Today’s interview is with Erin “SecBarbie” Jacobs. Arguably the “social butterfly” of the D-List, Erin can easily debate compliance issues, plan the night’s party schedule, and argue gender issues in the field with a perfect stranger, all while ensuring everyone is involved and having a good time. I hear she can also leap tall buildings in a single bound, but she can’t outrun trains like she used to.
Q: Tell us a little about yourself.
I often play a little Jekyll and Hyde on the internet. By day I am a CSO in financial services and have played this role for over 9 years in two different organizations, and by internet I am a security evangelist, Apple fangirl, and social butterfly. If you follow my tweets then you would also know that I have 2 dogs and 1 parrot, and I would have more, but with my hectic travel, they are enough!
Q: How did you get interested in information security?
Geek from birth, been programming since I was 7, and running social bulletin boards since I was 13. When I was in high school, a group of us used to make a game of defacing each other’s BBS’s ANSI pages. Fast forward through college, corporate software development, consulting, and IT management and I ended up back in information security through a friend of mine. I was always just excited that there is actually a career track for doing what I used to do for fun.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I have a Bachelor’s in Business Management with a minor in computer science, I have an alphabet soup of certs, and have relied heavily on self-learning. I feel the only thing that truly adds value is hands-on experience. Too many people have advanced degrees, multiple certifications, etc., but can’t DO information security. They just don’t have the grasp of the actual functionality of security initiatives. The best lessons are often learned in failure, and academia cannot teach those. I find value in education, but taught by those who have actually attended a classroom called life.
Unfortunately, unless you have the schooling and certifications, you won’t make it past HR in most organizations!
Q: What did you want to be when you grew up? Would you rather be doing that?
I want to be a princess…. I think I am, but I really wish I had that snazzy castle with the moat around it, and a fire-breathing dragon would be nice too!
Yes, I would rather be doing that, but who wouldn’t. In the meantime, I have plenty of jesters on Twitter to keep me amused!
Q: What projects (if any) are you working on right now?
More Gender Panel talks, Compliance on Paper talks, some cute hacking project that involves gym equipment…. and a few other this and thats.
Q: Do you see the gender issue as being a barrier in the information security space? Why or why not?
Gender is a problem in the information security space; there are statistics showing that there are very few women-owned tech and high-tech firms, and corporations such as Apple (Executive Management) don’t have a single woman in their management team. I don’t believe that this is because the men are scaring all the women away. I’m sure there is still some gender friction at times, but this is a bigger issue! As a whole, we are losing young women from entering the information security field. The gender panels are held to start to answer the question of what we can do. The panels are never about ‘men bashing’; they are about the cultivation of women in the information security space.
Q: You deal with compliance on a daily basis. Do you think we’re any closer to seeing “compliance” as something more than a check box or a risk avoidance technique?
Oh-boy! I have to reference Avatar in this. Compliance is the human race, and nature is security. The humans have no connection to nature, and neither does compliance to security.
Just because we can check things off a list doesn’t bring us any closer to being less insecure. Perhaps if they no longer allow the loophole of “In Scope” and “Out of Scope” the two concepts might make headway. I could go into a tirade on this, but to sum it up:
We need to wipe the slate clean and start measuring actual risks to organizations based upon their line of business against known threats and making realistic compliance metrics based upon solid framework.
Q: What is your favorite security conference (and why)?
Black Hat/Def Con – Sometimes this can be a stressful week, but it’s like a family reunion each year! The networking is great, talks are generally a lot of fun, very energetic, and I have always left with a great deal of new knowledge and fewer brain cells.
Q: What do you like to do when you’re not “doing security”?
I feel like I’m always ‘doing’ security, but when I am unplugged, I’m an avid motorcyclist, musician, amateur photographer, and social butterfly!
Q: What area of information security would you say is your strongest?
Social Media Information Leakage, Compliance, Management, and Regulatory Audit.
Q: What about your weakest?
Cryptography. It is on my list of side projects to learn how to decrypt more effectively, but I always bow to those who I know are fantastic at the art of crypto!
Q: What advice can you give to people who want to get into the information security field?
NETWORK-NETWORK-NETWORK! The people you know are just as important as what you know! If you have a strong base of people with different expertise, you will have a vast resource of knowledge for when you need expert opinions! Also, never burn bridges in InfoSec, it’s entirely too small of a community!
Q: How can people get a hold of you (e.g. blog, twitter, etc.)
BLOG: www.secsocial.com
TWITTER: @SecBarbie
The final interview of this week is with Rob “Mubix” Fuller. I first met Rob at RSA 2009 and we hung out the whole conference. Interviewing Rob was difficult as he doesn’t (and isn’t allowed to) talk much about his day job but I did manage to get some information out of him.
