Feb 3

The final interview of this week is with Rob “Mubix” Fuller. I first met Rob at RSA 2009 and we hung out the whole conference. Interviewing Rob was difficult as he doesn’t (and isn’t allowed to) talk much about his day job but I did manage to get some information out of him.

Q: Tell us a little about yourself.

I’m a United States Marine assigned to 1st Civ Div. I have an amazing family, I’m an extremely proud father and I love what I do for a living, not much more to tell.

Q: How did you get interested in information security?

You can find the long drawn out story of that on Episode 9 of the grmn00bs podcast, but it boils down to `init 6`, game genie hex editing, being an open relay for Korean spammers, and Hak5. http://www.grmn00bs.com/2009/12/16/podcast-episode-9-when-they-were-n00bs-with-rob-fullermubix.

Q: We see a lot of ex-military getting into private information security roles these days. In your opinion does a military lifestyle foster the learning required for a long term career in information security?

That’s a really tough question to answer. I think that it really depends on which country’s military you are talking about and which section/service/faction of that military the member is from. Everyone has different experience in the military. However, my personal experience in the United States Marine Corps definitely altered my battle mindset, and increased my strategic awareness.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I don’t really have any certifications that I would like to mention, I think they are useless unless you are job hunting and I absolutely love my job. I would however like to scream great praises to muts and chris over at Offensive Security. The Pentesting with Backtrack (used to be OffSec 101) course was amazing. It sparked a fire in me that revitalized my thirst to learn that has been going strong for now almost two years after I took the course. When it comes to self-learning, I’m not really sure how to classify or answer that other than… yes.

Q: What did you want to be when you grew up? Would you rather be doing that?

A father. I was an odd kid, by the time I was a teenager I knew that I wanted a family, and that really was the only vision I had for my life. One might say that is thinking small or short sighted, but I pose to anyone who thinks that to ask any parent on the planet what their greatest accomplishment in their life is.

As far as job/career, I always knew I would be doing something with computers. I didn’t care what then because I knew that it would be constantly moving and growing. That is what really draws me to computers and more specifically security these days.

Q: What projects (if any) are you working on right now?

I’ve got one big project that I’ve been working on for a couple months now. I’m currently debating on how to release the details, but I have a ways to go before I have to decide anything. Some of the projects that I’ve done in the past include starting up a project called FireTalks, which is happening again at ShmooCon this year, along with the annual Podcasters Meetup. Grecs from NoVAInfoSecPortal.com will be running the FireTalks this year (http://www.novainfosecportal.com/2010/01/06/shmoocon-2010-firetalks/) and Tim Krabec from http://smbminute.com/ will be championing the Podcasters Meetup this year (http://www.podcastersmeetup.com/).

Q: What is your favorite security conference (and why)?

ShmooCon. I could name a number of reasons, but I think the brass tacks truth is that it was my first one. But to put it all in perspective, I’ve only really been to RSA, DefCon, Phreaknic, and ShmooCon.

Q: What do you like to do when you’re not “doing security”?

At the fault of @cktricky I’m currently addicted to Call of Duty: Modern Warfare 2 (Steam). But spending time with my family is always on the top of my list. Other than that I don’t really have any others.

Q: What area of information security would you say is your strongest?

I’d love to say Penetration Testing, Information Gathering, Reverse Engineering, or Exploit Development. However, a talent that I’ve always had outweighs all of those. Extraction. I can read or listen to something and extract what is important. To try and clarify, I’ve always been ‘the guy’ that knew what was going on, where things were, or how to do something. For example if you need a piece of software to do $function, I knew the best one to use, and the best way to get it.

However, this ‘feature’ is also a bug, it makes it extremely hard for me to read technical books since my mind will throw out what it doesn’t think is important (i.e. something that “will be explained in chapter X”). In other words, I have to understand every word or I can’t go past it. I only recently found that reading backwards (sort of, chapter count backwards, 12, 11, … 1) works for me.

Q: What about your weakest?

Hands down it’s Cryptography and Exploit Development. Higher math kills me, Chris Eng has been a huge help there, with his presentation on Cryptography for Penetration Testers (http://video.google.com/videoplay?docid=-5187022592682372937#). But I am still extremely far off from just comprehending anything but the basics. Exploit Development is my current field of study, but each day of study I realize how very little I know.

