1 min
Farewell and Thank You
Surrounding yourself with excellence is a key strategy for success in both one's
personal and professional lives.
As some may have heard, last week was my last at Rapid7. Leaving my team was a
difficult decision to make. Over the last two years, I've had the privilege of
serving as Global Security Strategist at a firm in hyper growth that executed a
successful IPO in a very tough business & financial climate.
I had the opportunity to play to my strengths and contribute in many ways: CISO
advis
5 min
CISOs
CISO Guidance on Building the Team
If I had a nickel for every time I read about the “security skills
shortage”…well, suffice to say that everyone seems to lament the lack of strong
talent in this industry, and the low number of eager young graduates seeking to
start a security career. So what better topic to explore by way of follow-up to
the 2-part blog [/2015/11/12/security-budget-tips-part-2-from-cisos-for-cisos]:
Security Budget Tips from CISOs, for CISOs? (To recap: I'm interviewing CISOs
for their guidance on select infos
2 min
Vulnerability Disclosure
Trey's InfoSec SitRep [16 Nov 2015]
First, if you aren't listening to the Risky Business [http://risky.biz/]
podcast, fix that. Patrick Gray [http://twitter.com/riskybusiness] is my go-to
source for infosec news.
In the News:
The insight we get into breaches is sparse, so be armed with these stories.
* JPMorgan's 2014 Hack Tied to Largest Cyber Breach Ever | Bloomberg
[http://www.bloomberg.com/news/articles/2015-11-10/hackers-accused-by-u-s-of-targeting-top-banks-mutual-funds]
* Arrests in JP Morgan, eTrade, Scottrade Hack
5 min
CISOs
Security Budget Tips [PART 2], from CISOs, for CISOs
CISO Series: Budgeting Part II
Hopefully you've read (and maybe even benefitted from) Part I of my CISO
Budgeting blog [/2015/11/02/security-budget-tips-from-cisos-for-cisos]. To
recap, I interviewed a group of CISOs about how they use budgetary discussions
for career growth, and what advice they'd give to others looking to set a budget
plan. There were five key takeaways that came out of these interviews; here were
the first three:
1. Whatever you do, don't under-deliver.
2. Budgets are abou
3 min
Exploits
What is SQL Injection?
SQL Injection [https://www.rapid7.com/fundamentals/sql-injection-attacks/]
is one of the oldest and most embarrassing vulnerabilities web-enabled code
faces. It is so old that there really is no excuse for only a niche of people
(namely web security professionals) to understand how it works. Every time I
think we've beat this topic to death, SQL Injection finds its way back into the
news. This post is my attempt to help anyone and everyone understand how it
works and why it's such a persist
2 min
Verizon DBIR
Getting Started with VERIS
We did a webcast with @hrbrmstr [https://twitter.com/hrbrmstr] and @gdbassett
[http://twitter.com/gdbassett] from the Verizon team last week, discussing how
to get started with VERIS, the Vocabulary for Event Recording and Incident Sharing.
If you missed that webcast, check it out!
[https://information.rapid7.com/understanding-veris-the-dbirs-secret-decoder-ring.html?CS=blog]
If you joined us, thanks for coming out. We've attached an Excel spreadsheet
with a couple of examples to help you get started at
1 min
Trey's InfoSec SitRep [09 Nov 2015]
In the News
Man Who Tried to Hire Hacker to Wipe Out Court Fines Sentenced to 2-4 Years in
Prison | SoftPedia
[http://news.softpedia.com/news/man-who-tried-to-hire-hacker-to-wipe-out-court-fines-sentenced-to-2-4-years-in-prison-495675.shtml]
Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack | Wired
[http://www.wired.com/2015/11/hackers-claim-million-dollar-bounty-for-ios-attack/]
(Just in case you missed this publicity stunt...)
