Who am I:
What do I do at Secure Ideas:
Like James, I end up doing just about anything. As a sysadmin by background, I am usually the one who gets asked to do something on the servers. I spend quite a bit of time working on client engagements doing penetration testing or architecture reviews. I’m also responsible for coordinating speaking opportunities. So if you would like someone at Secure Ideas to speak at your event, please let me know.
What is my security background in a nutshell:
I started out as a systems administrator and bounced back and forth between Windows, FreeBSD and Linux. My experience was heavy in infrastructure and operating large web applications. Somewhere along the way I got interested in security and started looking for chances to take on those responsibilities. Fortunately, I was one of the few interested in the topic, so I got lots of work to do. A major turning point was when I wrote Reconnoiter because of an argument over appropriate controls on a system. I found myself meeting and learning from a lot of folks in the security field. While I’m on the offensive end of things right now, I’m still very interested in defense. Hence, the reason why Tactical Security Operations is being written right now.
What is my favorite attack:
Cross Site Request Forgery (CSRF) is one of my current favorite attacks right now. It’s one that is more difficult to explain to folks, but can do some really damaging stuff. Usually my attacks involve abusing the business logic of an app in some way, but it’s very cool when you can use it to embed Cross Site Scripting into an app and hook your victims with BeEF.
What am I learning about now:
I’m spending a lot of time reading and thinking about defense. I’m a pretty firm believer that an attacker will find a way in if they really want to, so we need to have the capabilities to detect and respond to them. It isn’t enough to stand up basic defenses and passively wait for one of them to send us an alert. We need to be out there hunting down systems and issues in our networks. Don’t wait for the bad guy to find them first.