Original Musings

The Changing of the Guard for Information Security Executives?

(Full disclosure: This article firmly plays to my personal skill sets and career progression. Wherever possible, I have attempted to correct for my own bias.) There has been a great deal of swirl lately regarding the topic of Chief Information Security Officers and what skills and/or qualifications are needed to position the organization for the best chance of success. On one end of the continuum, the existing pool of executives is brought in with highly-attuned business acumen. Perhaps the person has a Big4 consulting pedigree, [...]



Correcting Cognitive Dissonance in Reactions to Information Security Presentations

I have recently attended a number of information security presentations. I honestly admire a presenter’s willingness to state a position in a public construct, regardless of whether I agree or disagree with the position or contents of the presentation. I will be honest… I have seen good presentations (watch Johnny Long’s Hackers for Charity Update at Derbycon for an example), and I have seen total train wrecks. At the end of each of them, the initial reaction is the same: applause from the audience. What [...]



Hack3rcon II – Charleston, West Virginia – Oct. 21 – 23

I was at the inaugural Hack3rcon last year, and had an absolute blast. The quality of the speakers was fantastic, and this year they are raising the bar again. Dave Kennedy (R3L1k), Martin Bos (purehate), Adrian Crenshaw (Irongeek), Keith Pachulski (Sec0ps), and Boris Sverdlik (JadedSecurity), as well as a number of other established security professionals are scheduled to speak. The price is incredibly reasonable (it is Charleston, West Virginia), and a portion of the proceeds will be going to Hackersforcharity.org. Come see what I am [...]



Why do we continually blame the “user” for a lack of security awareness? – A Polite Rant

Why do we continually blame the “user” for a lack of security awareness? Coming back from one of the most successful information security conferences in quite some time, it was difficult (but not impossible) to find something that needed improvement. I was confused and disappointed in the number of presentations that I attended that made statements to the effect of:
• Users are dumb!
• We need to tell our users to stop clicking!
• There is no patch for user stupidity!
All of [...]



Feedback From Social-Engineer.org Podcast with Kevin Mitnick

This morning, I was listening to the Social-Engineer.org podcast with a special interview with Kevin Mitnick. It has been suggested that I was trolling Kevin, that I had a personal problem with Kevin, or that I hated Kevin and/or was jealous of him. This is simply not accurate. In my blog post, I state that, “Unfortunately, some people feel they are simply far too important to pay it forward, too busy to bother with the little fish that wants to learn, too intelligent to ever [...]



Why Kevin Mitnick Missed a Golden Opportunity to Advance the Profession, and Why I Am Angry About It

Today, I am a little off-center, and some have questioned why I have so much venom in my words on Twitter regarding Kevin Mitnick. Since explaining my actions in 140-character morsels is less than effective, I thought that I would take some time and explain my rationale. For starters, I do not have a personal axe to grind with Kevin Mitnick or anyone else in the information security profession for that matter. Kevin has never directed any words or actions my way in an [...]



What’s in a Name? If you are Labeled a Charlatan, then it is a lot!

Information security perception is highly dependent on practitioner reputation. If a practitioner is foolish enough to plagiarize or damage the industry, sites like attrition.org are there to label the person as a charlatan. Recently, there were some rumors floating around about infamous, alleged charlatan Gregory D. Evans being unable to attend the major conferences (Black Hat, DEF CON and BSides) in Las Vegas, NV. Some have suggested that there were some financial constraints that prevented this. As I have noted in the past, I question [...]



A Wish List for Vulnerability Scanners

Today, I am going to switch gears a little bit regarding my blog entries, and take a look at vulnerability scanners from an end user perspective. As you are no doubt aware, there are several to choose from. Rather than pander to a specific product, I would like to keep it general and list out some of the features that I would love to see integrated into the product that may not get as much attention, but are important nonetheless. I apologize in advance if $product [...]



A Path to Legitimacy?

Lately I have received some curious responses to a tweet I posted to Mr. Gregory D. Evans expressing an interest in helping the accused charlatan in a path to legitimacy. “@GregoryDEvans If you enjoy getting beat on, continue on. If you want a path to legitimacy, DM me. It’ll be bumpy, but this is legit.” Responses have ranged from rage and disappointment to questions on whether my account was compromised. As I will try to explain in this post, the emotions that have been expressed [...]



Where is the motivation to innovate?

As security practitioners, we are used to the notion of keeping our heads barely above water. Information Security is a thankless game, where our greatest success is when we remain at zero. If we succeed (or are succeeding), nobody notices. If we fail, everybody sees it or hears about it. The pressure to perform is intense and the margin of error is minuscule. During our careers, we make conscious decisions to either blend in with the herd, or stand out from the crowd. We may [...]