#Ginfosec Las Vegas 2018

Although I will not be in Las Vegas this year for “Hacker Summer Camp,” the show must go on! My mentee Courtney (aka O3Awesomesauce on Twitter) has graciously volunteered to be my stand-in for this event. Maybe we’ll do some FaceTime and I can see everyone?

So, what’s #Ginfosec Las Vegas 2018? It is a no-host (meaning: you pay your own way) meet-up for laughs and conversation. We had a nice turn out last year and a good time was had by all.

You don’t *have* to order gin.
You don’t *have* to order any alcohol at all.

This is just a friendly meetup. All are welcome!

You are so InfoSec and you don’t even know it.

Date: Monday, August 6th

Time: 4:00 pm – 6:00 pm local time

Venue: The Bar at Lawry’s The Prime Rib
4043 Howard Hughes Parkway Las Vegas, NV 89169
It’s walking distance across the street from the Tuscany Suites & Casino
(the site of BSidesLV) NOTE: The restaurant opens at 5:00 pm, but the BAR opens at 4:00 pm. I confirmed this by phone.

Happy Hour: From 4:00 pm – 6:00 pm, the bar will have half-priced bites and select beverages on discount. See the menu here.

No need to RSVP. Just show up, say hello to Courtney and the others.
Use #ginfosec if you Tweet about it!


Storytelling as a Service in InfoSec

Storytelling. It’s not just for campfires and young children’s classrooms anymore.

It’s a method of communication that engages the listener and teaches or persuades them, often without them even realizing it. It’s been recognized for a while in the business world as a strategic tool, as evidenced by these headlines:

From Bedtime to the Boardroom: Why Storytelling Matters in Business (Entrepreneur, 11 April 2015)

The Irresistible Power of Storytelling as a Strategic Business Tool (Harvard Business Review, 11 March 2014)

Storytelling: The New Strategic Imperative of Business (Forbes, 04 April 2016)

Which keywords pop out at you from those three articles above? To me, I see the words strategic, imperative, and matters. What else is strategic, imperative, and very much matters? Information Security.

So, why isn’t the InfoSec industry embracing storytelling as a tool? Perhaps the easy answer is that storytelling can arguably fall more into that “soft skill” realm which is dreaded by many tech-brained persons. But, the reality is that communication skills are vital to InfoSec jobs, whether that communication be solely among your team, or externally with end users, vendors, or executives.

Stories make presentations better.
Stories make ideas stick.
Stories help us persuade.
(HubSpot, 01 February 2017)

My wish for the InfoSec community is that more people embrace improved communication and storytelling skills, whether it be written or oral communication. Many of the challenges we face as InfoSec professionals stems from end user behavior or resistance from executives or other departments who don’t understand what we do. If we all got better at communicating, some of those misunderstands or confusion could eventually be alleviated. We do a pretty good job communicating with each other as InfoSec pros, let’s take the next step and put in an effort to communicate with the people around us who are consumers of the security we manage.

It could also help your career. Now more than ever, businesses, workers, and leaders have opportunities to stand out, spread messages, and make change through storytelling. Look at this real job posting:

The skill Jason Haddix described there is storytelling. Notice I called it a skill, versus something innate. Sure, some people will be more naturally gifted storytellers. Some cultures and tribes have long traditions of skilled storytelling as a craft. But, that doesn’t mean that you can’t learn and hone this skill just as you learned and honed a programming language or other technical ability.

Think of a story as a mnemonic device for complex ideas.Annette Simmons

To get you started, here are some resources to put you on the path to being able to persuade, influence, encourage, support, and educate people through weaving words into storytelling.

Humans simply aren’t moved to action by ‘data dumps,’ dense PowerPoint slides, or spreadsheets packed with figures. People are moved by emotion. The best way to emotionally connect other people to our agenda begins with “Once upon a time…”Jonathan Gottschall

Where does your story begin?


Talking InfoSec with Strangers on a Boat (Or, “How I Spent My Recent Vacation”)

It’s common when taking a cruise that you are seated with fellow passengers in the dining room. I exchanged pleasant conversation with my fellow diners, when the seemingly innocuous question was asked that I had been dreading. “What do you do?” asked the couple across from me. I froze and glanced sideways at my husband. My mind raced while deciding if I should come clean and tell the truth, knowing that a series of questions would ensue. I made a decision. I smiled and said quietly, “I work in cybersecurity.” The couple exchanged excited glances and turned back to me to say, “Oooh! We have questions!” I reached for the bread basket and smiled again, “Sure. How may I help?”

Most of my fellow cruise passengers were retirees. I’m not saying that automatically means that they aren’t tech savvy. I met many who retired from STEM-related careers. (See this Twitter thread about the woman I met who oversaw the mainframes for her employer.) There were many people I encountered who had a curiosity to learn more about the tech they were using. As much as I wanted to be off the grid and away from InfoSec on this vacation, I felt that I had a great opportunity to educate people in a relaxed environment of willing listeners.

