<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Sociability</title>
	<atom:link href="http://www.secsocial.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.secsocial.com/blog</link>
	<description>I&#039;ll drink to that!</description>
	<lastBuildDate>Thu, 22 Mar 2012 18:03:12 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>It all started with a Pillow Fight….</title>
		<link>http://www.secsocial.com/blog/?p=622</link>
		<comments>http://www.secsocial.com/blog/?p=622#comments</comments>
		<pubDate>Thu, 09 Feb 2012 13:58:32 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[Black Hat / Defcon]]></category>
		<category><![CDATA[SecurityBSides]]></category>
		<category><![CDATA[Women in Security]]></category>
		<category><![CDATA[Community]]></category>
		<category><![CDATA[EFF]]></category>
		<category><![CDATA[History]]></category>
		<category><![CDATA[pillowfight]]></category>
		<category><![CDATA[Security BSides]]></category>
		<category><![CDATA[Vegas]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=622</guid>
		<description><![CDATA[At least the friendships did, and through the conversations on the BSides threads that have been going on for some time now, the direction has changed to history. Even though there has been much controversy around BSides, it is time that it moves forward with the ideas and principles it was set out with. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.secsocial.com/blog/wp-content/uploads/2012/02/banner_1.jpg"><img class="aligncenter size-full wp-image-628" title="banner_1" src="http://www.secsocial.com/blog/wp-content/uploads/2012/02/banner_1.jpg" alt="" width="675" height="82" /></a>At least the friendships did, and through the conversations on the BSides threads that have been going on for some time now, the direction has changed to history. Even though there has been much controversy around BSides, it is time that it moves forward with the ideas and principles it was set out with. One of the ideas behind BSides was to be the opportunity to get talks and presentations to the public that the “big-box” conferences would never accept.</p>
<p>In 2009, for DefCon 17, a group of us girls (Ladies, Women, whatever makes you happy to be called… I prefer girls in this context) were planning a “<a href="http://secpillowfight.com/">Sec-y Pillowfight</a>” to support EFF. What a mess this became, as it brought into question how we view females and especially how females are treated and viewed in the InfoSec field. It was because of the first BSidesLV being planned that the idea of a panel discussion (<a href="http://secpillowfight.com/page5/page5.html">Feathers will fly Panel! &#8211; Professional Image and Gender Issues for Women in Security</a>) about the Pillowfight and the gender issues around it came to be. I already knew a few of the people who were going to be on the panel, like <a href="http://securityuncorked.com/">Jennifer Jabbusch</a> @jjx and <a href="http://www.sourceconference.com/">Stacy Thayer</a> @StacyThayer, but it was because of the collaboration that I became friends with four other incredible women in information security (<a href="http://twitter.com/#!/hypatiadotca">Leigh Honeywell</a>, <a href="http://twitter.com/#!/leighhollowell">Leigh Hollowell</a>, <a href="http://rogueclown.net/">Nicolle Neulist</a>, and <a href="http://tottenkoph.com/">Magen Hughes</a>)! The idea sharing and discussions have lasted far past the first panel, and well into today.</p>
<p>This is what SecurityBSides is to me. SecurityBSides is an opportunity to share ideas, have open dialogue with presenters during presentations, bring about new ideas, and foster lifelong friendships (professional and otherwise).</p>
<p>The idea of BSides will live far beyond the brand because the entire community is what creates the heartbeat of BSides. Yet, I would prefer the brand heal, as it is very special to a lot of us.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=622</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA Conference 2012 &#8211; 4th Annual Security Sociability Happy Hour</title>
		<link>http://www.secsocial.com/blog/?p=603</link>
		<comments>http://www.secsocial.com/blog/?p=603#comments</comments>
		<pubDate>Wed, 08 Feb 2012 17:13:11 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[Sociability]]></category>
		<category><![CDATA[Happy Hour]]></category>
		<category><![CDATA[IOActive]]></category>
		<category><![CDATA[RSAC]]></category>
		<category><![CDATA[RSAC 2012]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=603</guid>
		<description><![CDATA[As RSA Conference 2012 approaches, it’s the time that everyone scours the internet, actually talks to their sales people, and agrees to crazy things (like RSVPing to mailing lists) just to get invitations to the parties of the conference. It can be agreed by most in the security industry that there should be a great amount [...]]]></description>
