Tuesday, December 13, 2016

Recent events: ITPalooza and SecureMiami

This past week I attended a couple of events here in South Florida.

First up was the 5th ITPalooza.  A bigger event then last year, the South Florida Technology Alliance organized the event and moved it to Signature Grand, a large banquet/conference center here in the area.  The event took over the whole place, which I've never seen.  Usually I'll be there and there will be 3 or 5 other events going on.

They had a large exhibit hall with various vendors, organizations, schools, and recruiters.  Unlike past years, they didn't have the recruiters relegated to another room.  I was there helping man the South Florida ISSA booth, promoting our org.  Had several people drop by, so hope we will get more members.  We also talked with some vendors and local universities.

In addition, there where several tracks of speakers.  The CIO track was exclusive to the iCoast CIO Council, others were open to all.  Here good things about those, but missed out.

For a first time event with new people in charge, I saw good and bad.  There is always room for improvement.  They have already set the date for next year's event as December 7th, 2017.  Look forward to it.

A new event held this year was SecureMiami.  This was held in conjunction with the existing BrewMiami event at FIU.  SecureMiami was organized mainly by DigitalEra and was located at the Graham Center from 2-5pm.  There was a keynote speaker, Jack Daniels, with speakers from 3 other vendors followed by a panel discussion with several VP Infosec/CISOs.  All the speakers were good.  It seemed the bad weather in the area discouraged some from coming, but they missed out.

Afterwards most went over the BrewMiami, where we had a VIP section just for the SecureMiami folks.  Here one could sample various beers and food from local brewers and vendors.

Not sure if they will do this event again, but if so, they will have a lot of work to top this one.

Monday, December 12, 2016

South Florida ISSA Security Conference 2017

Well the South Florida ISSA Chapter has announced our 2017 Security Conference.

Our conference website is setup HERE with full info, including call for sponsors and call for presenters.  Registration is already open.

Check it out.  We have some new ideas for this next conference.

Wednesday, November 30, 2016

SecureMiami 2016- Dec 10th @ FIU

If you're in the South Florida area, we have a new one day security event coming up down at the FIU main campus in Dade:  SecureMiami.

This event is being organized by DigitatEra, FIU, and the South Florida ISSA Chapter and sponsored by several vendors.

Its a 3 hour event starting at 2pm at FIU's Graham Center Balllroom (GC 140), located at 11200 SW 8th St, Miami, FL 33199.  Not sure about parking, but I assume will be in either the Blue or Gold parking lots near the Graham Center.

Tickets are FREE and can be obtained from the above website.

Following the event is BrewMiami at the FIU Stadium.  More info on that can be obtained from the SecureMiami event page.

Tuesday, November 29, 2016

ITPalooza 2016

If you're in the South Florida area, the 4th annual ITPalooza is coming up next week on Dec 8th, 2016.

This event, now sponsored by the South Florida Technology Alliance, is planned to be bigger then even and has moved to the Signature Grand.  Now an all day event of speakers and activities, there will be booth from vendors and user/professional groups and a job fair with a variety of recruiters and companies in attendance.

Full info is available at their website.  Tickets can be obtained there.  As always, you can get a free ticket if you bring 2 new unwrapped toys.


Friday, November 25, 2016

SANS Miami 2016

A couple of weeks ago I attended the SANS Miami 2016 conference.  While I have taken a few SANS courses, this was actually the largest SANS event I've been able to attend.  The previous events I was at were SANS Community events, one with only one course over several weeks, another was a week-long event with just 2 courses.  The rest I did on-line.

For the last few years SANS had been doing small events in our area, first in Ft Lauderdale before moving to Miami.  These events had about 5 courses.  The first few ones were mainly focused on forensics courses, which were not of interest to me.  This one had a more devise set of courses, and took one of their security management courses:  MGT514: IT Security Strategic Planning, Policy and Leadership.

