Friday, December 23, 2011

InfoSecMentors @ BSides Byte Size

Just a quick note to tell our UK friends that the crew from BSides London is throwing a little meetup in Central London called BSides Byte Size! It's Saturday, January 7th, at a venue to-be-disclosed closer to the date. I'll be there as well, and I'll bring InfoSecMentors stickers to give out to anyone that attends!

From the BSides London website:

BSides Byte Size - The Acoustic Set

Saturday 7th January 2012

Venue - TBC (A Pub in London)


There are no invites, no sponsors, no projectors just you and beer. The Acoustic Set is a simple gathering of like minded people meeting, talking, listening, debating and drinking so come along and participate.

So what makes this acoustic? Anyone speaking is not provided with any electronic assistance. If you want to talk you need to go low-tech.

Who's speaking? We are going to have a few well known people come and speak but anyone can speak. Just turn up on the day.

Tell people you're coming on Twitter by using #BSidesByteSize.

No tickets or RSVP is required, but please join us on the event's profile and let everyone know that you're "interested" or "attending" and post comments.
So hopefully we'll see you there!

Happy Holidays!

Friday, September 16, 2011

InfoSecMentors @ BruCon 2011

Next week the InfoSecMentors team will be attending BruCon! We've been looking forward to this particular event all year because BruCon has been a valued supporter for the project. BruCon is a great conference not only because their slogan is "Hacking for Beer" but because they've captured that great balance between the black t-shirts and the suits. The trainings, presentations, and workshops are all very affordable (and a steal when you hear about the included after-party!) We're looking forward to learning a lot, meeting new friends, and drinking beer in amazing places.

This year, we're hosting a mentoring workshop on the second day. This workshop will tackle both sides of the mentoring relationship. For the mentees, we'll talk about ways to set yourself apart, how to efficiently do your homework, and what valuable benefits to expect from your mentorship. For the mentors, we'll go over different activity ideas, how to keep your mentee engaged, and the value mentors get out of the mentorship. After that, we'll put the question to the audience and try to define just what exactly counts as a successful mentoring relationship.

Our workshop panelists include David Rook (@securityninja), Chris Gates (@carnal0wnage), Wim Remes (@wimremes), and Marisa Fagan (@dewzi). We'll start at 19:30 Tuesday with a short presentation and open the floor for questions and experiences. Hope to see you there!

Tuesday, August 9, 2011


While The InfoSecMentors Project may be on a break until September, there are still plenty of conversations happening about mentoring! One blog post in particular has so correctly hit the nail on the head I wish I could copy and paste the whole thing! (But I won't. Remember kids, plagiarism is bad m'kay!)

This article comes from Ramit Sethi at (not a security-related blog, but couldn't hurt to read it) called "Why Successful People Don't Want To Mentor You." His take is that these days so few people actually put in the work to be a good mentee that it has left a bad taste in everyone's mouth about being a mentor. So it's not entirely your fault that it is so hard to find a good mentor. Fortunately, those that really do want to put in the effort will be part of a very short list that gets catapulted to the top. Ramit explains exactly how to do just a few hours of work before you approach your ideal mentor to guarantee they will jump at the opportunity to work with you.

From the article:
  • "Here is the 1-2-3 Choice Technique: “Hi Ramit, I love your book on blah blah. I noticed you said I should XYZ in chapter 5, and so I tried it. I’m stuck due to XYZ. So I’ve come up with 3 possible routes:
    • blah blah1
    • blah blah2
    • blah blah3

Which do you think I should do?

This will get almost a 100% response rate, since you have actually done the work in your head…plus all I have to do is tell you which is best. GOOD JOB."


I also thought the article had an interesting point about how as mentors we create these huge artificial barriers to intentionally make it difficult to contact us, perhaps without realizing it. Having your email address public may not be practical for other reasons, but at least consider making your LinkedIn profile public and be responsive there. And if you're a mentee, please be respectful of this direct access you have to the people in your industry. You may not realize it now but being "kooky," flakey, or lame is actually ruining it for the rest of us!

As part of the InfoSecMentors Project, I can vouch that everything in this article is true. The substantial majority of mentees are not doing the legwork, and so setting yourself apart is very doable (and totally worth it!) Look through past examples on this blog about the type of projects and jobs people get exposed to after they do the homework. Listen to the podcast at the end of Ramit's article for dozens more specific examples. Do this, and as Ramit said, "you will find people that LOVE helping other ambitious people who take action."

Good luck! (Not that you need it!)