			<content:encoded><![CDATA[<div>As RSA Conference 2012 approaches, it’s the time that everyone scours the internet, actually talks to their sales people, and agrees to crazy things (like RSVPing to mailing lists) just to get invitations to the parties of the conference. Most in the security industry can agree that there should be a great amount of appreciation for all the vendors who put on amazing events for our community, as well as for the people behind the scenes making these events possible!</div>
<p><img class="wp-image-609 alignright" style="border-style: initial; border-color: initial; border-width: 0px;" title="IOBarbie-300x291" src="http://www.secsocial.com/blog/wp-content/uploads/2012/02/IOBarbie-300x291.jpg" alt="" width="116" height="114" /></p>
<div>With that being said, <a href="http://ioactive.com/">IOActive</a> has been one of the most active sponsors of community events, conferences, and (my favorite) parties in the security industry. It is with that in mind that I am very excited to thank IOActive for joining forces with SecSocial for the 2012 Security Sociability Happy Hour in the IOAsis Suite!</div>
<div style="text-align: center;"><strong>Start the week off with class at the 4<sup>th</sup> Annual Security Sociability Happy Hour in the IOActive &#8220;IOAsis&#8221; Suite at the St. Regis from 4:30pm – 7pm with open bar! </strong></div>
<div style="text-align: center;"><a href="http://www.secsocial.com/blog/wp-content/uploads/2012/02/SecSocialHH.jpg"><img class="aligncenter  wp-image-610" title="SecSocialHH" src="http://www.secsocial.com/blog/wp-content/uploads/2012/02/SecSocialHH.jpg" alt="" width="365" height="505" /></a></div>
<div style="text-align: center;"><a href="http://secsocial.eventbrite.com/">RSVP to the Event page</a> for further directions and information as it becomes available!</div>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=603</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>4th Annual Security Sociability RSA Happy Hour!!!</title>
		<link>http://www.secsocial.com/blog/?p=596</link>
		<comments>http://www.secsocial.com/blog/?p=596#comments</comments>
		<pubDate>Mon, 30 Jan 2012 22:46:29 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[Sociability]]></category>
		<category><![CDATA[Happy Hour]]></category>
		<category><![CDATA[RSAC 2012]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=596</guid>
		<description><![CDATA[It started with about 8 of us in the lobby bar of the W Hotel in 2008 and has grown every year! I&#8217;ve met some of the coolest people, whom I have the privilege of considering friends, at these happy-hour social events, and I look forward to many, many more! So, if you are [...]]]></description>
			<content:encoded><![CDATA[<p>It started with about 8 of us in the lobby bar of the W Hotel in 2008 and has grown every year! I&#8217;ve met some of the coolest people, whom I have the privilege of considering friends, at these happy-hour social events, and I look forward to many, many more! So, if you are in San Francisco for RSA, or just in the area and want to swing by and say &#8220;Hi&#8221;, please feel free to RSVP on our <a href="https://www.facebook.com/events/140238652762472/">Facebook Event&#8217;s page</a> or just come on out!</p>
<p style="text-align: center;"><strong>4th Annual Security Sociability RSA Happy Hour!</strong></p>
<p style="text-align: center;"><a href="http://www.secsocial.com/blog/wp-content/uploads/2012/01/50512_117784461628695_4237719_n.jpg"><img class="aligncenter size-full wp-image-597" title="SecSocial W" src="http://www.secsocial.com/blog/wp-content/uploads/2012/01/50512_117784461628695_4237719_n.jpg" alt="" width="200" height="266" /></a>Monday, February 27th, 2012</p>
<p style="text-align: center;">4:30pm &#8211; 7:00pm</p>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=596</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Compliance and Policy thoughts behind BYOD (Bring Your Own Device)</title>
		<link>http://www.secsocial.com/blog/?p=587</link>
		<comments>http://www.secsocial.com/blog/?p=587#comments</comments>
		<pubDate>Wed, 11 Jan 2012 15:38:50 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[Data Security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Budget]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[IT Department]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=587</guid>
		<description><![CDATA[Recently there has been a great deal of discussion, given the continued budget limitations in organizations, about the concept of bring your own device (BYOD). Using personal devices as an organization’s vessel to deliver virtual workspaces, and leveraging personal investments in technology to save on budgets, isn’t a bad concept. From the perspective of an employee, they [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.secsocial.com/blog/wp-content/uploads/2012/01/byod_survey.jpg"><img class="alignleft size-full wp-image-588" title="byod_survey" src="http://www.secsocial.com/blog/wp-content/uploads/2012/01/byod_survey.jpg" alt="" width="225" height="225" /></a>Recently there has been a great deal of discussion, given