Q: Tell us a little about yourself.
I’m a United States Marine assigned to 1st Civ Div. I have an amazing family, I’m an extremely proud father, and I love what I do for a living, not much more to tell.
Q: How did you get interested in information security?
You can find the long drawn out story of that on Episode 9 of the grmn00bs podcast, but it boils down to `init 6`, game genie hex editing, being an open relay for Korean spammers, and Hak5. http://www.grmn00bs.com/2009/12/16/podcast-episode-9-when-they-were-n00bs-with-rob-fullermubix.
Q: We see a lot of ex-military getting into private information security roles these days. In your opinion does a military lifestyle foster the learning required for a long term career in information security?
That’s a really tough question to answer. I think that it really depends on which country’s military you are talking about and which section/service/faction of that military the member is from. Everyone has different experience in the military. However, my personal experience in the United States Marine Corps definitely altered my battle mindset, and increased my strategic awareness.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I don’t really have any certifications that I would like to mention, I think they are useless unless you are job hunting and I absolutely love my job. I would however like to scream great praises to muts and chris over at Offensive Security. The Pentesting with Backtrack (used to be OffSec 101) course was amazing. It sparked a fire in me that revitalized my thirst to learn that has been going strong for now almost two years after I took the course. When it comes to self-learning, I’m not really sure how to classify or answer that other than… yes.
Q: What did you want to be when you grew up? Would you rather be doing that?
A father. I was an odd kid, by the time I was a teenager I knew that I wanted a family, and that really was the only vision I had for my life. One might say that is thinking small or short sighted, but I pose to anyone who thinks that to ask any parent on the planet what their greatest accomplishment in their life is.
As far as job/career, I always knew I would be doing something with computers. I didn’t care what then because I knew that it would be constantly moving and growing. That is what really draws me to computers and more specifically security these days.
Q: What projects (if any) are you working on right now?
I’ve got one big project that I’ve been working on for a couple months now. I’m currently debating on how to release the details, but I have a ways to go before I have to decide anything. Some of the projects that I’ve done in the past include starting up a project called FireTalks, which is happening again at ShmooCon this year, along with the annual Podcasters Meetup. Grecs from NoVAInfoSecPortal.com will be running the FireTalks this year (http://www.novainfosecportal.com/2010/01/06/shmoocon-2010-firetalks/) and Tim Krabec from http://smbminute.com/ will be championing the Podcasters Meetup this year (http://www.podcastersmeetup.com/).
Q: What is your favorite security conference (and why)?
ShmooCon. I could name a number of reasons, but I think the brass tacks truth is that it was my first one. But to put it all in perspective, I’ve only really been to RSA, DefCon, Phreaknic, and ShmooCon.
Q: What do you like to do when you’re not “doing security”?
At the fault of @cktricky I’m currently addicted to Call of Duty: Modern Warfare 2 (Steam). But spending time with my family is always at the top of my list. Other than that I don’t really have any others.
Q: What area of information security would you say is your strongest?
I’d love to say Penetration Testing, Information Gathering, Reverse Engineering, or Exploit Development. However, a talent that I’ve always had outweighs all of those. Extraction. I can read or listen to something and extract what is important. To try and clarify, I’ve always been ‘the guy’ that knew what was going on, where things were, or how to do something. For example, if you need a piece of software to do $function, I knew the best one to use, and the best way to get it.
However, this ‘feature’ is also a bug; it makes it extremely hard for me to read technical books since my mind will throw out what it doesn’t think is important (i.e. something that “will be explained in chapter X”). In other words, I have to understand every word or I can’t go past it. I only recently found that reading backwards (sort of, chapter count backwards: 12, 11, … 1) works for me.
Q: What about your weakest?
Hands down it’s Cryptography and Exploit Development. Higher math kills me. Chris Eng has been a huge help there, with his presentation on Cryptography for Penetration Testers (http://video.google.com/videoplay?docid=-5187022592682372937#). But I am still extremely far off from comprehending anything but the basics. Exploit Development is my current field of study, but each day of study I realize how very little I know.
Q: What advice can you give to people who want to get into the information security field?
First and foremost, check out Dave Shackleford’s post titled “One for the n00bs” over at http://daveshackleford.com/?p=277. He’s pretty much said everything I would say. But I would like to drive home the point that since security is still so new, you have an uphill battle to get people to adopt “security”. Just last year, my time deploying VMware data centers came in extremely useful when a client wanted to dispute some findings in a Vulnerability Assessment. However cliché it is to say, security _professionals_ are required to be jacks of all trades. Basically, at a minimum, par experts in every piece of gear in their purview. So getting back to the point, get the experience, and security will just kinda.. happen.
