Attacker Mindset 101 — Welcome to the Red Team

Security engineers who possess red team skillsets are the most powerful offensive weapon toward uncovering risk across an organization — but they must also know the technology basics in order to be most effective.

A dedicated group that assesses security methodologies through adversarial simulation is commonly referred to as a “red team.” These exercises are a hallmark of the information security lifecycle due to their ability to identify systemic risk that had not been taken into account. This model provides incredibly valuable insights to security teams. From testing security controls to assessing the human element, the ethos of a red team embodies reflection, awareness, and a constant determination to disprove assertion through real world action.

In security, we use the Johari Window to analyze the delta between our systems’ defenses and what we’re defending our systems from. By bucketing threats in this way, we gain a better understanding of our weaknesses, which ultimately makes us safer and more secure.

The most difficult quadrant to defend against is the “blind spot.” In the last few years, we’ve witnessed some of the world’s largest organizations become compromised in overwhelming fashion. In 2010, a high-security French bank was breached by unknown attackers in ways the bank had previously considered impossible. This is just one of several examples where the cunning criminal drastically outsmarted well-funded, and frankly overly confident, defenses.

So, how can companies develop defenses for complex risk of which, by definition, they have no awareness?

Enter the world of the red team.

A red team’s mission is to simulate threats to identify previously unknown and unmitigated risk. Through a unique blend of adversarial engineering and standard penetration testing methodologies, red team exercises are meant to challenge your organization’s belief in the strength of their security. By emulating a wide array of threat actors, red teams bring perspective uniquely suited to the iterative development models commonly practiced in information security programs.

As my career has progressed, I’ve developed a firm belief that security engineering candidates should possess red team skillsets. It’s often, and truly, said that the best defender is also the best attacker. We live in a world where nerds are attempting to outsmart criminals — being able to embody an attacker’s mindset is a top priority. Even if your organization doesn’t have an official red team, your security engineering team will be much more effective and strategic if required to hone red team skillsets. Following the practice of screening candidates for these skillsets will help you develop a stronger team that will uncover issues at a reliable pace.

One caveat: your work will include much more than red teaming. Eventually, you’ll have engineers scattered across your security organization with a fantastic ability to uncover risk. Some of them might be building logging pipelines, while others are doing forensics. Fortunately, there are amazing opportunities that enable your team to continue to sharpen their skills.

One of the pinnacle events for me is the annual Collegiate Cyber Defense Competition (CCDC). CCDC is a purely defensive security competition designed to measure college students’ abilities to protect and secure information systems. During the event, competing teams of eight students, known as a blue team, are placed in identical enterprise-grade networks that are configured to emulate a real company. The student teams must then race against the clock to secure the systems and maintain the integrity of the services they provide.

In order to make this work, the competition recruits a singular red team to emulate real world threats. The red team will both measure the effectiveness of the competitors’ security methodologies and conduct gap analysis to identify vulnerabilities the students have missed. These are documented and factored heavily into the overall score and outcome of the competition.

CCDC is nationwide, with everything from state-level competitions to the national championship hosted by the Center for Information Assurance and Security. They employ several full-time staff to design and architect the complex infrastructure required for the event. Last weekend was my sixth time red teaming the National Championship. I’ve used this opportunity over the years to improve my capabilities, regardless of my day job. While the blue teams spend the months leading up to the competition practicing security hardening and vulnerability management, I take the opportunity to improve my skills by studying cutting edge offensive security techniques. These skills are invaluable, for both the competition and my day job.

One of the questions I am asked the most is, “How do I get into red teaming?” or “How do I become red team?” Red teaming has such broad appeal in our industry, and it’s a hotter topic than ever right now. It’s also a bit taboo because, after all, you are breaking rules to expose flaws, so people are even more drawn to it. Attacks are often mystifying because, as stated previously, the unknown unknown will leave the mind wandering, attempting to uncover the methods.

Thusly, I’ve started tweaking my response to that question. One of the most common mores I witness is how worshipped offensive security is by a large segment of our community. With hacker culture moving from underground to mainstream populism in society, the security community has evolved into a global industry. This has shifted the balance of power in a number of ways. The Pareto Principle is stretched incredibly thin, with the vast majority consuming tools and software produced by a small but growing group. This phenomenon leads to misconceptions about what is really involved in participating in a red team.