Q: What advice can you give to people who want to get into the information security field?

First and foremost, check out Dave Shackleford’s post titled: One for the n00bs over at http://daveshackleford.com/?p=277. He’s pretty much said everything I would say. But I would like to drive home the point that since security is still so new, you have an uphill battle to get people to adopt “security”. Just last year, my time deploying VMware data centers came in extremely useful when a client wanted to dispute some findings in a Vulnerability Assessment. However cliché it is to say, security _professionals_ are required to be jacks of all trades. Basically at a minimum, par experts in every piece of gear in their purview. So getting back to the point, get the experience, and security will just kinda.. happen.

Q: Our industry has a lot of people who tend to “grandstand” for the press and peers. Can you offer any advice on how to avoid falling into this mindset?

Nope, I think the people who would fall into that mindset need to learn the hard way, myself included.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter at @mubix, my site Room362.com of which I share with a few folks now (always looking for help on a permanent or guest basis), mubix@hak5.org and (503)-406-8249

As a special part of this interview I’m going to post the following picture. For those of you who know Rob you can ask him about the meaning at Shmoocon this weekend.

[Picture: 2waters]

Feb 1

Today’s interview is with Dave “Shack-Fu” Shackleford. I’ve known Dave for more than a few years and he is one of THE guys to go to if you ever have a security related question, need a cake baked, or need a Mr. Clean stunt-double.

Q: Tell us a little about yourself.

Married with a 9-yr old, live in Atlanta GA, been in infosec for a long time, networking and sysadmin before that. Before computers, I was a professional chef.

Q: How did you get interested in information security?

I was interested in the subculture of hackers and hacking for a long time before I actually fell into the field. I started doing IT consulting while in college, then worked in telecommunications for a while. I went back to school for a 2nd degree, and one of my professors’ “day jobs” was Infosec Mgr at a Fortune 500 – he recruited me. Once I started there, I never wanted to do anything else.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have a Bachelors in Microbiology/Psychology, another one in Computer Information Systems, and a Masters in Business Administration. I own over 3000 books, and read constantly, which I think is more important than schooling for our particular discipline. I have a slew of certs, from CISA and CISSP to MCSE and CCNA to GCIH, GCIA, GSEC, etc. All good for mental exercise, and some have been good for “selling” my consulting services or getting paid better.

Q: Do you find your Psychology Degree or your MBA to be more beneficial when communicating security concepts to those who aren’t in the trenches? Does one help more than the other?

It depends on the audience, but the psychology degree helps out in surprising ways! Having a general understanding of what makes people tick, how they’re likely to behave or react, and how to get them on board with your programs is beneficial in any discipline, not just security. In that regard, it may be somewhat more useful overall. However, in the average consulting engagement or internal security project, you’re dealing with business or IT folks, and the MBA helps a lot in the latter case. Presenting security as a business case in its own right tends to be more successful, I find.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a doctor – I originally studied genetic engineering. I still have a deep fascination with genetics and biology, but I found my passion in IT, particularly security.

Q: What projects (if any) are you working on right now?

Writing a whitepaper series on virtualization security and incident response. Putting together a few conference speaking abstracts. Working on a few SANS projects, of course.

Q: You’re always busy working on something. How do you find a way to balance your time and family life?

I’m pretty lucky – my career is also one of my major passions in life, so I don’t feel like I’m working half the time, truth be told. I’m a great example of someone who gets into trouble when I’m bored, so keeping me occupied is a good thing. However, I have a few ways to balance things. First, I do something outside or away from the computer every day. Usually, it’s something fitness-oriented, but not always. I work from home, so I’m deeply involved in my daughter’s life, from taking her to school every morning to going to see her gymnastics practices in the evening, but weekdays are tough just like most working families’ lives are. The weekends rock though – we always have some great family activities, from going to museums or movies to hiking and camping. We also do a lot of world travel together, with at least one or two trips outside the country every year. Finally, and this is good advice for anyone that’s married – find some time for you and your spouse. Turn off the blinking thing with the email and the Internet, and go let loose for a bit. My wife and I take several weekend trips every year while my daughter stays with the grandparents, and it’s good for all of us. Vegas is a good choice. :)

Q: What is your favorite security conference (and why)?