So, I was truthful about what I did for a living and listened to their questions. Without any judgment, and as FUD-free as I could, I gave tips to  everyone who asked. Tidbits that I thought they could take home with them as a cybersecurity souvenir from their trip. There was one woman to whom I briefly explained the strength of having a minimum of a 15-character password. For the remainder of the cruise, every time she saw me on board, she pointed at me and exclaimed, “15 characters!” It warmed my heart.

I ate lunch solo one day struck up a conversation with nearby diners who quickly asked “that question” and my dispensing of advice began as soon as I sat down. In the midst of me explaining Two-Factor Authentication, I realized that I was holding court. People came from across the cafe to sit around me to listen and ask questions. To be honest, it felt pretty amazing. I thanked them all for their curiosity and willingness to listen. Who knew cruisers wanted to enjoy scenic views and listen to me go on about VPNs?

I get that not every InfoSec professional wants to “talk shop” while on vacation. I tried my best to keep it light and stuck with the easy concepts that I know so that it was fun for me also. I admit that I don’t know it all, but I feel confident that I know the basic tips the help the average end user. I realized that I had an amazing opportunity to communicate with a willing audience and in the end, it might help a person or two.

Even though I didn’t spend my vacation “Hacking the High Seas”  (a @ChadDewey con talk), I do feel as though I helped move InfoSec forward by sharing what I know with retirees and seniors, a group that often gets overlooked when it comes to matters of tech and security. It made for a fulfilling vacation.

Empathy in Incident Response

His email message to the SOC was succinct. “I clicked on a suspicious link,” he wrote, “What do I do now?”

My first reaction wasn’t that of anger or contempt. I was relieved, actually. Relieved that he alerted the team. (I don’t think I even want to know how many clicks on suspicious links go unreported.) I was eager to take on this challenge and I quickly located the email in question and I examined it.

Then, I called him. On the phone. To talk to him. In person.

He seemed nervous to take my call. I could tell, even before he said it, that he had a cold. You could hear it in his voice and in his breathing. He apologized profusely for clicking on the link, that he was sick and wasn’t thinking clearly.

Not only did I channel my transferable skills of dealing with customers/end users from my past careers as a librarian and a travel agent, but also the advice and lessons learned shared by InfoSec pros like Lesley Carhart, Ariel Robinson, Jayson Street, and Swift on Security, to name a few.

I first thanked him for his email and letting us know. I told him that he did a good thing by saying something and that together we would work this out. Since I examined the email in my sandbox, I knew what the end result would be based on his clicks. I asked him to walk me through his actions. I never used the phrase, “what did you do,” because that sounds like blame. I would prompt him to his next step by saying, “and what was  your next action?”

To me, the email looked like an obvious phish. I was curious about his side of the story. Without any prompting, he explained that he was on a lot of cold medicine and used poor judgment. I could hear the stress come back into his voice as he said this, and he apologized profusely.

I walked him through some troubleshooting steps on his computer and based on his answers, coupled with my own findings, and told him that it seemed like he dodged a bullet. I described to him the steps to engage a virus scan, just as a precaution.

I ended the call basically the way it began. I thanked him for alerting us. He sounded less stressed and thanked me. I genuinely told him that it was my pleasure to help. I told him that I hoped he got well soon. I told him to be careful online and to have a cyber safe day.

This entire incident response took less than 10 minutes total. I realize that one can’t take 10 minutes for every end user who clicked on a suspicious link. But, for when you can spare some time, show empathy. The language I used and the steps I took were towards the greater goal of creating a culture of security.

When I first started at this SOC job four months ago, I used to surprise people by merely letting them know that real humans worked on the security team. I think they assumed a bunch of blinky boxes were involved. But, I am human and I do have empathy for the end user in a time of incident response.



That time when coming in 3rd place really felt like winning

I smiled to myself this morning on my drive to work. A happy memory popped into my head and it gave me a nice feeling. My memory was the time that I came in 3rd place in a high school swim meet.

I swam competitively from age 10 until age 18. I use that term, competitively, loosely in my mind because I wasn’t particularly fast nor did I have a perfect stroke. But, I liked to swim. I attended practice consistently and I liked being part of a team. So, I swam.

In my 8 years of being on a swim team, I can’t recall ever coming in 1st place in a race. Once, at age 10, I came in 2nd place in a 25-meter butterfly event. It was me against three of the other team’s swimmers. I was the only one who represented my team in that race because nobody else wanted to swim what is arguably the most difficult swim stroke. I wasn’t upset that I didn’t win. I was happy that I made it to the other end of the pool.

It never upset me when I did finish last in a race. I still attended practice. I still liked being on a team. I still liked swimming. I knew that I was doing my best and liked doing it. I didn’t give up and I kept going, marking things like personal best and not comparing my times to the record-setting ones that were displayed on the wall.

My bronze-that-felt-like-a-gold moment happened my senior year of high school. I was assigned to lane 1 for the 100-meter backstroke. If you are unfamiliar with swimming events, lanes 1 and 6 are reserved for the not-so-fast swimmers, leaving a wake-free zone of lanes 3 and 4 for the faster competitors. The race felt like any other to me. I concentrated on my breathing and counting my strokes to the wall. It was when I went into the last turn to begin the final lap did I suspect something was different. I saw my teammates had lined the side of the pool next to my lane to wave and cheer excitedly.

