique. Pluralsight requires a subscription. The content is top notch and provides a more in-depth look at technology or security topics. It's $300 a year. I've had my place of employment pay for it the last few years. It's usually an easy sell.

Conclusion

Those are the resources I use on a daily basis to learn and keep up with information security. There are a lot of other great resources out there. I just haven't found them or don't get as much value out of them. There are a lot of great digital forensics and incident response resources. I just don't work in that field. Find what gives the most value. If it's giving very little, ditch it.

Blogs allow me to keep up with daily news and read interesting new content. I have several hobby feeds set up in there so I get a nice mix throughout the day (I sometimes need a break from infosec). I listen to podcasts almost daily. There are general podcasts and more focused podcasts. Some have varying degrees of quality, but most have really good content. Finally, videos provide a visual opportunity to learn and research topics. I don’t use these on a daily basis. Instead I use them when I need to dig deeper into a topic.

There are a lot of great resources out there. Ask around. Find what type of medium you prefer and fits best into your lifestyle. Try something. If it provides value, great! If not, get rid of it. I just realized I didn't even touch on boxes. I may save that for another post.

This post first appeared on Exploring Information Security.

In Media Tags infosec, podcasts, videos, YouTube, Pluralsight, blogs, Resources, career