Thursday, April 28, 2011

Guest Post: Brandon Tansey "SOURCE Boston & Mentors"

Today, our guest blogger is Brandon Tansey. He is a networking student and is active in the Boston Information Security community. Here is Brandon's post with his thoughts after attending SOURCE Boston.

I'm one of the folks that was lucky enough to make it out to SOURCE Boston this year, and I'm incredibly glad I did. There was a great selection of talks as well as hallway conversations, but there were a few sessions and conversations that stood out to me. The InfoSecMentors Panel and the following social were definitely among them.

The panel was primarily geared towards the mentors, however I found it quite interesting to listen to as a mentee. I feel that working with a mentor shouldn't be a one way street; the mentor should definitely be getting something out the relationship as well! Sitting in on the panel definitely gave me some insights to how mentors (at least the ones on the panel) view working with a mentee and the concerns they had. The panelists often had some differing opinions, however for the most part I didn't hear anything too unexpected. There was one answer that they all shared which shocked me, however: unresponsive mentees. The panelists were three people who are highly regarded when it comes to what they do professionally. There was Chris Gates(@carnal0wnage, Pentester at Rapid7), Andy Ellis(@csoandy, CSO at Akamai), and Allison Miller (@selenakyle, formerly a fraud specialist at Paypal). I was incredibly surprised to hear that even these three were having trouble with mentees not putting in the time. I found this to be a good problem as far as problems go, however. The fact that the program has mentors interested in more active mentees is great!

To backtrack for just a moment, my name is Brandon Tansey(@BrandonTansey) and I'm a sophomore Networking major at the Wentworth Institute of Technology in Boston. I'm enjoying my time at school and it has given me a desire to explore the InfoSec field beyond what the major offers. It's because of this that I began following quite a few of the SecurityFocus mailing lists early fall semester. I came across an email with the subject of "University Plan" on the PenTest list, and that was where my incredible mentor/mentee experience began.

As I was reading the discussion I saw something familiar. One of the people giving advice happened to have been describing the time he spent at Wentworth! I decided to email this mysterious Dan Crowley (@dan_crowley) and ask him a few questions about the school and the security field. After all, who could be better to ask than someone who started exactly where I was and happened to be exactly where I wanted to go? I found out that the answer to that is no one. The first time we spoke, I got the impression that he was even more excited about the hacklab setup my roommate and I have than we were. Within a week Dan started speaking (and would continue to do so weekly) at a club I help run on campus for technology enthusiasts. We'd also head back to my apartment afterwards with a few other classmates who really had an interest in exploring security.

Dan is, of course, incredibly talented when it comes to the technical side of things. What stood out to me, however, was the passion he had for both what he did and helping others learn what he knew. This passion is what immediately came to mind when Marisa Fagan(@dewzi) of the InfoSecMentors Project asked me if there was anything that I had from my work with Dan that I could share. Our discussion covered quite a few topics and some practical tips (which I'll get to in later), but I think the main point I was trying to make was how important that passion is.

I was certainly excited about security by the time I came across Dan (It definitely takes some level of interest to read through all of those SecurityFocus threads!). The passion I have now is on an entirely different order of magnitude, however. I'm also miles ahead of where I was in a technical regard, however I undoubtedly feel the biggest gain I've had has been in my interest of the subject. Without that I never would have done everything I've done on my own. I never would have been able to read the billions (give or take a few) of pages of security texts. I feel it's like the old "give a man a fish" proverb. A mentor can suggest a few vulnerabilities to look for or tools to use and call it a day, or they can help nurture the desire of the mentee to explore for themselves and keep learning between mentoring sessions. One of these will do much more for a mentee when he/she parts ways with the mentor, and I feel that's a large part of what the relationship is about: putting the mentee in a better position to help him or herself grow.

You can find Brandon Tansey on his new blog at The Wormhole, on his Twitter feed, or on LinkedIn.

Tuesday, April 19, 2011

InfoSecMentors at SOURCE Boston

We've been looking forward to April in Boston ever since last year when SOURCE Boston hosted a wonderful mentoring workshop. This week, Wim, Jimmy, and I will be attending the conference and hosting a mentoring workshop of our own! On Wednesday evening, there will be an interactive panel where we invite security professionals interested in the process of mentoring to come and learn about tricks and activities they can do with their mentee. Our panel of experienced mentors will be available to answer any type of questions. We also hope to brainstorm with our audience for new ideas for mentorship activities, like Open Source projects, CCDC, public speaking, and more.

Afterwards, it's the InfoSecMentors Project One Year Anniversary! We're inviting everyone out for drinks/snacks and networking with the mentors and mentees of the project. Look for more information in your SOURCE Boston schedule brochure.