Tuesday, May 3, 2011

Guest Post: Brandon Tansey "Practical Lessons"

Guest blogger Brandon Tansey is back this week to tell us about his experience as a mentee. He also has some suggestions for thing to do with your mentor, including setting up an at-home hacklab, and getting involved in the Security Community.

It's important to be clear that my last post isn't to say that practical lessons aren't great in a mentor/mentored relationship. My discussion with Marisa also included some thoughts I had on the practical aspects of working with a mentor. There were two main points I looked to get across: work with more than one mentee per mentor, and to focus on helping a mentee make the jump from methodology to practice.

As I mentioned, my experience with Dan began when he started giving presentations at the group on campus. After each meeting he would come back to my apartment and work more closely with people who were interested. The setup we have is great! We're fortunate enough to have a Poweredge 2650 humming away in our apartment. We use it to virtualize all sorts of targets and services (ex: PFSense) and to practice taking down some machines. We used a mix of standard virtualized desktops/servers and some premade target distributions (Damn Vulnerable Linux, Damn Vulnerable Webapp, Metasploitable, etc) to bang on. Our setup makes having people over to practice easy, but having a big, loud server isn't the only way to safely practice on live targets. A desktop virtualization program like VirtualBox can be just as good! Boot up a VM with Metasploitable (or whatever you'd like to attack) and you've already got your own mini-hacklab!

Some nights there were more people coming over than others, however there were two of us that made it week after week without fail. There was myself, and there was a junior networking major at Wentworth named Ian Abreu(@Ian_Abreu). Every week (and often in between) we'd meet up to work on something. Working as a trio was great; it allowed the dynamic to become less teacher/student like and more like a group of people working together. Everyone had something to bring to the group.

I understand that not all mentors are able to devote the amount of time that Dan did. The trio is even better in these situations. Having multiple mentees in a group allows for dialogue even when the mentor is busy between talks. The mentees can help each other grow both their passion and technical ability.

The other comment I had for Marisa was one that may have been more specific to my experiences, however I wouldn't be the least bit surprised to find that other students feel the same way. The comment I made was that it's incredibly handy for a mentor to help a mentee make the jump from methodology to practice.

Before meeting Dan I had done quite a bit of reading. I think the most well-known book I read was Hacking Exposed. The book was an incredible way to learn principles. I feel that the main issue I face, however, isn't the principles. I personally had a hard time starting the jump from reading to doing. I felt that I could describe quite a few techniques and how they worked, but if you asked me how to actually do them I'd be stumped. Technology in general moves quickly, however InfoSec seems to move especially fast. It's because of this that a lot of the reading material out there is far outdated by the time people get to reading it. If I was to redo the last year's mentoring experiences, that is probably the one thing I'd change. I think it would've been incredibly handy to slowly step through a particular methodology and really learn how each step translates from theoretical to practical.

There is one final tip that I feel is incredibly important to stress. Regardless of whether or not the pairing is local, getting mentees involved with the InfoSec community somehow is one of the best things you can do for them. Get them on twitter (or to start following the InfoSec crowd), get them on the mailing lists, if possible get them to local meetups and introduce them to people! The InfoSec community is a small one full of incredibly intelligent people. In my experience, many of these people are incredibly open (if not eager) to help people willing to take the time to learn. It is much easier to meet these people when you approach them with someone they already know! The best thing I personally got out of SOURCE was all of the incredible people I met, and I feel that was a direct result of volunteering for the conference which I did through the people I had already met at the local meetups!

Overall, I'm incredibly glad I was able to find a mentor to work with. I'm not Dan, however I feel that Ian and I were able to give him something through working with him as well. I'd personally consider the InfoSecMentors Project a success for simply putting together a few mentors and mentees. Fortunately they're only limited by the amount of people that express interest! I really do advise you give it a try. You'll be incredibly glad you did regardless of which side of the relationship you sign up for!

You can find Brandon Tansey on his new blog at The Wormhole, on his Twitter feed, or on LinkedIn.

Thursday, April 28, 2011

Guest Post: Brandon Tansey "SOURCE Boston & Mentors"

Today, our guest blogger is Brandon Tansey. He is a networking student and is active in the Boston Information Security community. Here is Brandon's post with his thoughts after attending SOURCE Boston.

I'm one of the folks that was lucky enough to make it out to SOURCE Boston this year, and I'm incredibly glad I did. There was a great selection of talks as well as hallway conversations, but there were a few sessions and conversations that stood out to me. The InfoSecMentors Panel and the following social were definitely among them.

