
Infosec Star

Being a rock star isn’t easy. Just ask Nickelback; they’ve faced harsh criticism for many years… and for what?

But that’s a walk in the park compared to being an Infosec Star.



The Grand Canyon, Grand Roadtrip

There are two things I’ve been wanting to do for a while. One is to visit the Grand Canyon, and the second is to start a podcast.

Adrian and I have actually spoken about doing a podcast of sorts for a long time. We’ve even recorded 4 episodes, but each was considered inadequate for public consumption.

So, I ended up combining the two. We had a 4 hour drive ahead of us to visit the Grand Canyon, which also served as a good opportunity for us to discuss important security topics, the way we would on a podcast.

We either nailed it by creating the best of both worlds, or we failed at making a decent podcast and road trip video.

Regardless of how we did, I’m glad we took the time out to go visit the Grand Canyon. Pictures and videos do not do it justice – the sheer scale and natural beauty is awesome. Plus, it is a very welcome relief to leave the confines of Las Vegas during a conference.




It’s not about the technology

Excluding phones or tablets, I have four video cameras in total. A flip cam, a DSLR, a mirrorless camera and an action camera, the Drift HD Ghost.

Surprisingly, despite the ton of really cool features in my other cameras, particularly the DSLR, I most frequently find myself reaching for my Drift.

It’s a rugged but basic camera with a fish-eye lens, and that’s pretty much it. Aperture, shutter speed, ISO… none of that matters.

For all intents and purposes, one could say it’s a useless camera for making any video of significance. Unless you’re one of those crazy kids who likes to strap a camera to your forehead and then illegally climb cranes to hang from them with no safety harness. In which case it makes a pretty good case study on the reckless arrogance of youth.

In this short video I highlight a few of the memories I’ve been able to capture with this little camera, ranging from cycling, driving, days out with the family, holidays, conferences and a bunch of other activities.

The long-winded point I’m trying to make is that the camera itself means very little when it comes to making a short video or telling a story. That’s all done by making sure you capture the shots to begin with and then stitching a narrative together in the edit.

You could give the best camera in the market to someone, but if they don’t have the mindset of capturing the right shots to edit later, then they’ll give you something that may as well have been shot on a potato.

The same holds true in information security. There is an almost blind race to go and buy the latest and greatest bit of security kit with little or no thought given to how it will be used, or whether it is indeed appropriate for the organisation’s needs.

The ugly underbelly of this is that there are lots of people who are very good at using, or even creating, tools and technologies, yet who mistakenly believe the tool itself will solve all problems.

For example, there are certain tools that will keep you private or anonymous on the internet. Encryption, TOR, Tails, etc. all come up when speaking of maintaining online security. However, these tools are just that – tools. Users themselves need to be educated in how to think and act in a more secure manner: what information is actually good to share, and what should never be shared even with the protection of tools.

Many enterprises experience buyer’s remorse for this very reason. It’s not that enterprises shouldn’t invest in tools. But why invest in a SIEM when all you really need is a log management system?

Before investing in any tool or equipment, it makes sense to evaluate whether the lack of desired results really is down to the lack of tools, or whether the cause lies elsewhere. I know that if I had spent some time attending a video editing course, I would probably have avoided making some software purchases. Or bought fewer cameras.

This checklist of questions to ask yourself before investing in a tool may help:

1. Why
Are you clear on the reason why a particular product is being purchased? Does it align with your business needs? Is it actually a technology problem, or can it be solved by simply changing some internal processes?

2. Stakeholder support
Stakeholders should be engaged early and often. C-level acceptance should be as wide as possible and there should be a mutual acknowledgement of the security value that the product will provide.

3. Deployment plan
Do you have a detailed deployment plan prior to acquiring the product? Better results are often achieved via a phased approach that enables only a subset of features to begin with. Once it’s tested and proven, the scope and capabilities can be extended.

4. Out with the old
If you’re buying something to replace older or ageing technology, you should have a plan to retire the old technology and its associated business processes.

5. Verify product capabilities
Undertake a proof of concept or trial within your own environment to evaluate product capabilities outside of a test lab. Only then will you truly understand whether the product is an appropriate fit.

6. Negotiate
Do negotiate with your provider, not only on cost but also with regard to the training or support provided. Jeremiah Grossman recently wrote a good post on getting good deals from your security vendor.

7. Do your homework
This is a point that cannot be stated enough. Don’t just listen to one point of view to form your opinion. There are many hidden costs and challenges associated with acquiring, deploying and using any security product. Additional staffing requirements or training, among other things, are often overlooked.

Network with peers at conferences or online forums. Read independently written reports, reviews and blogs. Make sure you’re fully aware of what you’re committing to.

There you have it: what started out as a nostalgic look at my 3 year-old Drift HD Ghost has turned into 7 questions to ask yourself before buying a security tool.


How to have an epic RMISC experience

I made a short video on how to make the most of your time if you ever find yourself in Denver, CO for the Rocky Mountain Information Security Conference.

Of course, any conference experience is a lot more fun if you have some friends.

Which reminds me of a simple tip my friend Scott Thomas gave me at Defcon about 3 years ago.

I was walking down the corridor and saw Scott sitting on a bench, so I stopped to say hello and sat down next to him. I asked how things were going and he let out a slight sigh and motioned to the people walking past. He said that a lot of people seemed to be in a competition to quickly say hello to as many people as possible: literally a quick handshake and exchange of pleasantries before going off to repeat the 30 second ritual with someone else.

Those Jerry Maguire words stuck with me, and I’ve found that simply stopping to have a 10-15 minute conversation with one person, or grabbing coffee with 2 or 3 people, can lead to a far better interaction. You get to understand what others work on, their experience, knowledge, etc.

Ultimately, it boils down to what your objective is when attending a conference. For some people, attending talks or workshops is all they require. Myself, I value the networking opportunities and getting to meet and know other people. Others just want to attend the parties and collect swag… I guess there’s something for everyone.



Building a billion dollar security company, with John McAfee

At RMISC I got a chance to catch up with the infamous John McAfee.

Prior to meeting John, I only knew him through what I’d read about or watched of him in the media. I’m not sure I’m much wiser about the man behind the mystery after this brief meeting.

What I can say, though, is that John is an independently wealthy man who is running for President of the U.S. (granted, his chances are slim). Considering this, he had no reason to speak to me and certainly nothing to gain. But he was very generous with his time and completely open to the idea of us having a slightly satirical interview.