The InfoSecMentors Project is going to be very active this year! Be sure to follow us on Twitter, @infosecmentors, to get the latest on our plans for scholarships, publications, and the party at Brucon!

To hear us discuss all of this, and much more, (more than you could ever want!!) listen to my interview with the EuroTrash Security Podcast Episode 20.


Thursday, April 7, 2011

My SOURCE Boston Walkthrough

Let me introduce myself real quick, I'm Jimmy Vo and I've been a mentee in the InfoSec Mentors program for about 10 months now. I'm a recent Computer Science graduate and working my first year professionally as a systems analyst. I'm looking forward to going to my SOURCE Boston since it will be my first conference. I just wanted to do a walk through of some of the talks and workshops I'll be attending. If you see me, please say Hello.

Every single talk and session I’ve seen for this years SOURCE looks amazing. There were a few talks that popped out on the schedule. Of course, I wish I could attend every talk.

Bringing Sexy Back: Defensive Measures That Actually Work
Paul Asadoorian, Founder & CEO, PaulDotCom Enterprises
April 20, 11:00am-11:50am

This talk focuses on implementing defensive measures that can mitigate and/or slow down attackers using many technologies. These technologies include honeypots, scripts, and traps. This talk goes beyond traditional defensive measure that do not work anymore. I’m looking forward to this talk because I’m a big fan of the PaulDotCom podcast and Paul and the rest of his crew are as entertaining as they are knowledgeable when it comes to information security.

In the land of the blind, the squinter rules
Wim Remes, Ernst & Young (@wimremes)
April 20, 2:30pm-3:20pm

This talk focuses on security visualization, which a topic that my Mentor and I have talked a few times about. Visualization is an easily digestible way to present data to colleagues and executives. This talk by Wim will cover the basics of visualization and then elaborate on gathering information using Davix and Google Chart API.

Getting Stuff Done: How to work with the rest of the business
Andy Ellis, Senior Director of Information Security, Akamai
April 20, 4:00pm-4:50pm

This should be a very useful and interesting talk. In many organizations information security importance is not totally understood. Sometimes it’s very difficult for technical people to work with other business units and co-workers. It took me a while to figure out operational people don’t care for the technical background and jargon, they just want to know if the systems working. I’m hoping to learn some information on working more cohesively with other business units.

Selling Security Without Selling Your Soul
Aaron Cohen, Managing Partner, MAD Security (@aaronco)
April 20, 5:00-5:30pm

I’m very excited about this talk Aaron is giving. It’s evident that security is not widely and truly embraced as it should be. I’m personally very excited with this talk because I’m always trying to get management buy in and project sponsorship for security initiatives.

InfoSec Mentors Workshop
April 20, 5:30-8:30 in The Constitution

This workshop is to celebrate the 1 year anniversary of the InfoSec Mentors program/project. I hear there’s going to be good food and a lot of fun. I’m excited to talk to other mentors/mentees. I also look forward to sharing my experience at the workshop.

Between 5:30 and 6:30 there will be an InfoSec Mentors panel that will be discussing mentoring tips and tricks. The Panel will focus on making great mentors even greater. The panel will consist of many professionals, InfoSec veterans, and speakers to share their experience and knowledge to build mentors.

After the InfoSec Mentors Panel there will be a mixer at 6:30-8:00. During this time mentors and mentees will have time to meet and party! Also there’s an open bar and food, automatically a good time. I’m looking forward to talking to other mentors and mentees to see some other perspectives on the program.

Across the Desk: Different Perspectives on InfoSec Hiring and Interviewing
Lenny Zeltser, Security Consulting Director,Savvis & Faculty Member, SANS Institute (@lennyzeltser) & Lee Kushner, President, LJ Kushner & Associates (@ljkush)
April 21, 10:00-10:50am

I always look forward to the content on Lenny Zeltser and Lee Kushner’s blog. The talk focuses on very important perspectives from the candidate and the employer. There is further discussion on important aspects such as resumes, job descriptions, interview communications and compensation. This is an extremely relevant talk for me since I’m a mentee trying to get into the InfoSec field.

So You Got That SIEM. Now What Do You Do?
Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin)
April 22 - 11:10am-12pm

This talk by Dr. Anton Chuvakin helps navigate the challenges of deploying SIEM. Dr. Chuvakin shares some best practices and insight on how to achieve SIEM success. I’m interested in this talk because I’ve recently have been following Dr. Chuvakin’s blog which covers topics such as log management and SIEM. I’ll also be working with SIEM solutions in the near future.