the continued budget limitations in organizations, about the concept of bring your own device (BYOD). Using personal devices as an organization’s vessel to deliver virtual workspaces, and leveraging personal investments in technology to save on budgets, isn’t a bad concept. From the perspective of an employee, they can now use whatever hardware they choose, and in some cases whatever operating system as well. The employee can have one device to carry, the personal satisfaction of making their own choice of device, and the ability to administer their own machine. Wait! Is that a good idea? Most organizations restrict the ability to administer local computers for many security reasons, but there is also the IT support aspect. Who is going to support this army of employees with personal hardware/software/etc.? Geek Squad?</p>
<p>In a perfect world, let’s assume that the employees can self-support just fine. Now, what about the policies? The organizations that are developing these BYOD environments also have to sit down and evaluate all the policies and compliance issues that may arise. As David Wilson wrote in his blog post <a href="http://www.flyingpenguin.com/?p=15339">Technology and the Workplace: BYOD</a>:</p>
<blockquote><p>“… a policy in place and do it now. Don’t just throw something together piecemeal as you go along, do it right.”</p></blockquote>
<p>Organizations need to start with policies around the physical device: minimum requirements have to be published for interoperability with corporate systems. Then what about policies around device maintenance and uptime? What are the requirements for the user to ensure their hardware and software are up and available for a workday? A general guideline for system maintenance, and for how much troubleshooting the corporate helpdesk should extend and to what types of devices and operating systems, also needs documentation.</p>
<p>This is just the tip of the iceberg when working through these types of decisions. The security team needs to be involved in application testing to ensure the host is completely isolated from the corporate network and acts only as a pass-through. The type of data that can or should be accessed also needs to be evaluated by the security team. Should a person on their iPad on an airport network be able to access the most critical organizational information? (Not that this is just a BYOD discussion.)</p>
<p>Like all concepts, BYOD isn’t terrible, and as IT and security professionals we should all embrace the fact that it is already occurring in the environments we work for or with right now, as people bring in their personal devices with and without permission. The time to take a look and define the organization’s thresholds for acceptance is now. At least begin the discussion with Legal, IT, Operations, and Finance.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=587</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>2012 – A letter to my InfoSec friends</title>
		<link>http://www.secsocial.com/blog/?p=582</link>
		<comments>http://www.secsocial.com/blog/?p=582#comments</comments>
		<pubDate>Tue, 10 Jan 2012 19:18:58 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[site information / about]]></category>
		<category><![CDATA[Sociability]]></category>
		<category><![CDATA[SecBarbie]]></category>
		<category><![CDATA[Security Conferences]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=582</guid>
		<description><![CDATA[As I blow the dust off of Security Sociability from a 2011 that included three posts, I must apologize to all who check this site from time to time. 2011 was a year that prompted a great deal of change for a number of people who I call friends in the security industry, but for [...]]]></description>
			<content:encoded><![CDATA[<p>As I blow the dust off of Security Sociability from a 2011 that included three posts, I must apologize to all who check this site from time to time. 2011 was a year that prompted a great deal of change for a number of people who I call friends in the security industry, but for myself it was a year of great reflection on the industry, career, and life in general. Without getting sappy on everyone, there was a great deal of fun and education that occurred throughout 2011, and new friendships forged!</p>
<p>So what’s new in 2012? I feel a great deal of change about to occur this year, beginning with the updated <a title="Security Conferences" href="http://www.secsocial.com/blog/?page_id=478">Security Conference list</a> on this site. 2012 dates for conferences have been updated; as always, additions will be made throughout the year as events unfold. Additionally, 2012 is the year of content for Security Sociability; vacation time is over for me! So let’s bring forth the new year!</p>
<p>As we all learn from the past and progress to our future, I implore you all to make a difference and reach out from the echo chamber!</p>
<p>Cheers,<br />
SecBarbie</p>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=582</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to speak Chicago-ese&#8230;</title>
