
Archive for May, 2009

One of the main reasons I love information security is that there’s always something new to learn, or re-learn. I got started around 2001 when, working as a systems manager with a db full of SSNs, I realized I needed to know more about breaking into my systems if I was going to defend them. This led to some serious SANS Institute training, earning my CISSP cert, and having a great time swimming in a sea of knowledge!

So what do I do to keep up? I read and re-read the monthly ISSA journals, Secure Computing magazine, Information Security magazine, and the ISC2.org Journal of Information Security. I joined ISACA earlier this year, so am adding their publications to my nightstand. There are various and sundry email subscriptions like SearchSecurity, TechTarget, and Shadowserver. The Association for Computing Machinery journal arrives quarterly.

As part of my ongoing gap-analysis and searching for a new safe harbor, I work on learning more about my profession and focus on certain elements in it.  Among them:

Books I’ve been reading:

The first book is by Fyodor himself, so I had to give it a read and use it as a desktop reference. The second is by Ed Skoudis & Tom Liston; I’d read it a few years ago, but turn to it for refreshers.

Then there are blogs! Some of my favorites are:

I think if I don’t make time to keep reading and doing, I’ll fall behind – our industry is still young and growing fast as the threat horizons expand. It’s hard to keep up, but I’m tryin’…

Peace y’all.


I was quite fortunate to attend this year’s RSA Conference. I applied for, and was awarded, one of the 24 ISC2.org scholarships to attend, so with that support, it was off to San Francisco for the week.

Like my last two years at RSA, what a fabulous experience it is! If you aren’t a good networker though, it can be intimidating; the size of Moscone Center and the scope of it all are a bit of a head-rush.

I spent my time mostly between the Professional Development and Hacker Techniques sessions, with some time at the Innovation Sandbox, Crypto Commons and Peer2Peer sessions.

At the Innovation Sandbox, I ran into Dr. Hugh Thompson before his whiteboard session. Hugh has opened the closing keynotes the past few years with his hilarious and informative ‘The Hugh Thompson Show’. After the IS presentations by innovative new companies, I saw him again and chatted him up. We agreed to get together later in the week and cognate together, visit, hang, etc. Hugh was very gracious and gave me an hour of his time, sharing career growth insights, humorous anecdotes, and some ‘wisdom of the ages’. We also LinkedIn.

I also ran into some of the local Seattle area security folks, which was cool, including David Matthews (City of Seattle), Frank Simorjay (Microsoft), and Dan Kaminsky from IOActive.

My favorite session presentation was Ed Skoudis and Johannes Ullrich’s ‘The Seven Most Dangerous New Attack Techniques, and What’s Coming Next’: Pass-the-Hash, Super-flexible Pivoting, Wireless from compromised client into corporate, Problems with SSL, and VoIP systems, among others. I can’t wait to listen to the session recordings because it was SRO in the room and hard to take notes from the balcony…

I ran into Ed again at the CodeBreakers Bash and we chatted for a bit. He’s always very approachable and open. In 2004, I took his Incident Handling and Hacker Techniques course from the SANS Institute and loved it.

I spent some good time cruising the vast and crowded exhibition floor during lunchtime. The swag was tempting, but too much to tote back, so ‘travel lightly’ is always good advice at trade shows… I did visit with some nice recruiters and focused a bit on GRC software vendors.

The first full day of the conference, it was 93 degrees Fahrenheit outside! To quote from ‘Young Frankenstein’, that’s ‘Abby-Normal’ for S.F. in April.

Some have said that this year, RSA lacked sustenance. I enjoyed it though. The opening keynotes were a bit humdrum compared to past years, except for the Cryptographers Panel and Lieutenant General Keith B. Alexander from the NSA. Melissa Hathaway on Wednesday looked at her notes and talked to us like we were members of the Press Corps – the general reaction I heard was like, ‘Lady, we’re smart security geeks, not journalists. We don’t need to know that the Administration has been planning to do stuff, just tell US what it is!’ Yawners.

James Bamford’s talk on the NSA was very good.

The opening number rocked!

NB – open the keynote webcast page, then select Opening Ceremony, View Video Webcast, Opening Ceremony Performance.


It’s been a while since I wrote last… been busy with business and always climbing some new slope on the InfoSec Learning Curve. In the meantime, I’ve been doing some personal gap analysis and working to fill in the blanks as I find them, with help from other folks!

I attended SecureWorld in Seattle last October and have been enjoying the monthly ISSA meetings of the Puget Sound chapter. I feel very fortunate to have met some incredibly talented people at these, including Russ McRee and Joel Scambray. Shouts-out to these folks, Deanna Locke and Ravila Helen White for helping me re-orient my internal compass! I’ve also been attending the Agora meetings held quarterly on the University of Washington campus and organized by the UW CISO, Kirk Bailey. These colloquia are fabulous and bring together a few hundred local/regional infosec folks for a half-day of presentations and serious networking.

Stuff being studied – ISO 27001 and 27002 along with COBIT 4.1 as my interest in IT GRC grows.

Later…
