Monday, March 7, 2016

Security BSides Orlando & Tampa 2016

Well, here we are in 2016.

This year I am working on speaking at several upcoming conferences.  Two are coming up this month and next:  BSides Orlando and BSides Tampa.


Security BSides Orlando 2016 will be held the weekend of March 12-13, just before SANS Orlando.  This is the 4th year of the conference, and the conference again returns to the University of Central Florida, but in a different building from last year.

I will be giving a 2 hour workshop on various security standards, frameworks, and regulations such as NIST CSF, ISO/IEC 27001, HIPAA, PCI-DSS and more.  I will be posting here a list of the recommended sources of info, training, etc for this presentation.



Security BSides Tampa 2016 will be held on Saturday, April 16 at Stetson College of Law – Tampa Campus.  This is the third year of the conference and my first time attending.  I will be giving a presentation on the NIST Cybersecurity Framework on its second year of existence.  I have something special in regards to this presentation which I will review later.

I look forward to both conferences.  If you have never been to a BSides conference, check to see if there is one coming up in your general area.  Just in Florida we have 3, though I'd love to see one start here in South Florida.

As I learn about the other conferences I have submitted proposals to, I'll post them here.


Sunday, October 18, 2015

2015 ISSA International Conference

This past week I attended the 2015 Information System Security Association (ISSA) International Conference.  It was held in Chicago on October 12-13.  Before that the CISO Forum was held, and afterwards, they held the one-day Chapter Leaders Summit.  The CISO Forum was only open to members of ISSA's CISO Forum, and the Chapter Leader Summit brought together chapter officers for workshops and sessions to help them improve their chapters.

This is the second ISSA Conference I've attended.  I thought this one was pretty good.  We had a couple of good keynote sessions (Vinton Cerf and Dan Geer).  There were several sessions organized into different tracks, and all were tied to the ISSA's Cybersecurity Career Lifecycle model.  There were a few other special events, such as the CISO Forum luncheon and the awards luncheon where several people were recognized with ISSA Awards.  There was also a reception at 360 Chicago at the John Hancock Center.

This year they had a conference app, something I've seen used at other events I attend.  This one also had people scan QR codes on name badges, at the vendor tables, and at events and sessions.  Those who scanned the most would get prizes.  So, obviously, at an infosec conference, some people hacked the app.

They had a good number of vendors this year, though many I had never heard of.  I was disappointed that some of the major security vendors weren't there.

As a chapter officer, I also attended the Chapter Leaders Summit.  A good event.  I almost wish it was longer.

Next year's conference will be in Dallas around the same time.  Hopefully I can attend.


Saturday, May 16, 2015

Resources for the Internet of Things Security

At the HackMiami Conference on May 16, 2015, I did a presentation on an Introduction to Internet of Things Security.  The presentation is now up on YouTube.  I have the link below.

As a tie-in to the presentation, I am providing here links to the various resources that I covered in the presentation, along with others I didn't have the time to.  If you come across other items of interest, please add them to the comments.

Friday, April 24, 2015

"The Frugal CISO" by Kerry Anderson

Currently I am reading through Kerry Ann Anderson's The Frugal CISO (CRC Press, 2014).

I am always on the lookout for good infosec books, and one area that I think is underserved is books aimed at the top-level security professional on how to implement a good information security program.

This one I had discovered thanks to a related article the author had in a recent issue of the ISACA Journal on information security maturity models ("From Here to Maturity—Managing the Information Security Life Cycle", v6, 2014). She makes use of the Nolan Model, which I wasn't familiar with (being more familiar with the CMM/CMMI-based models).  The article was interesting, and I wanted to know more about the idea; she spends a chapter on this concept in the book, which is good.  I think this would be a better maturity model for infosec groups to use than a CMM-based one.

I am currently reading through the book, basically jumping around based on my interests.  What I see is pretty good.  She has material on hiring and building an infosec team, policies, controls, and more.  Her main theme overall is being frugal, being smart about what you are spending money on, an important concept in today's cost-cutting climate.

This is not a full review of the book.  I will probably post something like that later on.


Monday, April 13, 2015

Resources for the NIST CSF

At the recent Security BSides Orlando conference, I gave a talk on the NIST Cybersecurity Framework (NIST CSF).

As an aid to that talk, here is a collection of resources on the CSF.

Security BSides Orlando 2015 Report

This past weekend, April 11 & 12 2015, we had the third Security BSides Orlando.  This was my second BSides Orlando and this year I also presented.  For those that may have missed it, this is my report of the event.

Sadly, I was not able to attend on Saturday, due to another event I went to.  I was disappointed by that, as there were a few talks I wanted to attend.  Each day there was a keynote, along with a second keynote on Saturday.  Talks were organized into 2 physical tracks, and the topics fell into one of 4 broad areas:  Foundations, Construction, Wrecking Ball, and Ground Truth.  Foundations covered the more introductory topics; Construction built on that with the tools, techniques, and knowledge to build your program; Wrecking Ball was the red teaming and awesome tools; and Ground Truth was innovative computer science and math.

In addition, there were all-afternoon workshops, 2 each day, a lockpick village all day each day, and the Capture the Flag game both days.


Friday, April 3, 2015

SFISSA's 2015 Anniversary Party/Hack the Flag event

The South Florida Chapter of ISSA is celebrating their 15th Anniversary this year.

One event they put on every year is the Hack the Flag/Chili Cookoff.  At this event, they usually have 2 "hack the flag" games, one for beginners and another advanced.  The advanced game has been run by our local friends at Kommand && KonTroll CTF (part of HackMiami).