Overall I thought this course was good.  For me, it was a mix of stuff I knew, stuff I had heard of but didn't know much about, and new stuff.  A lot of what I've learned has been learned on the job vs in a course, so I often have gaps in my knowledge, or I might not know the "proper" way of things.  So this kind of course helps me fill those gaps.

SANS already has SANS Miami 2017 on their calendar for next year, but haven't yet announced the 5 classes they will be offering.  Will see if I'm able to attend.

Wednesday, November 23, 2016

2016 ISSA International Conference

Well, a bit behind in this posting.

November 2-3, 2016, the Information System Security Association (ISSA) had their International Conference in Dallas, TX.  I was part of the Steering Committee and also attended the ISSA Chapter Leaders Summit held the day before.

Overall this was a great conference.  I had been to the previous 2 conferences (Chicago and Orlando), and this was an improvement over those.  We had more attendees and more sponsors then before.  We had a lot of great speakers and some great additions to the conference.

We had a "party in the skill" in the Reunion Tower connected to the Hyatt Regency where the conference was held at.  During the party, we had a Capture the Flag game going on.  They had a job fair (first time), with several recruiting companies.   There were 2 books given to participants and the authors were there to sign them: Becoming the Customer by Peter McLaughlin  and Managing Risk and Information Security 2nd ed by Malcolm Harkins (I have the 1st edition, so this was a welcome update).  And there was a special deal for training and testing for the CEH and C|CISO cert from EC-Council.

On a personal note, I was honored at the awards luncheon with ISSA Fellow status.

The next conference will be October 10-11, 2017 in San Diego.  I plan on being on the Steering Committee again, as I want to see certain things continued and other things improved.  Will see if I'm able to attend it.

Monday, September 26, 2016

FFIEC updates (finally) their Information Security IT Examination Handbook

Well, after ten years, the FFIEC has finally updated their Information Security IT Examination Handbook.

So probably some are wondering what this is and why should they care.  If you don't work in the financial industry, you may not be aware of all of this.

The FFIEC is the Federal Financial Institutions Examination Council, which is a government interagency body that sets down uniform principles, standards, and report forms regarding the examination of financial instituions.  The Council is make up of Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), and the State Liaison Committee (SLC), which itself includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

So basically if you work for banks or credit unions, you have dealt with this.  If you do IT Security consulting in this realm, you have come across them.


Monday, September 19, 2016

Updates to the CIS Critical Security Controls

Hopefully most people are aware of the Critical Security Controls, which are too often called the "SANS Top 20" or the like, even tho SANS no longer manages them.  (they do offer a course and cert on them.)

SANS actually turned them over to a group called the Council on CyberSecurity in 2013, and put out at least version 5.0 of the controls.  The Council merged with the Center for Internet Security in 2015, who released version 6.0.  Properly they are the CIS Critical Security Controls, or CIS CSC.

With v6.0, they did some revamping and re-ordering the controls.

And CIS has continued to support the CSC.  They have released some new items!

Wednesday, August 31, 2016

I recently attending the 2016 GRC Conference.  This conference was a joint event of IIA & ISACA, and was held in my area in Ft. Lauderdale.  It was a two day conference with speakers in several tracks, along with an exhibitor area.  There were some special sessions before and after the main conference.  This is the sixth time they have done this conference.  Next year's event will be in Texas.

For me, I attended because they had several sessions on cybersecurity.  I was able to attend for free because I volunteered at the conference as a member of ISACA.

Monday, August 29, 2016

SFISSA's 2016 Hack the Flag/Chili Cookoff FINAL UPDATE

The South Florida ISSA Chapter is again holding our annual Hack the Flag/Chili Cookoff in 2016.  This is looking to be our biggest ever.

New location.

New stuff,

Want to be a part of it???  Register TODAY!!!  Go HERE to register.  Want to be a sponsor?? Let us know!!  Only a few slots are available.