As valuable as it is to be able to channel the attacker’s mindset, it is incredibly beneficial to be able to develop your tools. No effective outcome has ever occurred from leveraging only offensive tactics before developing more basic, albeit seemingly mundane in comparison, skillsets. Writing effective software takes both strong muscle memory and lots of practice. Learn to embrace the less glamorous, often overlooked skills. Developing software engineering skillsets, including a deep knowledge of computer systems, libraries, and protocols, will act as a force multiplier in your security career.

I’d also strongly encourage people with those questions to really understand the effort that goes into red teaming. Dave Cowen, our NCCDC red team captain, and I were chatting after the competition and talked about the traits that really make a strong red teamer. These are the four:

Knowledge – Possess a broad understanding of the systems and technology you’re attempting to circumvent. This is where I strongly encourage folks to study and read about emerging technology. The more you’re familiar with databases and web servers and routers, the better you’ll be able to understand their weaknesses.

Methodology – Adhere to a methodology that best sets you up for success. Red teaming can be frustrating and if you abandon your principles, you’re going to end up down the wrong rabbit hole with nothing to show for it.

Agility – Adapt to chaos. In the real world, things change for thousands of reasons. It’s not your job to figure out why, it’s your job to adapt and continue moving forward.

Grit – Persevere. I can say first-hand the difference between success and failure can be measured in grit. Though last on the list, this is most important.

For example, when I was at Lares, I learned so much from Chris and Eric. The most valuable lesson of all was learning to stand up to adversity and see the job through. I’ve never met a more determined group of individuals and the results speak for themselves. Again, at Western Regionals, while everyone was hunting vulnerabilities, I sat and made wordlists by hand. I scraped IMDB for potential usernames. I used awk and sed to generate the wordlists. I narrowed a password list down. Miraculously, one of them worked. It was the much-needed entry point to our first shell of the competition. It wasn’t pretty, it wasn’t glamorous — but it got the job done by the force of sheer will.

I want to see more companies embrace the practice of red teaming as one of learning and self assessment. I want to see our community stop glorifying red teaming as the end all, be all. We only cover one quadrant of that Johari Window. There are three times the amount of work needed to cover the other three. Don’t follow the crowd, be yourself. The required grit I wrote about above will show success in any career path you take. I promise.

I’m working on a more detailed, technical post about the infrastructure tech we built for red team this year. You probably saw in Dave’s NCCDC debrief about our infrastructure and were wondering “WTF?” I’ll try and answer your burning questions in that post set to come out in the next week or so.
Cheers!

Alex

CCDC 2015 Debrief: Red Team Identity

Welcome back folks! It’s been almost a year since I updated this, but given that the Collegiate Cyber Defense Competition (CCDC) has wrapped up for this year, a new post is needed.

This was an important year for the competition. It was the 10th anniversary and Dwayne, Kevin, and Jessica put forth the best competition I’ve experienced yet. They’ve refined their craft over the years and the final product has become the pinnacle information security competition event in the country in my opinion.

For me, it marks my 11th CCDC event and 8th time red teaming. The last four years, I’ve red teamed both the Western Regionals and National competitions. As those hours have added up, I’ve thought a lot about the dynamics of the red team. We have a rather complex relationship with the whole event that I think should be better understood. A few of the hats we wear while at the event are:

Simulated Adversaries

The competition couldn’t claim to be a test of defenses without an offense to face off against it. The red team must effectively hold a realistic adversarial position against the competitors. We are comprised mostly of experienced information security professionals who use their skills and knowledge to emulate a top skill attacker on the network.

The best red team members not only bring technical knowledge to the table, but a metaphorical mask by which they become this digital assassin, executing attacks with precision and ingenuity. When you sit down, you are the bad guy. You are the adversary. A speaker during the closing ceremony today described the red team at Nationals as a “Motley Crew” of mad hackers. It’s true. We have different backgrounds and mindsets, but when you put us in a room together we become the enemy in fierce pursuit of the blue teams.