I turned my head slightly to the left and saw that I was tied with a swimmer from the other team. Based on my prior swimming experience, I assumed that she and I were in a race for last place. In an instant, I dug down deep and decided that this time I wasn’t going to come in last. I was going to swim as hard as I could and come in 5th.

Even though my limbs were tired and I didn’t think I had any more strength in me, I was bolstered by all the muffled cheering I could hear through my ear plugs. When I saw the flags overhead, I knew how many strokes I needed to touch the wall and I stretched my fingers forward to ensure that I could just beat out that other swimmer for the finish.

A loud cheer went up when I touched the wall. I vividly recall my confusion when I saw the three swimmers from the other team still finishing the race. It was in that moment that getting 3rd place was everything to me. But, that’s the thing. It felt like winning then and it still feels like winning to me today. It was my personal best and it felt great.

It isn’t that I’m not competitive and don’t like winning. (Have you ever seen me at Trivia Night?)  Rather than get discouraged by all the faster, more skilled swimmers, I concentrated on improving my own skills and maximizing the effort that I could give.

I’m truly proud of the swimming trophies I received over the years for being “most improved” in a season. I improved myself and did my best. That’s winning.



Shameless Self-Promotion, Las Vegas Edition

I’m getting ready to leave for Hacker Summer Camp and wanted to share some events that are important to me. Click on the dates of each event for more detailed information. Hope to see you there! Follow me on Twitter @InfoSecSherpa for updates from Sin City.

Monday, July 24th from 4:00 pm – 6:00 pm
#Ginfosec meetup! This is a casual, no-host gathering.
Lawry’s The Prime Rib, across from the Tuscany Suites [BSidesLV HQ]. Meet in the bar.

Wednesday, July 26th at 7:30 am
Networking with people meets mild exercise with NET-WALKING.
After about a 2-mile walk, go as a group to breakfast inside the Tuscany Suites.

Friday, July 28th from 11:00 am – 11:30 am
The Diana Initiative (formerly, TiaraCon)
Networking with Humans to Create a Culture of Security

Friday, July 28th from 3:40 pm – 4:25 pm
DEF CON’s Recon Village
Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool


You are so InfoSec and you don’t even know it.

#Ginfosec Meetup in Las Vegas

What is “Ginfosec,” you ask? Technically, it’s the act of enjoying a Gin & Tonic while engaging in lively conversation about Information Security matters. HOWEVER, this definition has been expanded to include the beverage of one’s choice, alcoholic or not. It’s just a fun name and a way to gather up people to meet and talk.

I will be holding a Ginfosec meet-up in Las Vegas. It’s all pay-your-own way, and BYO sparkling personality and conversation. It’s a great way to meet people in a relaxed setting and talk shop!


Net-Walking at BSides Las Vegas

Do you want to network and meet new people?

Do you like to walk?

Do you like to eat breakfast after walking?

Networking meets walking with…NET-WALKING!

Join Tracy (@InfoSecSherpa) and Marcelle (@marcelle_fsg) for an early-risers meet-up to say hello to new people, get some mild exercise, then pay-your-own breakfast afterwards! We will walk for about 40 minutes (~ 2 miles) then eat at Marilyn’s Cafe at the Tuscany afterwards. (The first regular BSidesLV session begins at 10:00 AM PDT.)

Bring water and dress for walking in the desert in July, as you do.

  • Wednesday, July 26th at 7:30 AM PDT
  • Meet in the lobby of the Tuscany Suites & Casino (aka BSidesLV HQ)
  • All are welcome! No need to RSVP. Just meet us there.
  • Want to join us just for breakfast? That’s cool, too. Look for us there.

The Battle for OSINT – Are you Team GUI or Team Command Line?

The Battle for OSINT – Are you Team GUI or Team Command Line?
BSides Charm (Baltimore) April 29, 2017
Presenters: Tracy Z. Maleeff and Joe Gray

PDF of the presentation slides:
The Battle for OSINT – BSides Charm Presentation – 29 April 2017
(check back for updates to get the Github link to Joe’s Python scripts)

View the video recording here!

There’s more than one way to hack open-source intelligence. In this session, the presenters will demonstrate different ways to acquire information online. Tips and tricks to getting information through point and click will be compared and contrasted with the results of API scraping and coding Python scripts. After all that data is obtained, what do you do with it? The presenters will then discuss the multitude of applications for the data gained as well as the optimal ways to analyze and interpret it. You’ll come away from this session with a better understanding of how to get data from a variety of sources and utilizing different methods of retrieval.

Tracy Z. Maleeff, @InfoSecSherpa, is an independent information professional providing research and social media consulting, with a focus on information security. She is a frequent presenter about best practices of data mining from social media, professional networking, and introduction to information security topics. Tracy has 15 years of experience as a librarian in academia, corporate, and law firm industries and earned a Master of Library and Information Science from the University of Pittsburgh. She is the Principal of Sherpa Intelligence LLC – your guide up a mountain of information.

Joe Gray (@C_3PJoe ) joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own blog and podcast called Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone.