Sunday, October 18, 2015

2015 ISSA International Conference

This past week I attended the 2015 Information Systems Security Association (ISSA) International Conference.  It was held in Chicago on October 12-13.  Before that the CISO Forum was held, and afterwards, they held the one-day Chapter Leaders Summit.  The CISO Forum was only open to members of ISSA's CISO Forum, and the Chapter Leaders Summit brought together chapter officers for workshops and sessions to help them improve their chapters.

This is the second ISSA Conference I've attended.  I thought this one was pretty good.  We had a couple of good keynote sessions (Vinton Cerf and Dan Geer).  There were several sessions organized into different tracks, and all were tied to the ISSA's Cybersecurity Career Lifecycle model.  There were a few other special events, such as the CISO Forum luncheon and the awards luncheon where several people were recognized with ISSA Awards.  There was also a reception at 360 Chicago at the John Hancock Center.

This year they had a conference app, which I've seen used at other events I attend.  This one also had people scan QR codes on name badges, at the vendor tables, and at events and sessions.  Those who got the most would get prizes.  So, obviously, at an infosec conference, some hacked the app.

They had a good number of vendors this year, though many I had never heard of.  I was disappointed that some of the major security vendors weren't there.

As a chapter officer, I also attended the Chapter Leaders Summit.  A good event.  I almost wish it was longer.

Next year's conference will be in Dallas around the same time.  Hopefully I can attend.


Saturday, May 16, 2015

Resources for the Internet of Things Security

At the HackMiami Conference on May 16, 2015, I did a presentation on an Introduction to Internet of Things Security.  The presentation is now up on YouTube.  I have the link below.

As a tie-in to the presentation, I am providing here links to the various resources that I covered in the presentation, along with others I didn't have the time to cover.  If you come across other items of interest, please add them to the comments.

Friday, April 24, 2015

"The Frugal CISO" by Kerry Anderson

Currently I am reading through Kerry Ann Anderson's The Frugal CISO (CRC Press, 2014).

I am always on the lookout for good infosec books, and one area that I think is underserved is books aimed at the top-level security professional on how to implement a good information security program.

This one I had discovered thanks to a related article the author had in a recent issue of the ISACA Journal on information security maturity models ("From Here to Maturity: Managing the Information Security Life Cycle", v6, 2014).  She makes use of the Nolan Model, which I wasn't familiar with (being more familiar with the CMM/CMMI-based models).  The article was interesting, and I wanted to know more about the idea; she spends a chapter on this concept, which is good.  I think this would be a better maturity model for infosec groups to use than a CMM-based one.

I am currently reading through the book, basically jumping around based on my interests.  What I see is pretty good.  She has stuff on hiring and building an infosec team, policies, controls, and more.  Her main theme overall is being frugal, being smart about what you are spending money on, an important concept in today's cost-cutting attitude.

This is not a full review of the book.  I will probably post something like that later on.


Monday, April 13, 2015

Resources for the NIST CSF

At the recent Security BSides Orlando conference, I gave a talk on the NIST Cybersecurity Framework (NIST CSF).

As an aid to that talk, here is a collection of resources on the CSF.

Security BSides Orlando 2015 Report

This past weekend, April 11 & 12, 2015, we had the third Security BSides Orlando.  This was my second BSides Orlando, and this year I also presented.  For those that may have missed it, this is my report of the event.

Sadly, I was not able to attend on Saturday, due to another event I went to.  I was disappointed by that, as there were a few talks I wanted to attend.  Each day there was a keynote, along with a second keynote on Saturday.  Talks were organized into 2 physical tracks, and the topics fell into one of 4 broad areas:  Foundations, Construction, Wrecking Ball, and Ground Truth.  Foundations was the more intro topics; Construction built on that with tools, techniques, and knowledge to build your program; Wrecking Ball was the red teaming and awesome tools; and Ground Truth was innovative comp sci/math.

In addition, there were all-afternoon workshops, 2 each day, a lockpick village all day each day, and the Capture the Flag game both days.


Friday, April 3, 2015

SFISSA's 2015 Anniversary Party/Hack the Flag event

The South Florida Chapter of ISSA is celebrating their 15th Anniversary this year.

One event they put on every year is the Hack the Flag/Chili Cookoff.  At this event, they usually have 2 "hack the flag" events, one for beginners and another advanced.  The advanced game has been run by our local friends at Kommand && KonTroll CTF (part of HackMiami).

Monday, March 30, 2015

Upcoming Information Security Events (& Organizations) in the South Florida area

As an information security professional, it's important to stay up on the latest trends.  One great way of doing so is to attend conferences and meetings and learn from your peers through the presentations, panel discussions, and just networking and chatting.

Here in the South Florida area (Miami-Dade, Broward, Palm Beaches) there are several opportunities for this, but sadly, too many don't take advantage of them.  Here are some to keep in mind for the coming year.

Sunday, March 29, 2015

HackMiami 2015 Conference

This May, HackMiami will be having their 2015 conference, their third, again in Miami Beach.

I've been to each one, and I will be presenting at this year's conference.  Each conference has gotten better, so even if I wasn't presenting I'd look forward to it.

If you are in the South Florida area, you should try to attend.  This is a great conference, and while more "hackerish", it's one that anyone involved with InfoSecurity should check out.

I'll publish a report on the conference afterwards.

Saturday, March 28, 2015

BSides Orlando 2015

In a few short weeks BSides Orlando 2015 will kick off.

This is the third year of this event, and my second time attending.  I will also be presenting on Sunday.  This year the venue is changing to the University of Central Florida.  I hope this will be a good thing.

So far we have 3 BSides Conferences in Florida: Tampa, Orlando, and Jacksonville.  I'd love to see one get going here in South Florida.  Any interest???


Friday, March 27, 2015

2015 SFISSA Biennial Security Conference

On March 20, 2015, the South Florida Chapter of the Information Systems Security Association (ISSA) had our biennial Security Conference.

Each time we do these conferences, we try to have a theme.  The one I had come up with was regarding Cloud Security, as that seems to be a big concern.  So I called it "Pirates in the Cloud: Security Issues, Threats, and Trends in Cloud Computing".  We encouraged people to submit proposals that tied into that and would fall into one of 3 broad categories: technical, management, law/compliance.

With a sort of "Air Pirates" idea, we developed some interesting name badges and plaques.  I wanted to get away from the standard conference stuff.


Friday, January 30, 2015

So you want to hire an InfoSecurity professional? [Part 1]

The following posting is an opinion piece.  It's based on personal experiences and anecdotal information.  Deal with it.

So your organization is looking to hire one or more Information Security Professionals.  Maybe you are growing your InfoSec organization, adding to your IT organization, or realizing that, yes, you need to create an InfoSec group.  (All those big breaches in the news have you running scared.)

Do you have a good idea of what you need in terms of skills, knowledge, and experience?  Do you have a good idea what kind of role you are trying to fill?  Do you have an idea of the salary that candidates with the skills you need are expecting?  You'd best figure this out soon.  (Hopefully you've consulted with professionals to help you out, and I don't mean recruiters.)  Here are some things to consider.



Now, a word of warning.  It may seem that I am stating the obvious at several points, and in a condescending manner.  But the sad thing is that, in speaking with recruiters and HR people, they don't seem to understand these points.  As an infosec professional, this p*sses me off, and so I feel I need to state the obvious for those who don't get it.