		<link>http://www.secsocial.com/blog/?p=564</link>
		<comments>http://www.secsocial.com/blog/?p=564#comments</comments>
		<pubDate>Thu, 31 Mar 2011 16:07:14 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[Humor]]></category>
		<category><![CDATA[SecurityBSides]]></category>
		<category><![CDATA[BSidesChicago]]></category>
		<category><![CDATA[THOTCon]]></category>
		<category><![CDATA[Whatever]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=564</guid>
		<description><![CDATA[For all the out-of-towners who are going to take a pilgrimage to Chicago for THOTCon and BSidesChicago, I thought I would help you understand our language a bit better. G&#8217;bless dis here town! An a course&#8230;Mike Di&#8217;ka How to speak Chicago-ese&#8230; Grachki (grach&#8217;-key) is Chicago for &#8220;Garage Key&#8221; as in, &#8220;Yo, Theresa, waja do wit [...]]]></description>
			<content:encoded><![CDATA[<p>For all the out-of-towners who are going to take a pilgrimage to Chicago for <a href="http://www.thotcon.org/">THOTCon</a> and <a href="http://www.securitybsides.com/w/page/32207692/BSidesChicago">BSidesChicago</a>, I thought I would help you understand our language a bit better.</p>
<p style="text-align: center;"><img class="aligncenter" title="Chicago" src="http://www.secsocial.com/blog/wp-content/uploads/2011/03/chicago_header3.jpg" alt="" width="438" height="140" /></p>
<p>G&#8217;bless dis here town! An a course&#8230;Mike Di&#8217;ka</p>
<p>How to speak Chicago-ese&#8230;</p>
<ol>
<li>Grachki (grach&#8217;-key) is Chicago for &#8220;Garage Key&#8221; as in, &#8220;Yo, Theresa, waja do wit da grachki? Howmy supposta cut da grass if don&#8217;t git intada grach?&#8221;</li>
<li>Uptadaendada (up-ta-da-en&#8217;-dada) as in, &#8220;Joey, you kin ride yur bike uptadaendada alley but not acrost or I&#8217;ll bust yur butt&#8230;&#8221;</li>
<li>Sammich. Chicagoese for sandwich. When made with sausage, it&#8217;s a sassage sammich; with shredded beef, it&#8217;s an Italian beef sammich, a local delicacy consisting of piles of spicy meat in a perilously soggy bun.</li>
<li>Da. The definite article is a key part of Chicago speech, as in &#8220;da tree bears&#8221; or &#8220;da Mare&#8221; &#8212; the latter denoting, for as long as he wants it to, Richard M. Daley, or Richie, as he&#8217;s often known.</li>
<li>Jewels. Not family heirlooms or a tender body region, but a popular appellation for one of the region&#8217;s dominant grocery chains, to wit, &#8220;I&#8217;m goin&#8217; to da Jewels to pick up some sassage.&#8221; As in most Chicago pluralizations, the &#8220;S&#8221; is pronounced with a hissing sound, rather than the usual &#8220;Z&#8221; sound of American pluralization.</li>
<li>Field&#8217;s (Even though it&#8217;s now Macy&#8217;s we don&#8217;t care): Marshall Field, a prominent Chicago department store. Also Carson Pirie Scott, a major department store chain, is called &#8220;Carson&#8217;s,&#8221; etc.</li>
<li>Tree. The number between two and four. &#8220;We were lucky dat we only got tree inches of snow da udder night&#8221;</li>
<li>Prairie. A vacant lot, especially one on which weeds are growing.</li>
<li>Over by dere. i.e. &#8220;over by there,&#8221; a prolix way of emphasizing a site presumed familiar to the listener. As in, &#8220;I got the sassage at da Jewels down on Kedzie, over by dere.&#8221;</li>
<li>Kaminski Park. Perhaps the high concentration of ethnic Poles makes people want the White Sox to be playing in this mythical ballpark, rather than in their true home, Cellular Field (or The Cell) formerly known as Comiskey Park.</li>
<li>Frunchroom as in, &#8220;Getottada frunchroom wit dose muddy shoes.&#8221; It&#8217;s not the &#8220;parlor.&#8221; It&#8217;s not the &#8220;living room.&#8221; In the land of the bungalow, it&#8217;s the &#8220;frunchroom,&#8221; a name derived, linguists believe, from &#8220;front room.&#8221;</li>
<li>Use. Not the verb but the plural pronoun &#8220;you&#8221;. &#8220;Where&#8217;s use goin&#8217;?&#8221;</li>
<li>Downtown. Anywhere south of the zoo and north of Soldiers Field near the lake.</li>
<li>BoysTown: A section on Halsted Ave., between Belmont and Addison, which is lined with gay bars on the west and east sides of the street. &#8220;Didn&#8217;t I see uze in Boystown in front of da Manhole?&#8221;</li>
<li>Braht: Short for Bratwurst. &#8220;gimme a braht wit kraut&#8221;</li>
<li>Cashbox: Traffic reporter slang for tollbooths. &#8220;Dere&#8217;s a delay at da cashbox on da Skyway&#8221;</li>
<li>Goes: Past or present tense of the verb &#8220;say.&#8221; For example, &#8220;Then he goes, &#8216;I like this place&#8217;!&#8221;</li>
<li>Guys: Used when addressing two or more people, regardless of each individual&#8217;s gender.</li>
<li>Pop: A soft drink. Don&#8217;t say &#8220;soda&#8221; in this town. &#8220;what kinda pop you got?&#8221;</li>
<li>Sliders: Nickname for hamburgers from White Castle, a popular Midwestern burger chain &#8220;Dose sliders I had last night gave me da runs&#8221;</li>