A tie between Shmoo and Defcon. Defcon wins, though – I like Vegas more than DC, and warm weather more than cold. Lots of people I know are at Defcon, so I can catch up with friends and relax a little bit. I hate “stuffy” conferences.

Q: What do you like to do when you’re not “doing security”?

I do “adventure races” – kayaking, mountain biking, running, etc. I’m a total fitness nut. I’m also a musician, been playing piano for 30 years and learning guitar.

Q: What area of information security would you say is your strongest?

Incident Response and Intrusion Detection. Next would be risk management and compliance…I know, it’s pretty diverse. :)

Q: What about your weakest?

Reverse engineering. Never had a reason to do it for a job or otherwise.

Q: What advice can you give to people who want to get into the information security field?

Don’t get in because it seems “cool” – you need to love it intrinsically, and lots of it is boring and repetitive. Also, spend some time in other areas first. Learn programming, networking, etc.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Blog is www.daveshackleford.com, Twitter ID is daveshackleford. LinkedIn works well too.

Jan 30

Please vote for my BSidesSanFrancisco talk entitled “My Life on the Infosec D-List” by tweeting (I think that’s a verb now) the following:

I vote for “My Life on the Infosec D-List” by @andrewsmhay #BSidesSF http://bit.ly/BSidesSFtalks

Abstract: People new to information security often find themselves wondering how to make a name for themselves in the industry. Andrew Hay has lived most of his career on the D-list but has worked hard to increase his status in the hopes of someday landing that coveted A-list position. Through this talk we’ll discuss how to expand your circle of influence, how to build your personal brand, and how to move up from the dreaded Infosec D-List.

I PROMISE it will be entertaining ;)

Jan 28

Today’s interview is with the Defender of the Commonwealth, ham radio twit, and surly security guy – Ben Jackson.

Q: Tell us a little about yourself.

I’ve always referred to myself as “just another geek from Boston” as we seem to have our fair share up here. I’ve lived in Massachusetts for all my life, the first 25 or so years in Lynn, about 20 miles north of Boston, and now in New Bedford, about an hour and a half south. My family bought our first computer in 1991 when I was 11 and I have been addicted since. My family went online in late 1994 on this then brand-spanking new thing called the “Internet”, and it’s been a downward spiral ever since.

Currently I work for the Commonwealth of Massachusetts as a Senior Information Security Engineer. Laugh all you want about Government jobs, I’m lucky to work with a talented group of people and it still gives me the warm fuzzies to work in the public sector.

Q: How did you get interested in information security?

I think I can trace my beginnings with security when I was in college. First, my college had a fairly… permissive firewall ruleset on the Academic network and if you were running a Linux server on the network you got a lot of attention from folks all over the world. If you didn’t quickly learn how to secure your computer, you would soon have a lot of extra accounts. Second, at my co-op job, I was tasked with evaluating, installing, and maintaining the new centralized AV server. This caused me to start looking at BUGTRAQ and Full-Disclosure. Finally, my senior year the computer science college at my University started running a twice-yearly CTF competition and I dominated both contests. This kind of made me realize that I might have a knack for this.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have a BS in Computer Engineering Technology from Northeastern University (Go Huskies!) and I hold GCIH and GIAC Silver certifications from SANS. A Professor at college said that in the computer field, all a College degree means is that you are willing to work at something for 5 years. I really didn’t learn much from classes in college regarding InfoSec but it did provide a lot of opportunities via my co-op assignments and extra-curricular activities. The SANS certifications were good and I recommend them. They were an excellent mix of hands-on and textbook. Getting the certifications was a two-birds-with-one-stone kind of deal for me, as not only did they show to others that I knew what I was talking about, they also proved to me that “Hey! I do know that stuff fairly well!”

Q: Do you find it difficult to “sell” information security in the public sector? What are some of the biggest barriers you encounter?