The panel was primarily geared towards the mentors, however I found it quite interesting to listen to as a mentee. I feel that working with a mentor shouldn't be a one way street; the mentor should definitely be getting something out the relationship as well! Sitting in on the panel definitely gave me some insights to how mentors (at least the ones on the panel) view working with a mentee and the concerns they had. The panelists often had some differing opinions, however for the most part I didn't hear anything too unexpected. There was one answer that they all shared which shocked me, however: unresponsive mentees. The panelists were three people who are highly regarded when it comes to what they do professionally. There was Chris Gates(@carnal0wnage, Pentester at Rapid7), Andy Ellis(@csoandy, CSO at Akamai), and Allison Miller (@selenakyle, formerly a fraud specialist at Paypal). I was incredibly surprised to hear that even these three were having trouble with mentees not putting in the time. I found this to be a good problem as far as problems go, however. The fact that the program has mentors interested in more active mentees is great!

To backtrack for just a moment, my name is Brandon Tansey(@BrandonTansey) and I'm a sophomore Networking major at the Wentworth Institute of Technology in Boston. I'm enjoying my time at school and it has given me a desire to explore the InfoSec field beyond what the major offers. It's because of this that I began following quite a few of the SecurityFocus mailing lists early fall semester. I came across an email with the subject of "University Plan" on the PenTest list, and that was where my incredible mentor/mentee experience began.

As I was reading the discussion I saw something familiar. One of the people giving advice happened to have been describing the time he spent at Wentworth! I decided to email this mysterious Dan Crowley (@dan_crowley) and ask him a few questions about the school and the security field. After all, who could be better to ask than someone who started exactly where I was and happened to be exactly where I wanted to go? I found out that the answer to that is no one. The first time we spoke, I got the impression that he was even more excited about the hacklab setup my roommate and I have than we were. Within a week Dan started speaking (and would continue to do so weekly) at a club I help run on campus for technology enthusiasts. We'd also head back to my apartment afterwards with a few other classmates who really had an interest in exploring security.

Dan is, of course, incredibly talented when it comes to the technical side of things. What stood out to me, however, was the passion he had for both what he did and helping others learn what he knew. This passion is what immediately came to mind when Marisa Fagan(@dewzi) of the InfoSecMentors Project asked me if there was anything that I had from my work with Dan that I could share. Our discussion covered quite a few topics and some practical tips (which I'll get to in later), but I think the main point I was trying to make was how important that passion is.

I was certainly excited about security by the time I came across Dan (It definitely takes some level of interest to read through all of those SecurityFocus threads!). The passion I have now is on an entirely different order of magnitude, however. I'm also miles ahead of where I was in a technical regard, however I undoubtedly feel the biggest gain I've had has been in my interest of the subject. Without that I never would have done everything I've done on my own. I never would have been able to read the billions (give or take a few) of pages of security texts. I feel it's like the old "give a man a fish" proverb. A mentor can suggest a few vulnerabilities to look for or tools to use and call it a day, or they can help nurture the desire of the mentee to explore for themselves and keep learning between mentoring sessions. One of these will do much more for a mentee when he/she parts ways with the mentor, and I feel that's a large part of what the relationship is about: putting the mentee in a better position to help him or herself grow.

You can find Brandon Tansey on his new blog at The Wormhole, on his Twitter feed, or on LinkedIn.

Tuesday, April 19, 2011

InfoSecMentors at SOURCE Boston

We've been looking forward to April in Boston ever since last year when SOURCE Boston hosted a wonderful mentoring workshop. This week, Wim, Jimmy, and I will be attending the conference and hosting a mentoring workshop of our own! On Wednesday evening, there will be an interactive panel where we invite security professionals interested in the process of mentoring to come and learn about tricks and activities they can do with their mentee. Our panel of experienced mentors will be available to answer any type of questions. We also hope to brainstorm with our audience for new ideas for mentorship activities, like Open Source projects, CCDC, public speaking, and more.

Afterwards, it's the InfoSecMentors Project One Year Anniversary! We're inviting everyone out for drinks/snacks and networking with the mentors and mentees of the project. Look for more information in your SOURCE Boston schedule brochure.

The InfoSecMentors Project is going to be very active this year! Be sure to follow us on Twitter, @infosecmentors, to get the latest on our plans for scholarships, publications, and the party at Brucon!

To hear us discuss all of this, and much more, (more than you could ever want!!) listen to my interview with the EuroTrash Security Podcast Episode 20.


Thursday, April 7, 2011

My SOURCE Boston Walkthrough

Let me introduce myself real quick, I'm Jimmy Vo and I've been a mentee in the InfoSec Mentors program for about 10 months now. I'm a recent Computer Science graduate and working my first year professionally as a systems analyst. I'm looking forward to going to my SOURCE Boston since it will be my first conference. I just wanted to do a walk through of some of the talks and workshops I'll be attending. If you see me, please say Hello.