<li>The Taste: The annual Taste of Chicago Festival, a huge extravaganza in Grant Park featuring samples of Chicagoland&#8217;s fine cuisine. Takes place around and before the Fourth of July holiday.</li>
<li>&#8220;Jieetyet&#8221;: this is used to ask &#8220;did you eat yet&#8221;?</li>
<li>Winter and Construction: Punch-line to the joke, &#8220;what are the two seasons in Chicago?&#8221;</li>
</ol>
<p><em>(Totally nabbed this from <a href="http://www.seanparnell.com/">Sean Parnell</a> )</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=564</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Sociability Scavenger Hunt – RSA 2011 Edition</title>
		<link>http://www.secsocial.com/blog/?p=556</link>
		<comments>http://www.secsocial.com/blog/?p=556#comments</comments>
		<pubDate>Wed, 09 Feb 2011 20:40:35 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[Humor]]></category>
		<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[EFF]]></category>
		<category><![CDATA[Scavenger Hunt]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=556</guid>
		<description><![CDATA[Witness Bar fight over PCI DSS 2.0 debate Collect 10 Business Cards from “Security Consulting Companies” with fewer than 2 employees. Find one product in the Innovation Sandbox that solves a security need of TODAY, not a compliance need. Create a drinking game based on how many times you hear about attacks that target smartphones. [...]]]></description>
			<content:encoded><![CDATA[<div><img class="aligncenter" title="Scavenger Hunt" src="http://sites.google.com/site/khmiller140/scavenger_hunt.png" alt="" width="422" height="350" /></div>
<ol>
<li>Witness Bar fight over PCI DSS 2.0 debate</li>
<li>Collect 10 Business Cards from “Security Consulting Companies” with fewer than 2 employees.</li>
<li>Find one product in the Innovation Sandbox that solves a security need of TODAY, not a compliance need.</li>
<li>Create a drinking game based on how many times you hear about attacks that target smartphones.</li>
<li>Take a picture with a vendor at the Expo if they DON’T use APT as part of their presentation.</li>
<li>Create a ‘Wall of Sheep’ via your iPad and a network sniffer.</li>
<li>Collect “Application Security Specialist”, “Hacker”, and “Broke the Internet” Badge Ribbons</li>
<li>Witness a Hot Security woman mistaken as a woman in Sales, Marketing or PR.</li>
<li>Witness a Not so hot woman in Sales, Marketing or PR mistaken as a security woman</li>
<li>Collect the light-up bouncing balls from the Expo floor, use them as “ShmooBall” replacements during sessions to shake things up a bit.</li>
<li>Attend EFF’s big <a href="https://www.eff.org/calendar/2010/02/10/effs-20th-birthday-with-adam-savage">20th birthday fundraiser</a> hosted by <a href="http://www.adamsavage.com/">Adam Savage</a> of <a href="http://dsc.discovery.com/fansites/mythbusters/mythbusters.html">MythBusters</a> on Wednesday, February 10th at <a href="http://www.dnalounge.com/">DNA Lounge</a> in San Francisco.</li>
<li>Collect 5 vendor shirts that are not White or Black</li>
<li>When a vendor says “Man in the Browser” ask them if they are sure it’s not a woman</li>
<li>Take a picture of 5 people checking their corporate email or Facebook from the RSA Internet Kiosks in Moscone</li>
<li>Have a great time!</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=556</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>5 No-Cost Core Components to Internal Security Team Success</title>
		<link>http://www.secsocial.com/blog/?p=539</link>
		<comments>http://www.secsocial.com/blog/?p=539#comments</comments>
		<pubDate>Fri, 31 Dec 2010 15:11:48 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Team]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=539</guid>
		<description><![CDATA[With 2010 drawing to a close, I took a look back at my position as a Chief Security Officer at a financial service firm and defined what I feel are the 5 core components of my team’s success, and they don&#8217;t cost a thing to implement! I’m sure I could write entire books on each [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="Free" src="http://www.familyhomesecurity.com/images/Free-Home-Security.jpg" alt="" width="144" height="108" />With 2010 drawing to a close, I took a look back at my position as a Chief Security Officer at a financial service firm and defined what I feel are the 5 core components of my team’s success, and they don&#8217;t cost a thing to implement! I’m sure I could write entire books on each of the 5 items, so my apologies for the brevity of the explanations of each.</p>
<p><strong>Can’t have Risk Management unless you know your data<img class="alignright" title="Risk" src="http://www.lepus.com/wp-content/uploads/2009/03/risk-letters-150x150.jpg" alt="" width="150" height="150" /></strong></p>
<p>A security team, professional, or executive cannot manage the security program without understanding what data is floating around the organization. Having a program in place that has executive buy-in and defines Risk Ratings and Data/System Classification for the organization is critical. Taking the time to identify critical data by working with each department head, and understanding what data they handle and how it is currently processed and stored, will define the organization’s risk exposure and risk appetite levels.</p>
<p>Create a partnership with departments; this will allow for improved communication and understanding of security initiatives. Let the departments drive down the security road: most department leads will have ideas on how to improve security once they understand what they need to protect.</p>
<p>Information Security professionals for an organization should know at a minimum the following:</p>
<ul>
<li>Key contacts for each of the organization’s departments</li>
<li>Risk Ratings for their organization</li>
<li>Data Classification for their organization</li>
<li>What systems critical data is stored on
<ul>
<li>How this data is created, secured, and handled</li>
<li>Who has access to these systems</li>
<li>Owners of the data and the system</li>
<li>Data handled at the departmental level
<ul>
<li>Risk rating of this data</li>
<li>How this data is transacted and stored</li>
<li>Who has access to this data, who owns the access provisioning for the data</li>
</ul>
</li>
</ul>
</li>
</ul>
<p><strong>Top Down Security &#8211; Let&#8217;s go down further!</strong></p>
<p>We are all aware that security initiatives are never successful without top-tier buy-in. Let’s push it a bit deeper: let’s ensure that every single manager is responsible for the security controls of their area. This is a point that we don’t concentrate on nearly enough as security professionals. Ensure that everyone understands what security means to their operational areas, and how they can contribute to the overall security process. Security committees are a good way of implementing this, but so is just getting out in your organization and soliciting feedback and conversation!</p>
<p><strong>Security as a job function for operational areas</strong></p>
<p>After we ensure that every functional area understands the type of information that they process, transact, or store (both physically and logically), let’s ensure that the preservation, proper handling, and protection of this data is incorporated into their job function. A security team is not ever going to be able to be everywhere at once, no matter how ‘good’ the GRC and DLP products are.</p>
<p><strong>Enabling the workforce</strong></p>
<p>Humans make functional areas of organizations very dynamic. Pick up the book ‘Hacking Work’ if you don’t believe that people have been, will be, and are currently circumventing the system. Security teams and executives cannot approach security in a ‘restrictive’ mode any longer. Understanding <strong><em>actual</em></strong> risk to an organization is vital. Take some time to talk to a person in a different operational department about their frustrations with controls or policies, to understand what needs to be modified to allow the workforce to function optimally while still maintaining the security controls that protect it. Feedback is everything, and organizations will not get it to the right people until the right people start asking the right questions.</p>
<p><strong><img class="alignleft" title="PostIt" src="http://www.thesecuritypub.com/wp-content/uploads/2010/07/postitwithcrossedoffpasswords_thumb.jpg" alt="" width="205" height="212" />Education</strong></p>
<p>As an industry, we talk about security education all of the time, but spend the least amount of money on it. People are not going to be able to do the right thing if they have never been taught what the right thing is. Security evolves daily, so the thought of only executing training once a year seems a bit ridiculous. Security education needs to be a daily event. Intranets are very powerful that way, and very low cost as well. Get creative, people, but get the message out to the masses about why policies are in place, what they are, how they help everyone, and just explain it all in everyday terms! Make October, Cyber-Security Awareness Month, an exciting event. Again, get feedback from the masses about questions they have about corporate security, or even other information security topics. Make very good friends with the physical security teams and HR; these are resources that generally will help enable the education process. Take a sliver of the budget and hire a firm that specializes in security training to train the development teams in a fun way; make security FUN for everyone.</p>
<p>Education can make a substantial impact; it is by far the most powerful tool a security practitioner could ever use, yet few do it well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=539</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Updated and Refreshed Security Sociability!</title>
		<link>http://www.secsocial.com/blog/?p=508</link>
		<comments>http://www.secsocial.com/blog/?p=508#comments</comments>
