Thursday, February 4, 2016

The Infosec Hiring Crisis and Building Remote Security Teams

Well, it's not a secret. It's becoming very difficult to hire information security talent, and as the job market grows the talent pool is getting thinner. This is happening all over, especially in large cities, and it's become even more of a concern in smaller cities, where the smaller population limits the number of qualified candidates who apply. With this being said, I'm a big fan of "spreading the net" across the country and building elite teams of top talent that work remotely.

In this article for Tripwire I explain what I think companies need to start considering to fill these positions, all while being agile and acquiring top talent in the security industry. It's one thing to hire someone, but if you're not going to find a candidate with the experience and skills locally, why not look outside your geographic area? It requires a change of thinking for most large companies, not as much for startups, but it can work and could give you the best protection of your assets.

Here's the article:

Wednesday, January 13, 2016

What David Bowie Taught Cyber Security

We're all trying to keep up with the risks of tomorrow and that means evolving ourselves in order to stay somewhat relevant against today's threats. If we learned anything from David Bowie it was that evolution of self will keep you relevant in today's market. The man was a genius at never doing the same thing twice and always pushed the boundaries of what people thought was "sane". That's what we need to be doing in cyber security.

If we're the same people we were last year, we're dying. This field doesn't take kindly to those that don't learn, stay stagnant, or accept that what they're doing doesn't really matter in the grand scheme of things. If you're one of these people, then you have to look at Bowie and how he kept a career going for three decades by pushing the envelope, never sitting on his arse or following what others were doing. Over the past year we've seen hacks grow in both sophistication and scale; there's no room for people in cyber security that just want to get by. There's a shortage of good help out there in InfoSec, and if you're responsible for being at the helm, give them the courtesy of giving your all.

Now regarding technology: if the same technology is being used that was in use for the past 5 years, you have a problem. I understand that budgets can become an issue, but let's not blame the lack of money for all our problems. I've personally seen security departments running on a very small budget that have tighter security than those with multi-million dollar budgets. It's a mindset. Money sure does help, but if you're not willing to get a little dirty the money won't do anything anyway. Figure out the areas that you need improvements in, determine how these improvements would be remediated to protect your assets, and get it done. This doesn't always mean dropping some serious coin on a solution. Maybe it's a process that needs to be tightened, a script that needs to be written, or an open source solution that needs to be managed. This is the Bowie approach: if something isn't handed to you, figure it out and make something with what you have that no one would ever have assumed possible.

We have the option to either let the threats keep coming while complaining that we don't have the resources, people, or process, OR we go out there and carve out our own path doing things that people said would never get done. We have the opportunity to make our assets safer and to make a difference in the way things are done, but if we concede to a defeatist mindset we're not only hurting ourselves, we're hurting those that rely on their data being protected. We truly can make a difference in the world, the economy and the lives of others, just by thinking outside the box. This problem of cyber security isn't going away, and the issue of budgets will always be there, but we need to take this upon ourselves and rise to the occasion. As the Bowie quote goes, "I don't know where I'm going from here, but I promise it won't be boring." Well said.

Monday, January 4, 2016

Comparing Personal VPN Services

We're all familiar with using VPNs for business purposes and the benefits we receive from them (privacy, security, etc.), but what about individuals looking to utilize a VPN for personal use? Whether you're in a coffee shop, a journalist, or someone who wants to add additional privacy and security to their internet connection, a VPN for personal use is a wise choice. The problem now comes when attempting to select a VPN service for this purpose. The good news is that much of the heavy lifting has already been done for you.

I was recently contacted by the creator of who went through this very same debacle and decided to create a webpage based on his experience. Due to his research and diligence in comparing some of the major personal VPN services out there, this site might make your decision on selecting a personal VPN a little easier. Enjoy.

Wednesday, December 30, 2015

The Size and Scope of Data Breaches in 2015 (Bromium)

Last year was a pretty big year for data breaches, and it seems like 2015 is not so much different. Online retailers used to be a big target, but this year we've seen breaches across many different sectors including insurance, many health companies and even governments. These targets carry even more of our personal data than retailers did. Awareness of security issues is higher than ever, with people putting more effort into protecting their data. However, according to studies, the cost per stolen record has still managed to increase by 6% this year to an average cost of $154 per stolen record. Companies like Uber, Experian, Anthem, Premera and even the IRS had data breaches. Check out this graphic from Bromium to see the size and extent of breaches in 2015.

Tuesday, December 29, 2015

Call for Security Authors! No Prior Writing Experience Needed!