The cost of immaturity | The Economist
[http://www.econ
7 min
CISOs
Security Budget Tips, from CISOs, for CISOs
CISO Series: Budgeting
I have provided a brief overview of the genesis of the CISO series
[/2015/10/27/introducing-the-ciso-blog-series], and now it is time to tackle our
first topic: security budgets. Whether you're the CISO of a large public company
or leading security at an early-stage startup, rich in headcount or forced to be
tight with the purse strings, reporting into the CIO, COO, or elsewhere in the
organization, the fact remains that budget conversations are among the most
critical and
2 min
Verizon DBIR
What is VERIS?
Data-driven security is all the rage, and laughably few of us encode and analyze
our programs… and for good reason. It isn't easy. This post will talk about
VERIS, a framework for describing security incidents in a precise way.
We all have a plan, a security program, compliance regulations, and super busy
calendars—but what is working? The answer is hidden in plain sight, it just
needs to be analyzed. And this is why we all love the DBIR.
If you aren't familiar with Verizon's DBIR (Data Breach
1 min
CISOs
Introducing the CISO Blog Series
Since joining Rapid7
[/2014/01/27/supporting-the-security-community-why-i-joined-rapid7] I've gotten
to work on some pretty cool projects, the most recent of which is capturing a
body of knowledge for the community… by CISOs, for CISOs.
The evolution of the CISO role, of course, is nothing new, and there's plenty of
analysis on it for anyone who's interested (for example, Forrester has a great
report called Evolve To Become The CISO Of 2018 Or Face Extinction
[https://www.forrester.com/Evolve+T
1 min
Trey's InfoSec SitRep [26 Oct 2015]
I keep getting asked about what's happening in the news. Because I'm so
efficient—and that's hacker-speak for lazy—I go to a couple of key sources for
news. One of my absolute favorites is Patrick Gray's Risky.biz
[http://risky.biz/].
Since I'm often sharing links of note and important news, I thought I'd share
this information with a broader audience in case it helps you out, too. So for
this week, here's a small selection of some recent news:
Breaches you should know about:
* Hack Brief: Hacker
1 min
Building an Effective Security Team
Concluding our National Cyber Security Awareness Month webcast series
[https://information.rapid7.com/cyber-security-awareness-month-2015.html?utm_source=facebook&utm_medium=post&utm_content=csam-webcast-series&utm_campaign=facebook&CS=facebook],
next week I'll be joining a discussion around how to develop, nurture, and
retain good security staff:
Building an Effective Security Team
[https://information.rapid7.com/building-an-effective-security-team-live.html]
Wednesday, October 28th at 11am E
4 min
Events
The Black Hat Attendee Guide Part 5a - The Magic of People
Joining us for the first time? This post is part of a series that starts right
here [/2015/07/13/the-black-hat-attendee-guide-part-1].
So this post is a bit of a bonus. I've asked my dear friend Quinton Jones
[https://www.linkedin.com/in/quintonjones] to share some wisdom and inspiration
on how he injects passion and energy into his introductions. He's simply
unforgettable, one of the greatest customer champions and business development
folks I know, thanks to his passion for people. Please enj
4 min
Events
The Black Hat Attendee Guide Part 8: Trip Reporting
This is the eighth and final post in our Black Hat Attendee Guide series—you can
start from the beginning right here
[/2015/07/13/the-black-hat-attendee-guide-part-1].
Big gulps, if you've made it this far in the guide—you've arrived, this is the
last post. When you get back from Vegas, you'll probably have a couple of
reports you're staring in the face.
First is the expense report. (Pro-Tip: Take cell phone pictures of everything
you spend a dime on!) Before you leave, double check the mini
5 min
Events
The Black Hat Attendee Guide Part 7: Your Survival Kit
Joining us for the first time? This post is part seven of a series that starts
right here [/2015/07/13/the-black-hat-attendee-guide-part-1].
Hacker Summer Camp is no joke, and you've got to have a game plan when you head
for Vegas. If you don't travel frequently, this is for you.
Ignoring sartorial conundrums and basic hygiene, this post is focused on keeping
your body operating at peak… or at least somewhat operational.
Vegas: It's nothing like home for most of us. Desert allergens, low humi