		<pubDate>Sun, 07 Nov 2010 19:23:11 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[Sociability]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Misc.]]></category>
		<category><![CDATA[Security Conferences]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=508</guid>
		<description><![CDATA[Welcome to the new and improved Security Sociability. It has been a wild and crazy 2010, and with that a lot of content that is beginning to get queued up for the end of the year. Notable additions to the site are: Security Conference listing &#124; Thanks to a conversation about just how crazy &#8216;conference&#8217; [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><img class="size-medium wp-image-509 alignright" title="NewImproved" src="http://www.secsocial.com/blog/wp-content/uploads/2010/11/NewImproved-300x187.jpg" alt="" width="240" height="150" /></p>
<p>Welcome to the new and improved Security Sociability. It has been a wild and crazy 2010, and with that a lot of content that is beginning to get queued up for the end of the year.</p>
<p>Notable additions to the site are:</p>
<ul>
<li><span style="font-size: 13.3333px;"><a href="http://www.secsocial.com/blog/?page_id=478" target="_blank">Security Conference</a> listing | </span><span style="font-size: 13.3333px;"> A conversation about just how crazy &#8216;conference&#8217; season is led us to learn that the information security conference season is nearly year-round. </span></li>
<li><span style="font-size: 13.3333px;">RSS Feeds are working again!</span></li>
<li><span style="font-size: 13.3333px;">Social Buttons are updated! </span></li>
</ul>
<p><span style="font-size: 13.3333px;">Enough work for the moment, but new additions and content will be arriving much more frequently! Thank you all for stopping in!</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=508</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HacKid Conference &#8211; Boston 2010</title>
		<link>http://www.secsocial.com/blog/?p=449</link>
		<comments>http://www.secsocial.com/blog/?p=449#comments</comments>
		<pubDate>Mon, 11 Oct 2010 14:03:32 +0000</pubDate>
		<dc:creator>SecBarbie</dc:creator>
				<category><![CDATA[HacKid]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Misc.]]></category>

		<guid isPermaLink="false">http://www.secsocial.com/blog/?p=449</guid>
		<description><![CDATA[Unless you have been living under a rock for the past few weeks, you know about HacKid Conference that was held over the past weekend in Boston at the Microsoft NERD (New England Research and Development) Facility. HacKid was founded by Christopher Hoff and facilitated by an amazing advisory board and volunteers. I was very [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><a href="http://www.secsocial.com/blog/wp-content/uploads/2010/10/hackid.jpg"><img class="size-full wp-image-450   alignleft" title="hackid" src="http://www.secsocial.com/blog/wp-content/uploads/2010/10/hackid.jpg" alt="" width="200" height="182" /></a>Unless you have been living under a rock for the past few weeks, you know about the HacKid Conference, which was held over the past weekend in Boston at the Microsoft NERD (New England Research and Development) Facility. HacKid was founded by <a href="http://www.twitter.com/beaker">Christopher Hoff</a> and facilitated by an amazing advisory board and volunteers. I was very fortunate to be able to share this experience with my own little me as well as the little me’s of a lot of my favorite InfoSec people, and what a fantastic time it was!</p>
<p>It was absolutely amazing, given the number of children at the event, how well behaved they all really were. As if we needed another reason to reaffirm that the information security community is truly something different and more like an extended family, this event was a testimony to that. From high-level executives who will teach you how to manage your hair, such as <a href="http://www.akamai.com/">Akamai&#8217;s</a> <a href="http://www.csoandy.com/">Andy Ellis</a>, to the many volunteers who devoted their time even when they did not have children involved. A great example of that was <a href="http://twitter.com/leighhollowell">Leigh Hollowell</a> and <a href="http://twitter.com/mrtoph">Chris Lyte</a>, who taught kids, early in the morning no less, the science of Cryptography and Steganography! <a href="http://hypatia.ca/">Leigh Honeywell</a> and some of the <a href="http://twitter.com/hacklabto">HackLab.To</a> crew spent the weekend teaching kids all about MakerBots, CNC design, and the open hardware revolution.</p>
<p>If you are curious as to what these participants were exposed to, I urge you to take a gander at the <a href="http://www.hackid.org/content/schedule/">schedule</a> for HacKid. Yet, just like the ‘big kid’ conferences, the hallway tracks were priceless, giving kids the opportunity to network and build friendships with others whose parents have similar schedules and roles. Again, Amazing!</p>
<p>My takeaways:</p>
<ul>
