Honing the Blade for the Next Generation

01-Mar-2014

I volunteered for the Rocky Mountain Collegiate Cyber Defense Competition yesterday. The RMCCDC is a regional competition for college students that focuses specifically on the operational side of managing and protecting an existing “commercial” network infrastructure. The winners of this event, along with its 9 sister events around the country, go to the National CCDC held in San Antonio, TX. This year will be the 9th annual competition at the National level.

Schools in each region form teams of 8 to 12 students, and it seems the students don’t quite know what to expect. They are told they will be defending a network and given some guidelines. They probably don’t really understand that during the competition they will be solving problems in the midst of a stressful, real-world simulation. They will be dealing with attackers, malware, user support issues, and priority requests for “status updates” and “security questions” from the CEO. The teams are not given much information: they receive some rules of conduct and are instructed that they are entrusted to defend the network and keep services up and available, and that they will receive support calls and email from the CEO as if they were employees of a company protecting it during an incident.

It’s actually a lot of fun. The Red Team is not bound by the same degree of restrictions that the Blue Teams are (again, realistic simulation). Social Engineering was off the playlist this time, mostly because the layout and space made it difficult to conduct safely. Some of the questions from the CEO are very much “WTF” types of queries. For example, “I would like to know how we can leverage Social Media to improve business. Please provide an executive report.” Of course, that sort of non sequitur request isn’t at all realistic…

The competitors are scored on system uptime, service availability, and their response to customer requests and CEO queries; every support call and query has a specific time limit, and any not addressed by the deadline earns no points. It’s not always obvious to the team that ignoring or blowing off the CEO temporarily might be a legitimate tactic, if they can earn more points with the time they would spend answering Social Media questions by instead hardening that web server that was DoS’d again!

Vendors, employers, and even the professionals who volunteer to staff the event pay attention to the competitors, making these events an excellent opportunity for students to network within the industry ahead of a career come graduation time. If you are a college student pursuing a CS or Technology degree, or simply interested in network security, I suggest you look into the NCCDC website. If there isn’t a team at your school, form one! If you are like me, a professional who wants to help teach the next generation and network with colleagues, it’s a great opportunity to do so.

New Pastures

04-Oct-2012 • 1 Comment

I have made noises for a couple of weeks now about my impending change of employment, and I’ve dodged the obvious questions so far mostly to keep the buzz at my current job to a dull roar. But it is true: I have accepted an offer and am going back to security consulting. I will once again join the ranks of QSAs, performing risk assessments, network testing, and traveling where all the other Road Warriors have gone before…although not nearly as much as some do.

Monday is my first day with AppSec Consulting, and I am pretty excited. It’s a small group of talented people and, from all appearances, a great organization; I’m glad to be joining their ranks. I’m still in the biz, but I’ve left Govt work behind (for the second time!) and I doubt I’ll return; well, perhaps as a private sector consultant…

What is your employer’s BYOD position?

16-Jul-2012 • 2 Comments

I’m formulating a paper on this subject and I would like to hear your experiences. Let me know how Bring Your Own Device works – or doesn’t – at your place of employment.

I’m back!

12-Jul-2012

After a hiatus of – what, 1.5 years? – I’m back with a few more musings. I have things to say, and darn it, someone should listen! 😉

Well, maybe, maybe not. But I have things to say, and hopefully they will be insightful, or at least amusing, for you.

BSidesSF and RSAConf – day 1 wrap up

15-Feb-2011 • 4 Comments

The weather is stereotypical San Francisco: rainy, cloudy, and wet. The RSA conference crowds are not unbearable (yet), and the vendors sling buzzwords, FUD, and promises of unicorns. The sessions have ranged from great to meh (InfoSec Leadership – Program Development)…at which point I went next door to BSides SF.

What can I say about BSides except that this is where the real learning and sharing is going on. I’ve heard about BSides for some time now and decided to give it a swing…I mean hey, the price is right. The presentations are top notch and include audience participation. I’m sitting next to people that I knew only as twitter handles, blog authors, and podcast voices. And they are all incredibly cool and passionate. I listened to BSides founders Jack Daniels, Mike Dahn, and Amber talk about how to create your own event. I’ve sat at the feet of thought leaders…And then we had drinks, awesome roach coach tacos, and rhymes from Dual Core.

What can I say. RSA day 1 was big, commercial, lots of free food and drinks, schwag, etc. If I get lucky, I could win 2 s.m.a.r.t. cars, a Harley night-rod, and a Vespa. If I don’t win that stuff…well, I’ve already been to day one of BSides! WIN

If you go to an industry event that has a BSides next door…make an effort to go to the non-con. It is worth every moment. The dog-and-pony show at the convention will still be there later, don’t worry.

BSidesSanFrancisco and RSA Conf. 2011 – Day 1

14-Feb-2011

Holy criminy, my feet hurt. Day #1 down, and let me tell you it was worth every moment.

BSides was indescribable. It was very much as described, the “anti-conference”. RSAC was good too. Got some tchotchkes, met a few reps I need to build relationships with, got some free bread and spirits. All in all, a really good first day.

More tomorrow, with details…I hope.

Facebook Privacy: 10 Settings Every User Needs to Know

07-Feb-2011

I often harp…mostly at my kids, family, and friends…about privacy, third-party apps, and the general nasty crap that can target your information and share it in ways you never imagined with people you’d never agree to.

This article provides a rock solid foundation for taking control of your privacy on Facebook. I said foundation on purpose…this is a good start, but to keep up with the changes you’ll have to read the terms of service change announcements and regularly review these settings. This isn’t a do-it-once, fire-and-forget scenario.

So, I wish you luck, and I hope you take this advice to heart. Happy posting!