Monday, July 25, 2016

SFISSA 2016 Hack the Flag/Chili Cookoff UPDATE

The South Florida ISSA Chapter is again our annual Hack the Flag/Chili Cookoff in 2016.  This is looking to be our biggest ever.

New location.

New stuff,

Want to be a part of it???  Register TODAY!!!  Go HERE to register.  Want to be a sponsor?? Let us know!!

Tuesday, July 5, 2016

Intel meets Arduino: Galileo, Edison, Curie

When I was getting into computers, we had a variety of companies making different microprocessors.  There was Intel, Zilog, Sun, IBM, Motorola, MOS Technology, National Semiconductor, TI, Acorn, HP, and several others.

It seemed that in the home market, at that time made up of Apple, Atari, and Commodore (and a few others), most chips were derived from the Motorola 6800.  (the 6502 was a derivative of the 6800).  So these were called the "6ers".  Their next generation systems were all based on the Motorola 68000 processor and successors.

In the business market, most were first based on the Zilog Z80 (the CP/M machines), later supplanted by the Intel 8088 and follow-on chips.  So these were called the "8ers".

Within the Unix workstation world, most started with the more powerful Motorola 68000 before going with a variety of RISC-based processors (Sun SPARC, HP PA-RISC, IBM PowerRISC, etc).

Eventually things shook out, and Intel and Intel-based processors came to dominate pretty much all of the desktop and laptop market and most of the server market (for Windows Servers and Linux Servers).  Intel has won out.  (please note this is a very simplified version of history)

Friday, July 1, 2016

Upcoming Security Events (I plan to be at) in 2016

Well, there are several upcoming events I hope to be involved within the coming months.  Several of these I hope to have further postings to promote them, but here is a quick run down.

Tuesday, June 28, 2016

20 Books: The CERT Guide to Insider Threats

This is part of a sub-series of postings based on the "20 Books Cybersecurity Professionals Should Read Now".

 The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud).  By Dawn Cappelli, Andrew Moore, Randall Trzeciak.  Addison-Wesley, 2012.

For those not aware, CERT is the Computer Emergency Response Team, a division with the Software Engineering Institute at Carnegie-Mellon University.  Its a research group looking into various aspects of cybersecurity threats.  Often times it reports on new threats, alert organizations about them so they can take action.  It was formed by a directive from DARPA in the wake of the Morris worm, which formed the CERT Coordination Center.

Saturday, June 25, 2016

C.H.I.P. unboxing

Hopefully most are aware of C.H.I.P., the interesting $9 micro computer from the Next Thing Company.  They launched this with a Kickstarter campaign and have been shipping them out this month.

I finally got mine and took some pictures.

Thursday, June 23, 2016

The so-called InfoSec/Cybersecurity Skills Gap

Several groups are pushing the idea that there is a InfoSec/Cybersecurity "Skills Gap".  Basically the idea is that there are WAY more info sec positions then available people to fill them.

Sorry, but as an experienced infosec professional who has been looking and seen the market out there, and know of others who had have similar experiences, I'm not buying it.  MAYBE in some areas there are not enough people (DC area?).  MAYBE in certain skill areas (say pentesters or SOC folk) there are not enough people.  But I don't think that is a general issue across the board.

Sadly, these groups pushing this idea think that pumping out newbie infosec folks is the solution.  Really?  Companies are looking for EXPERIENCED people, not those with 'book learning'.

Monday, June 20, 2016

South Florida ISSA's 2016 Hack the Flag/Chili Cookoff event

For as long as I can remember, the South Florida ISSA Chapter has been hosting an annual Hack the Flag/Chili Cookoff.  We have a 'capture the flag' event, where teams work against each other to hack a system and collect 'flags'.  We've accompanied this with a chili cookoff (along with food and drinks), as not everyone does the CTF.  Most years we've had some kind of theme (russian, brazilian, asian, etc), and the last few we've had t-shirts.  Over the years we've been in a few different places (I can recall 5 different ones).  A couple of years ago we added a lockpick village as well.