Thankfully, No. I was lucky. I came on board with my group when the new Administration came in and they took information security seriously. I am pleasantly surprised as to how many of the groups are “drinking the Kool Aid”, working with us, and baking security into their processes.

Q: What did you want to be when you grew up? Would you rather be doing that?

Easy question: I always wanted to be a firefighter. While I think that my current job has similarities, there is a slight difference between racing into a burning building and fighting a virus outbreak. I guess this is why they have a sweeter ride.

Would I rather be doing that? I guess I can call it my fall back career for another year as I think the application cut off is at 30 years old, but I don’t think they’d want someone who doesn’t enjoy heights.

Q: What projects (if any) are you working on right now?

My free time for projects took a dip 8 months ago when my wife forked our child process. I still try to find free time to muck about with fun toys. I maintain an Amateur Radio version of the Security Twits list called “Ham Twits”. I’m also in the process of trying to take some projects that have been on the back burner for far too long and breathe some life into them, such as a simple Windows-based forensics tool.

Q: What is your favorite security conference (and why)?

DEFCON. I made it out to Las Vegas a couple times for DC12 and DC13 and I always miss going when it rolls around. I feel it is a really good mix of infosec, a social weekend, and booze.

Q: What do you like to do when you’re not “doing security”?

I am a new daddy so I’ve been slowly figuring out that role over the past year and loving every moment of it. I also am fairly active in amateur radio and enjoy a good book. Another strange hobby of mine is messing around on the telephone and calling numbers just to see what happens.

Q: What area of information security would you say is your strongest?

I’m pretty good at web application penetration testing and interpreting network traffic.

Q: What about your weakest?

Everything else? One thing I really wish I was better in is finding vulnerabilities and exploits in applications that aren’t web based. SQL injection and XSS are cool, but there always seems to be some kind of heavy magic at work with shellcode and buffer overflows.

Q: What advice can you give to people who want to get into the information security field?

Learn how to write and how to explain yourself. 90% of your job in information security is to convince people you’re right. If you can pull this off, you’re going to save yourself hours of headaches.

Q: Are you at all worried about what the state of security will be when your son starts getting “online”?

Yes and No. I worry more about trying to walk the fine line of letting him get online and not having him shoot himself in the foot (or worse, shoot me in the foot) in the process. How do you teach a youngin’ about not clicking suspicious links, disabling Flash, or mitigating the latest 0 day? Should I start working “adjusting AdBlock and NoScript settings” between ABCs and sandbox time?

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

I have a blog at http://www.innismir.net and am active on Twitter as @innismir. There you can find me pontificating about InfoSec, Amateur Radio, and whatever else floats through my head. Also, just to be different from everyone else who may answer this, you can also find me on the 146.775MHz West Bridgewater, MA repeater every morning when I commute.

Jan 25

The results of a study show that the average cost of a data breach (based on 2009 data) is USD $204 per exposed record. I often find it hard to put a value on the data I’m protecting, so this is a good starting point to measure against.

Report: http://www.encryptionreports.com/2009cdb.html

Excellent writeup: http://www.scmagazineus.com/data-breaches-cost-organizations-204-per-record-in-2009/article/162259/

Highlights:

  • Number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009.
  • Data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.
  • 42 percent of all data breaches last year resulted from third-party mistakes.
  • 36 percent of breaches involved lost or stolen laptops or other mobile devices.
  • Lost business makes up the largest portion of breach costs, totaling $135 per record lost on average, a slight decrease from $139 in 2008.
  • Ex-post response activities, which include providing credit monitoring services and other assistance to breach victims, cost $46 per record last year, up from $39 in 2008.
  • Most expensive data breach included in this year’s study cost one organization nearly $31 million to resolve, and the least expensive breach cost $750,000.
  • Activities that enable organizations to detect the breach totaled $8 per record on average last year, and costs to notify breach victims totaled $15 per record.
  • Those who notified breach victims within one month paid $219 per record exposed, on average, versus $196 paid by those who waited longer.
  • Having a CISO, or equivalent position, could decrease data breach costs by 50 percent.
  • Companies with a CISO paid $157 per compromised record, on average, compared to those which did not have a CISO ($236 per compromised record).