<li><img class="alignright size-medium wp-image-451" title="KidsSoldering" src="http://www.secsocial.com/blog/wp-content/uploads/2010/10/KidsSoldering-300x225.jpg" alt="" width="300" height="225" />The prime age for all the tracks seems to have been around 8 &#8211; 15; the younger kids seemed to enjoy things such as the magician, lego derby, face-painter, etc., but the 8 &#8211; 15 year olds really embraced the concepts. I agree that exposure at the younger age has value too.</li>
<li>Watching a room full of children learning about soldering and electronics, especially when there are 7 girls and 10 boys, will bring a tear to my eye.</li>
<li>LOVED the parents of the girls that heard about HacKid from the girl scouts and brought their kids. Loved, Loved, Loved that they were exposed to this event, and I only hope that more diversity of participants will continue! After all, we are an amazing community that more people should be exposed to! :)</li>
<li><a href="http://www.secsocial.com/blog/wp-content/uploads/2010/10/TSABarbie11.jpg"><img class="size-medium wp-image-474 alignright" title="TSABarbie1" src="http://www.secsocial.com/blog/wp-content/uploads/2010/10/TSABarbie11-300x225.jpg" alt="" width="270" height="203" /></a>PVC pipe, Mason Jar, Circuit Boards, and batteries are not the best things to try to get through TSA at Logan. Thanks to the TSA folks for allowing @LilSecBarbie to give an impromptu demo so she could keep her projects from HacKid.</li>
<li>The selfless act of generosity by one child who won the Tony Hawk autographed skateboard and refused to take it because “He already had a skateboard and wanted someone who didn’t have one to win it” will also bring a tear to my eye and warmth to my heart! His parents should be extremely proud of the values that they taught him. I only wish that some of the parents would have done the same thing when they won and given a child an opportunity to win.</li>
</ul>
<p>Amazing event, and I hope that it shows up in more cities, and I will personally make every effort to assist in every way possible for such an amazing movement.</p>
<p><strong>Thanks to all the speakers and volunteers, I can’t say how much I personally am grateful to be a part of such an amazing community.</strong></p>
<p>Many rounds of applause for all the sponsors that took a chance on a first conference of its kind:</p>
<table bgcolor="#FFFFFF">
<tbody>
<tr>
<td><p><a href="http://microsoft.com"><img title="microsoft_logo" src="http://www.hackid.org/content/wp-content/images/microsoft_logo.jpg" alt="" width="149" height="40" /></a></p>
<p><a href="http://www.usenix.org"><img title="usenix_logo" src="http://www.hackid.org/content/wp-content/images/usenix_logo.png" alt="" width="150" height="61" /></a></p>
<p><a href="http://kapersky.com"><img title="kapersky_logo" src="http://www.hackid.org/content/wp-content/images/kapersky_logo.png" alt="" width="166" height="42" /></a></p>
<p><a href="http://www.barracudanetworks.com/"><img title="barracuda_logo" src="http://www.hackid.org/content/wp-content/images/barracuda_logo.png" alt="" width="138" height="37" /></a></p>
<p><a href="http://www.cisco.com/"><img title="cisco_logo" src="http://www.hackid.org/content/wp-content/images/cisco_logo.png" alt="" width="96" height="53" /></a></p>
<p><a href="http://www.cloudsecurityalliance.org/"><img title="csa_logo" src="http://www.hackid.org/content/wp-content/images/csa_logo.png" alt="" width="131" height="46" /></a></p>
<p><a href="http://www.isc2.org/"><img title="safeSecureLogo" src="http://www.hackid.org/content/wp-content/images/safeSecureLogo.png" alt="" width="68" height="91" /></a></p>
<p><a href="http://www.trustwave.com/"><img title="trustwave_logo" src="http://www.hackid.org/content/wp-content/images/trustwave_logo.png" alt="" width="165" height="34" /></a></p>
<p><a href="http://www.elenco.com/"><img title="elenco_logo" src="http://www.hackid.org/content/wp-content/images/elenco_logo.png" alt="" width="137" height="25" /></a></p>
<p><a href="http://www.ioactive.com/"><img title="ioactive_logo" src="http://www.hackid.org/content/wp-content/images/ioactive-logo.png" alt="" width="218" height="58" /></a></p>
<p><a href="http://www.youdoitelectronics.com/"><img title="youdoitlogo" src="http://www.hackid.org/content/wp-content/images/youdoitlogo.png" alt="" width="98" height="51" /></a></p>
<p><a href="http://www.oreilly.com"><img title="oreilly_logo" src="http://www.hackid.org/content/wp-content/images/oreilly_logo.png" alt="" width="148" height="27" /></a></p>
<p><a href="http://www.nostarch.com/"><img title="nostarch_logo" src="http://www.hackid.org/content/wp-content/images/nostarch-logo.jpg" alt="" width="90" height="104" /></a></p>
<p><a href="http://www.MicrosoftCambridge.com/"><img title="microsoftnerd_logo" src="http://www.hackid.org/content/wp-content/images/microsoftnerd_logo.png" alt="" width="220" height="58" /></a></p></td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://www.secsocial.com/blog/?feed=rss2&#038;p=449</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>