Our event was bigger last year as we were celebrating our 15th Anniversary.  We had a bounce house and some other things.

Friday, June 10, 2016

Updates on the NIST Cybersecurity Framework

I've previously posted on the NIST Cybersecurity Framework, and was very surprised that in the last week there has been some new development in that area.

I especially found this interesting because on June 11th I am presenting my "NIST CSF at 2" presentation to the HackMiami meeting at the Broward Main Library.  This is the presentation I gave at BSides Tampa 2016, and had made a few tweaks.  And so I am doing some updates in light of these developments.


Wednesday, May 18, 2016

HackMiami 2016 Conference Report

This past weekend, May 13-15, the 2016 HackMiami Conference was held.  This was the fourth time for this annual conference.  Been to every one and this was my second time speaking.

A change for this year is they have a new venue:  Miami Beach Deauville Beach Resort.  They had some problems with the past location, so hopefully there were no issues this year and they will be back there next year.

Wednesday, April 27, 2016

Book Notes: Beautiful Security and The Myths of Security

Been awhile since I've done any book reviews or the like on this blog.  Am a little behind on my series looking at the "20 Books".

I'd thought I should bring to peoples attention a pair of books that came out a few years ago.  No so much technical security works as more philosophical:  Beautiful Security and The Myths of Security.  Both are from O'Reilly and came out in 2009.  And both share an author (kind of).

Friday, April 22, 2016

New in the Internet of Things

While I await my CHIP to arrive, I thought I'd note some of the other new items that have popped up in the last few months in terms of new boards for IoT.  I think most should be aware of these, but some may not be aware of all of these.


Wednesday, April 20, 2016

Security BSides Tampa Report

On Saturday, April 16th, the third Security BSides Tampa was held.  This year it was hosted at Stetson College of Law- Tampa Campus.  This was the third year of this event, but my first time attending.  I also gave a talk.  They had 3 keynotes, about 15 speakers broken up over 3-4 tracks, and in addition had a Maker/Hacker Space, capture the flag event, lockpick village, and vendor space.



Monday, April 18, 2016

One of my slides from my NIST CSF presentation

When I did my recent presentation on the NIST CSF at BSides Tampa, I had some ask about the source of one of the pictures in my presentation.

All the pictures I got off Google Images, btw.

Here is the picture in question:


The source is this article on the ISACA website, in the section on "Information Security Management at HDFC Bank"

Hope this is of use to others.



Wednesday, April 13, 2016

NIST hosts a Cybersecurity Framework Workshop for 2016

For two days, April 6 and 7 2016, NIST (National Institute for Standards and Technology) hosted a workshop for the Cybersecurity Framework (CSF).  This is the 7th they have held.

In developing the CSF, NIST held a series of 5 such workshops to gather feedback which was used in developing the Framework.  A 6th workshop was held shortly after the Frameworks release.  As part of the process in further developing and supporting the Framework, NIST put our a Call for Information (CFI) on the Frameworks use as well as solicite comments on possible improvements or revisions (say a 1.x update or a 2.0 update).  This CFI ran from December to February of 2016.  This workshop was held to review the outcomes of that CFI, as well as to gather further feedback.



For more info on these past workshops, go HERE.  At present, their report on this workshop won't be available until mid May, however, the webcast recordings should now be available.

Wednesday, March 16, 2016

Security BSides Orlando 2016 Report

The weekend of March 12-13, the 2016 Security BSides Orlando Conference was held.  As last year, this was done just before SANS Orlando, which moved from April (its long time traditional time) to March.  And like last time, it was held at the University of Central Florida, but in a new building.



This was my third year attending and my second year speaking.  I gave a 2 hour workshop on various security standards, frameworks, and regulations such as NIST CSF, ISO/IEC 27001, HIPAA, PCI-DSS and more.  Sadly, it seem a lot of people didn't understand it was a 2 hour workshop and left halfway thru it.  I recently posted the various resources for the workshop (references, training, certifications) here on the blog.

