InfoSec Professionals

Aspiring or current professionals in the information security business.

It's a tough job. Maybe one of the toughest in the tech field, as we need to be prepared for anything to happen to everything. Let's share wisdom and help each other.

Network Leader: Ray Pompon
 
Jared Sperli Does anyone have any experience they would like to pass on about how to work with resellers and/or outsourced sales team? I am looking to learn best practices about both as my security software company grows. Thank you.

23 weeks ago from Entrepreneurs and InfoSec Professionals

 
Susan Jett I'm curious about Info Sec Professionals; a colleague of mine is searching for several positions (full-time) that require this background. Where do you typically post resumes, etc? If you'd like details about these positions, please let me know.

27 weeks ago from InfoSec Professionals

Ray Pompon: 100% of the jobs I've gotten in infosec have been through word of mouth and colleagues. Same is true in reverse, whenever we've needed folks, I've always gone to my professional networks first. Neither of these things helps you, as a recruiter. Perhaps something useful to say, is we also announce jobs at professional meetings (such as the local InfraGard chapters, etc).
27 weeks ago
Susan Jett: Thanks for the advice, I'm researching now chapter contact information!
27 weeks ago
 
John Meyers I will be teaching the SANS GCIH class Hacker Techniques, Exploits and Incident Handling starting July 27 in Pittsburgh PA. Please see http://www.sans.org/info/59313 for course details and registration information. If you are in Pittsburgh, drop me a line, I am always interested in meeting fellow InfoSec Professionals.

33 weeks ago from InfoSec Professionals

 
Jared Sperli At #ISACA SV, I asked how will information security change when those who first started it retire? Linked is a great response post from one of the panelists, Dr. Eugene Schultz. The man knows his business very well. http://goo.gl/iXCpu I would like to get the pulse of Info Security folks on this specific site in terms of how the future may look for upcoming generations when we take over the C-level security jobs. Thank you, Jared

63 weeks ago from InfoSec Professionals

Jared Sperli: We are still looking only at enterprises, but I will let you know if we make the switch
63 weeks ago
JRandom42: I'm still waiting for the Alt-Del-User control that was supposed to cause the old teletype terminals to overload and explode. Wonder if it's being coded by NSA for modern systems. That's going to be the next step in eliminating security threats! :)
62 weeks ago
 
John Meyers I have a new web site I built. I plan on adding it to the top of my resume to aid in my job search. I am still generating content, but I wanted to get some feedback on it. http://www.attackdefendsecure.com

65 weeks ago from InfoSec Professionals

Ray Pompon: It's a good start for a site. The landing page is a little generic, which is fine. I think the next step content-wise would be to sketch in your specialties. From your blog, it seems that this is forensics and malware analysis - both hot areas. I'd make sure any articles, papers, talks, and major cases you've done in those areas are featured prominently. For example, your SANS Mentoring... perhaps some info close to the top with some bullets on what you'd be covering... a few words of wisdom... and 2-3 sentence war stories.

65 weeks ago
John Meyers: @ Jared, I checked out your site, I think what you are doing is the future of malware detection. I don't think signature detection can keep up. When I can write malware with Metasploit that bypasses most detection on Virus Total, that's a pretty good indication that we need a better solution.

@ Ray, Thanks for the feedback, it has given me some ideas on how to improve my site.

64 weeks ago
 
Ray Pompon My VB2010 paper on "Case study - successes and failures apprehending malware authors" avail for DL at http://www.planetheidi.com/Pompon-VB2010.pdf

70 weeks ago from InfoSec Professionals

 
Ray Pompon Thought experiment from a colleague - This is a hypothetical – If I operate a store where you buy stuff and every time you use a CC, I perform a 1 way hash of the card # to reference a database and stuff the purchase info in, theoretically the only way to get the data for customer X from the database is to have their CC. Is there ANY PCI implication of associating the one-way hash with the purchase data, even if I include EVERY other PCI trigger (name, address)?

99 weeks ago from InfoSec Professionals

 
Ray Pompon Rather than asplode a bunch of 2010 predictions, I thought I'd just focus on one big one with many facets http://assumebreach.blogspot.com/2009/12/everyone-else-is-doing-predicti...

110 weeks ago from InfoSec Professionals

Paul McGinley: Great post Ray. (In regards to number two:) As one in the physical security sector I can say that this has a huge potential for loss and damage in the physical world as well. Information gained in phishing attacks can easily be used to breach a physical perimeter as well as gain access to data in a virtual environment.
108 weeks ago
Ray Pompon: Thank you. Indeed, physical attacks are often a blind spot for most infosec folks. And blended attacks -> use cyber to enable a physical attack or vice-versa is a common avenue but often overlooked in assessments.
108 weeks ago
 
Dr. Anton Chuvakin >breaks usefulness Well, I've seen cases where a little creative thinking allows them to skip PAN storage and still preserve business usefulness. In some cases, this is clearly impossible; but maybe they can outsource to somebody who can protect the data better.

113 weeks ago from InfoSec Professionals

 
Ray Pompon PCI mandated encryption is a farce - other than laptop encryption, how many people under PCI actually implement crypto for their applications that process PANs (ccard #s). Most of what I see are "compensation controls" because crypto is too expensive to do. What's your take?

113 weeks ago from InfoSec Professionals

Dr. Anton Chuvakin: Yup, my point exactly: tokenization or simply not touching the data by using other technologies works wonders to PCI scope, cost, etc.
113 weeks ago
Ray Pompon: But what about those who cannot tokenize or remove the PANs from their applications because it breaks the business usefulness of the system? I've seen quite a few cases of large corps where it wasn't cost effective to alter the data in any way within the legacy app.
113 weeks ago
Ray Pompon: Thanks to Anton Chuvakin blogging a link to this article, I've got some terrific feedback and comments going. I'm thinking of combining this idea with my deceptive defense talk (http://www.iedtalk.com/) and doing something more with it.
115 weeks ago
 
Ray Pompon Culling through about a half decade of my talks, I decided to dig up some more exclusive content for this forum.

124 weeks ago from InfoSec Professionals

Ray Pompon: And websense is blocking access? Interesting.
124 weeks ago
Kevin Durbin: Not specifically your sites/links, just computer/network security words in general; we are a lower-tier site, but still are IS/IT so not good
124 weeks ago
 
Ray Pompon Just published an article on risk analysis that some may be interested in. DL here http://www.planetheidi.com/Communique-Aug%2009-Risk.pdf

127 weeks ago from InfoSec Professionals

Dean Soto: Mind if I pass this along to some of my IA classmates? This is some good stuff! Timely too.
124 weeks ago
Ray Pompon: Sure. Some of the material is actually based on a lecture I did in the UW IA program.
124 weeks ago
 
Kevin Durbin Hello from NC! While not an official title - still, infosec is a big part of my job. Good to see there is a group dedicated for this area.

127 weeks ago from InfoSec Professionals

 
Ray Pompon My mentor had lunch with Peter Newmann today. Lots of interesting things heating up in SmartGrid security.

127 weeks ago from InfoSec Professionals

Michael Stephen Ruiz: Have we (meaning those heavily involved in the SmartGrid development), integrated preventive security measures through the process lifecycle? And if not, why not?
114 weeks ago
Ray Pompon: Sounds like you need to come to the SmartGrid conference our chapter is putting together this summer.
114 weeks ago
Ray Pompon: There should be an Atom link at the bottom of the main page http://assumebreach.blogspot.com/
127 weeks ago
Kevin Durbin: I didn't realize initially the Atom link would work for RSS feeds in Google reader; thankfully it does and I'm subscribed
125 weeks ago
 