Q: Our industry has a lot of people who tend to “grandstand” for the press and peers. Can you offer any advice on how to avoid falling into this mindset?
Nope, I think the people who would fall into that mindset need to learn the hard way, myself included.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)
Twitter at @mubix, my site Room362.com, which I share with a few folks now (always looking for help on a permanent or guest basis), mubix@hak5.org and (503)-406-8249.
As a special part of this interview I’m going to post the following picture. For those of you who know Rob you can ask him about the meaning at Shmoocon this weekend.
Today’s interview is with Dave “Shack-Fu” Shackleford. I’ve known Dave for more than a few years and he is one of THE guys to go to if you ever have a security related question, need a cake baked, or need a Mr. Clean stunt-double.
Q: Tell us a little about yourself.
Married with a 9-yr old, live in Atlanta GA, been in infosec for a long time, networking and sysadmin before that. Before computers, I was a professional chef.
Q: How did you get interested in information security?
I was interested in the subculture of hackers and hacking for a long time before I actually fell into the field. I started doing IT consulting while in college, then worked in telecommunications for a while. I went back to school for a 2nd degree, and one of my professors’ “day jobs” was Infosec Mgr at a Fortune 500 – he recruited me. Once I started there, I never wanted to do anything else.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I have a Bachelor’s in Microbiology/Psychology, another one in Computer Information Systems, and a Master’s in Business Administration. I own over 3000 books, and read constantly, which I think is more important than schooling for our particular discipline. I have a slew of certs, from CISA and CISSP to MCSE and CCNA to GCIH, GCIA, GSEC, etc. All good for mental exercise, and some have been good for “selling” my consulting services or getting paid better.
Q: Do you find your Psychology Degree or your MBA to be more beneficial when communicating security concepts to those who aren’t in the trenches? Does one help more than the other?
It depends on the audience, but the psychology degree helps out in surprising ways! Having a general understanding of what makes people tick, how they’re likely to behave or react, and how to get them on board with your programs is beneficial in any discipline, not just security. In that regard, it may be somewhat more useful overall. However, in the average consulting engagement or internal security project, you’re dealing with business or IT folks, and the MBA helps a lot in the latter case. Presenting security as a business case in its own right tends to be more successful, I find.
Q: What did you want to be when you grew up? Would you rather be doing that?
I wanted to be a doctor – I originally studied genetic engineering. I still have a deep fascination with genetics and biology, but I found my passion in IT, particularly security.
Q: What projects (if any) are you working on right now?
Writing a whitepaper series on virtualization security and incident response. Putting together a few conference speaking abstracts. Working on a few SANS projects, of course.
Q: You’re always busy working on something. How do you find a way to balance your time and family life?
I’m pretty lucky – my career is also one of my major passions in life, so I don’t feel like I’m working half the time, truth be told. I’m a great example of someone who gets into trouble when I’m bored, so keeping me occupied is a good thing. However, I have a few ways to balance things. First, I do something outside or away from the computer every day. Usually, it’s something fitness-oriented, but not always. I work from home, so I’m deeply involved in my daughter’s life, from taking her to school every morning to going to see her gymnastics practices in the evening, but weekdays are tough just like most working families’ lives are. The weekends rock though – we always have some great family activities, from going to museums or movies to hiking and camping. We also do a lot of world travel together, with at least one or two trips outside the country every year. Finally, and this is good advice for anyone that’s married – find some time for you and your spouse. Turn off the blinking thing with the email and the Internet, and go let loose for a bit. My wife and I take several weekend trips every year while my daughter stays with the grandparents, and it’s good for all of us. Vegas is a good choice. 🙂
Q: What is your favorite security conference (and why)?
A tie between Shmoo and Defcon. Defcon wins, though – I like Vegas more than DC, and warm weather more than cold. Lots of people I know are at Defcon, so I can catch up with friends and relax a little bit. I hate “stuffy” conferences.
Q: What do you like to do when you’re not “doing security”?
I do “adventure races” – kayaking, mountain biking, running, etc. I’m a total fitness nut. I’m also a musician, been playing piano for 30 years and learning guitar.
Q: What area of information security would you say is your strongest?
Incident Response and Intrusion Detection. Next would be risk management and compliance…I know, it’s pretty diverse. 🙂
Q: What about your weakest?
Reverse engineering. Never had a reason to do it for a job or otherwise.
Q: What advice can you give to people who want to get into the information security field?
Don’t get in because it seems “cool” – you need to love it intrinsically, and lots of it is boring and repetitive. Also, spend some time in other areas first. Learn programming, networking, etc.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)
Blog is www.daveshackleford.com, Twitter ID is daveshackleford. LinkedIn works well too.