Attendance was over 400, and I understand they got a lot of students, who got to come for free.  There were 2 tracks of talks, along with some workshops which run longer, tho I think it turned out mine was the only workshop.  In addition, they had a Capture the Flag game going on, a Lockpick Village, and several vendors and orgs in attendance.  So a great event overall.

This year's badges were different, being different colored cassette tapes depending on if you were an attendee, speaker, sponsor, staff, silver or gold.


There was a conference t-shirt and stickers.  Speakers got some extra nice things.  I'll have to take some pics of those and upload them.

Check out their Facebook group for pics.  Not sure when videos of the talks will go live on their YouTube channel, but think very soon.  Sadly, my workshop was not taped.

I look forward to next year's event.  I have some ideas for next time.  I think my topic this year was too broad, so am looking at some more focused ones.  I really hope SANS 2017 will be in April for a couple of reasons.


Sunday, March 13, 2016

Resources for workshop on security standards/frameworks/regulations for information security professionals

At the 2016 Security BSides Orlando conference, I gave a workshop on security standards, frameworks, regulations for information security professionals.  While not an exhaustive survey of such, I focused on the ones that seem the most known, and which I typically see on job descriptions.

Not covered were enterprise architecture models like Zachman or TOGAF.  Left out are other security frameworks like SABSA or things like RESILIAFedRAMP or Cloud Control Matrix, SSAE 16/SOC, Secure DevOps, or Maturity Models for security.

Covered were:
  • CIS CSC
  • NIST CSF (plus FFIEC CAT)
  • ISO/IEC 27001
  • FISMA
  • HIPAA
  • GLBA 
  • SOX (plus COSO)
  • PCI-DSS
  • COBIT 5
  • ITIL

Wednesday, March 9, 2016

HackMiami 2016 Conference

The 2016 HackMiami Conference will be coming up in a few months on May 13-15.  This will be the fourth time for this annual conference.  Been to every one and plan on attending again as I will be speaking (for the second time).

A change for this year is they have a new venue:  Miami Beach Deauville Beach Resort.  I think they had some problems with the prior location.  Hopefully things will be better with this one.

They have announced their keynote speakers, and John McAfee is returning as an announced speaker.  (last year he was a surprise keynote speaker).  This year's general theme is a return to the start of the hacker/cracker culture.  They are still taking proposals, so don't yet know what will be the speakers and tracks.  There will again be the lockpick village and "capture the flag" event as before, and training on the first day.

If you are in Florida, check out this conference.  It's a lot of fun.



Monday, March 7, 2016

Security BSides Orlando & Tampa 2016

Well, here we are in 2016.

This year I am working on speaking at several upcoming conferences.  Two are coming up this month and next:  BSides Orlando and BSides Tampa.


Security BSides Orlando 2016 will be held the weekend of March 12-13, just before SANS Orlando.  This is the 4th year of the conference, and the conference again returns to the University of Central Florida, but in a different building from last year.

I will be giving a 2 hour workshop on various security standards, frameworks, and regulations such as NIST CSF, ISO/IEC 27001, HIPAA, PCI-DSS and more.  I will be posting here a list of the recommended sources of info, training, etc for this presentation.



Security BSides Tampa 2016 will be held on Saturday, April 16 at Stetson College of Law – Tampa Campus.  This is the third year of the conference and my first time attending.  I will be giving a presentation on the NIST Cybersecurity Framework on its second year of existence.  I have something special in regards to this presentation which I will review later.

I took forward to both conference.  If you have never been to a BSides Conference, check to see if there is one coming up in your general area.  Just in Florida we have 3, tho I'd love to see one start here in South Florida.

As I learn about the other conferences I have submitted proposals to, I'll post them here.