Sunday, March 23, 2008

Introducing: Were I taking this seriously...

So in an effort to separate the wheat from the chaff I decided to spin off my InfoSec thoughts from my wanderings and exploration of the world.

My initial plan for this little corner of writing will be for me to discuss things about Information Security that crop up on a daily basis. Let's say this is going to be about "iron sharpening iron."

I am also planning on using this space to dump bits and pieces of wisdom I might learn along the way to being the best InfoSec manager in the world (this is humor - I am sure I will provide more than enough reasons to flame as this goes along. Please learn to see my sarcasm before we get too far into things.)

I am not a super h@x0r - I have never claimed to be. I am not a Bruce Schneier or a Richard Bejtlich, or even a Dan Kaminsky (although I do work with him).

I am a former network engineer who always had a belief that security should be included in everything you built. I blame this on my own misspent youth. My father watched me blow my eyebrows off more than once doing stupid things. After a while of doing destructive things that might hurt you, security (protection of self) suddenly became important.

I started college as a Sociology Major (people are interesting) - then changed to Mechanical Engineering (I am going to build robots) - a quick stint in Biology: Marine Biology (I read Lilly - one of his pals was Timothy Leary). I had a car accident and things changed - I ended up in Computer Science and did well. I had a computer from the age of 9 on, so it made some sense (thanks to mom and dad on that one).

I enjoyed computers - introduced some neat ideas to the use of computers and biology at my university (if I had known that there would be a field to spring up years later called BioInformatics I might have stayed in that) and then bounced to Colorado to be a ski bum.

My diverse course of study has provided me with different ways of looking at things. Those in the security industry realize that having alternate viewpoints will help you figure out where the next bad thing is coming from.

As an aside, there was a post in the last month about the way InfoSec people think. Is it learned or is it innate knowledge? See Bruce's thoughts at link. You can see one rebuttal at link.

Sorry Bruce - I am going to lean towards the learned ability. Proper scientific method at use here:

1) Define the question (how would I break this web application? steal this car? compromise this RFID tag?)
2) Gather information and resources (Google, Secunia, milw0rm, RFID)
3) Form hypothesis (hmm, if I add a ' there, will things go awry?)
4) Perform experiment and collect data (well look at that - the database just dumped)
5) Analyze data (oh looks like someone has been keeping credit card data)
6) Interpret data and draw conclusions that serve as starting point for next hypothesis (does everyone using Joomla have Remote File Inclusion Vulnerabilities?)
7) Publish results (Google, Secunia, milw0rm, RFID)
8) Retest (here come the script kiddies)

So while I might agree that InfoSec people are a little different (if you don't agree you have missed oh every Defcon since the dawn of time) - I am not going to agree that they go at things differently than the next guy. InfoSec professionals just come up with better hypotheses to test.

Well that's enough for a solid introduction. I will be adding more as I go along. Here's a brief snippet of where I will be over the next couple of weeks:

"Next I am in Amsterdam all week for Blackhat Europe. The first couple of days I will be in class learning Reverse Engineering: Application in Malicious Code Analysis. I am really looking forward to the class. It should be interesting and allow me to be more successful in my own reverse engineering assignments. I wrap that up and zip back to the States on the 29th.

I will be in Seattle for a week (time to practice being a manager) then I am off to San Francisco for RSA. There I will get to practice my new Director skills as I begin the process of moving IOActive forward in their information security offerings (glamorous words for me being a sales guy for a week). I will also be there as a technical resource to help the real sales people discuss what we can do as a resource for an organization. I am really excited about this. I have begun to make some new contacts and I am really looking forward to increasing the range of discussions and adding my own input to the security community.

After that long week I will be back in Seattle reviewing what I learned at RSA and preparing for a trip back to Germany. If you don't follow me on Dopplr let me know and I will add you. My travel schedule is crazy...."

Hope to meet you and see your comments in the future.