Over the course of the next year, I'd like to publish a few small booklets regarding recurring themes we've seen year-over-year in the security industry. What I'd like to do is have these booklets broken down into chapters, with people within the security industry assisting by adding the real-world material and insights. There is really nothing better than having those working in the trenches each day guide the way the booklets should be written. There are so many people out there that don't have the ability to share what they're learning and doing each day, and hopefully this can allow them to share their experience. By doing so, we all benefit.

Within each topic I'd like to include multiple chapters. Each topic will be somewhat different, but what I'm aiming at is education on the topic itself. The granularity of the information for each topic will vary, but we should attempt to hit on the following main themes for each subject:

Booklet Themes
  • Review of the topic
  • Why it's a recurring topic
  • Advice with solutions
  • Tricks of the trade
  • Improvements

At this time I'm proposing the following six topics to start with, since advice on them is in great demand either when looking to resolve an issue or when proactively looking to improve your security posture. I'd like people to use these booklets as a way to guide others in creating better security for the topics being written on. These won't be vendor slicks trying to sell a product, but something valuable that can be taken without bias. This, in my opinion, is more valuable. Also, this is a first stab at the topics; if you have others you think should be on the list, please let me know. We're flexible.

  • Incident Response
  • DDoS
  • Deception in Depth
  • Security Monitoring
  • Phishing
  • Application Security

If you have experience in any of these areas and want to submit some content on the topics, please contact me at the email below. Once we get enough authors signed up we'll start breaking down the themes of the topics in more detail. These booklets aren't being sold and would hopefully be put under a Creative Commons licensing approach where others can share and add to them freely, while giving credit to those that worked on them.

If you’re interested, please contact me at

Monday, December 28, 2015

Cyber Security 2015 Reflections - Another Year Gone By

Here are some cyber security reflections I've written for Algosec as the year comes to a close, along with a few things we're forecasting for the new year to come.

Wednesday, December 23, 2015

Another Example of Why Governments Should Exit the Encryption Debate (The Juniper Debacle)

With the recent revelation of the Juniper backdoor vulnerability, it begs the question as to why we should "let" the government put purposeful backdoors into our products. Apple has been very vocal on why they won't be bullied by the government into allowing this type of behavior, and on how the privacy of their users' data is paramount. With the recent terror attacks in Paris and other places in the world, governments everywhere, the U.S.A. and the U.K. being the loudest, are attempting to use fear to push their agendas. This isn't news anywhere. We know they're looking to create backdoors into our encryption, and it's for that very reason that we have the Juniper scandal today.

In a recent article, WIRED magazine explains that the backdoor was made possible due to the DUAL_EC_DRBG encryption algorithm, which was purposely created by the NSA to decrypt data surreptitiously. This was always suspected while the protocol was in review, but it was eventually pushed into a NIST standard as one of the recommended encryption protocols at the time. It's been reported that this was part of the NSA's operation BULLRUN, which was created to break encryption for monitoring targets, and for which they had a nearly $250 million yearly budget. Even more concerning is that the NSA purportedly paid RSA the sum of $10 million to include this algorithm in their product. RSA has since said that they were unaware of this at the time, but it's still highly suspicious.

This being said, governments have already been accessing our systems, either in cooperation with technology vendors or by illegally circumventing vendors' technology to gather the data they're looking to collect. So why should we trust them to be more responsible if we allow them to put holes into products that we use every day? What have they done in the past to earn this respect and trust? They don't have our confidence to play within the rules, so what makes them think we'd be willing to be taken by the hand and walked down a path we'll eventually regret? The problems they're creating (look at Stuxnet and DUAL_EC_DRBG) discredit them from being taken seriously. Also, it's overreaching to start using the terrorist attacks in Paris, where they didn't use encrypted channels for communications, or the terrorist attacks in San Bernardino, where there were public Facebook announcements made by the terrorists announcing their actions. Both of these attacks' communications were in cleartext, and both of these attacks weren't stopped. This might be somewhat far-fetched of me, but if you want all the encrypted information now, start stopping the things that happen in the clear first.

What many of these governments aren't thinking about now is that they're making your device less secure and more vulnerable to eventual attack by someone else. I understand they want to have a separate key that would only allow them to access the data when needed, which is still scary. But just like Dr. Ian Malcolm said in Jurassic Park, "Life, uh... finds a way," and it's possible that the vulnerability/hole you created for yourself will be abused by others: that this hole will be used to spy against you, or that even more malicious actors will use a similar method to abuse the access that was blown open to "protect" people. I can't see any concrete reasons, or examples, from the past that dramatically slide the argument into the government's favor against us giving up our privacy. So the latest backdoor issue we've seen come to light, with Juniper, all due to the NSA making a hole that shouldn't have been there to begin with, is yet another example of why the government should remove itself from this debate completely. They don't have a track record of being responsible with this type of access, and we don't want to give it to them.