Every single talk and session I’ve seen for this years SOURCE looks amazing. There were a few talks that popped out on the schedule. Of course, I wish I could attend every talk.

Bringing Sexy Back: Defensive Measures That Actually Work
Paul Asadoorian, Founder & CEO, PaulDotCom Enterprises
April 20, 11:00am-11:50am

This talk focuses on implementing defensive measures that can mitigate and/or slow down attackers using many technologies. These technologies include honeypots, scripts, and traps. This talk goes beyond traditional defensive measure that do not work anymore. I’m looking forward to this talk because I’m a big fan of the PaulDotCom podcast and Paul and the rest of his crew are as entertaining as they are knowledgeable when it comes to information security.

In the land of the blind, the squinter rules
Wim Remes, Ernst & Young (@wimremes)
April 20, 2:30pm-3:20pm

This talk focuses on security visualization, which a topic that my Mentor and I have talked a few times about. Visualization is an easily digestible way to present data to colleagues and executives. This talk by Wim will cover the basics of visualization and then elaborate on gathering information using Davix and Google Chart API.

Getting Stuff Done: How to work with the rest of the business
Andy Ellis, Senior Director of Information Security, Akamai
April 20, 4:00pm-4:50pm

This should be a very useful and interesting talk. In many organizations information security importance is not totally understood. Sometimes it’s very difficult for technical people to work with other business units and co-workers. It took me a while to figure out operational people don’t care for the technical background and jargon, they just want to know if the systems working. I’m hoping to learn some information on working more cohesively with other business units.

Selling Security Without Selling Your Soul
Aaron Cohen, Managing Partner, MAD Security (@aaronco)
April 20, 5:00-5:30pm

I’m very excited about this talk Aaron is giving. It’s evident that security is not widely and truly embraced as it should be. I’m personally very excited with this talk because I’m always trying to get management buy in and project sponsorship for security initiatives.

InfoSec Mentors Workshop
April 20, 5:30-8:30 in The Constitution

This workshop is to celebrate the 1 year anniversary of the InfoSec Mentors program/project. I hear there’s going to be good food and a lot of fun. I’m excited to talk to other mentors/mentees. I also look forward to sharing my experience at the workshop.

Between 5:30 and 6:30 there will be an InfoSec Mentors panel that will be discussing mentoring tips and tricks. The Panel will focus on making great mentors even greater. The panel will consist of many professionals, InfoSec veterans, and speakers to share their experience and knowledge to build mentors.

After the InfoSec Mentors Panel there will be a mixer at 6:30-8:00. During this time mentors and mentees will have time to meet and party! Also there’s an open bar and food, automatically a good time. I’m looking forward to talking to other mentors and mentees to see some other perspectives on the program.

Across the Desk: Different Perspectives on InfoSec Hiring and Interviewing
Lenny Zeltser, Security Consulting Director,Savvis & Faculty Member, SANS Institute (@lennyzeltser) & Lee Kushner, President, LJ Kushner & Associates (@ljkush)
April 21, 10:00-10:50am

I always look forward to the content on Lenny Zeltser and Lee Kushner’s blog. The talk focuses on very important perspectives from the candidate and the employer. There is further discussion on important aspects such as resumes, job descriptions, interview communications and compensation. This is an extremely relevant talk for me since I’m a mentee trying to get into the InfoSec field.

So You Got That SIEM. Now What Do You Do?
Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin)
April 22 - 11:10am-12pm

This talk by Dr. Anton Chuvakin helps navigate the challenges of deploying SIEM. Dr. Chuvakin shares some best practices and insight on how to achieve SIEM success. I’m interested in this talk because I’ve recently have been following Dr. Chuvakin’s blog which covers topics such as log management and SIEM. I’ll also be working with SIEM solutions in the near future.

Wednesday, March 16, 2011

The InfoSecMentors Project Essay Contest

The InfoSecMentors Project is giving away one ticket to Notacon 8 by having an essay contest. Each entrant should write an essay of less than 400 words about the following topic:

"Pretending I am your supervisor, write me an email requesting leave to attend a conference. Include reasons why attending conferences are valuable to the organization, and what you hope to learn from this hypothetical conference."

Submissions will be judged by an independent professional manager who makes decisions like this one. The submission that is most convincing and appropriate for a professional situation wins!

Email submissions to Anyone can enter. The ticket will be available at will call. Contest ends April 8th 2:00pm ET. Winner announced April 9th.

Notacon is April 14-17 in Cleveland, OH.