For me, that passion is fueled by a desire to demonstrate a world class threat. It’s rare you get to experience an attacker first hand outside of a real breach. As a former competitor, I can tell you that’s a huge selling point of the event to blue team members. No longer are you inside of a lab at school or messing around with virtual machines at home. A real person whose job is to infiltrate your systems is sitting on the other end of a wire and if you don’t act, it will have consequences.

Which brings me to my next job of red team:

Human Scoring Engines

Our impact on competitors has direct consequences to the competition. A successful breach will cause a competitor to lose points. That means we have to take our job every bit as seriously as the white team. Our Motley Crew might appear to be a band of trolls to an outsider, but we fully understand our ethical responsibility in fairly and accurately scoring the competition. Underneath the fun, there is stone cold dedication to the success of the competition.

While often the term “RED VS BLUE” is used to describe the competition, I find it to be inaccurate. This competition is about BLUE VS BLUE. The red team is no more competing than the white or the black team is. While we wear the mask of the hackers, we are there as a learning simulation with scoring implications. Period.

But maybe the most important role we take on is as…

Mentors

A large part of the reason the concept of RED VS BLUE continues to persist is the camaraderie woven throughout the event. Those of us who have previously been blue team have come through the program and become friends and co-workers with the red team. I don’t believe that kinship would exist without the fun and humor of the back and forth between the blue teams and the red team. Every year we see pictures in debriefs of funny hacks and situations that we can all laugh about for years to come.

That builds just the sort of relationships that blue teams need. In the end, we’re there to help you learn and develop your skills that will ultimately define your career. It’s no secret that we exist in a small industry and building connections to the red team has incredible benefits, regardless of the outcome of the event.

When I blue team’d at Nationals, we didn’t even place, yet the connections I made there are now directly responsible for my employment with Lares. I encourage every competitor to engage with the red team. We are there to support you, your career, and share in the memories of the competition with you. Next time you see us hanging around a table in the hotel late at night after the competition ends, come hang out and let’s talk about the entire experience.

Which at the end of the day is what this competition is all about. We might be rebels, loud and opinionated, but we’re there to fill the void that no one else can and volunteer an experience that competitors year after year will find nowhere else.

Conclusion

Thanks again to EVERYONE involved – white, black, red, blue, orange, gold teams – this competition wouldn’t be what it is without it. Congratulations to the University of Central Florida for their 2nd win in a row! Now my work begins planning and building new stuff for next year.

CCDC 2014 Year in Review

As I’ve been sitting on this plane heading back to San Francisco from the 2014 National Collegiate Cyber Defense Competition (CCDC), I’ve been trying to come up with one word to encompass my views on this event. This will conclude my fifth year involved in CCDC. The first two I spent as a blue teamer; the latter three as a member of the regional and national red teams.  What is it about CCDC that keeps bringing me back? I’m not getting paid nor am I hiring anyone. Yet, I keep returning year after year. I think I get it now.

passion |ˈpaSHən|
noun
• an intense desire or enthusiasm for something

That’s the word I’m looking for. Passion.

From my very first year competing, there was something indefinable that pushed me to pour every ounce I had into the competition. Even though at that time I was a junior member of our team, the desire to learn as much as possible was very real. I think this is what professional athletes must experience. There is something beyond your skill that keeps you up at night, fueling your train down the tracks.

And I think the reason CCDC and I have such a strong bond is because it’s one of the rare places where others bring that same energy to the table. All teams (white, red, black, orange, blue, gold) and sponsors are continuously adding to that pool, mixing and stirring a fervency you simply can’t find anywhere else.

This is why the competition is getting better from all angles. The tradecraft is getting refined by all parties. It’s an incredible effort to be a part of.

On that note, I’d like to now take some time and give some positive feedback to individual sets of those involved (both regionally and nationally).

To red teams:

Don’t get complacent in your duty. The blue teams are getting better and as they do, so will we. Our participation, while energetic, is only a single component to this competition. Others are expecting you to challenge blue teams in a way only you can do. Embrace that and play your part. Contribute and coordinate – the more you do, the better your red team will be.

To white/black/gold teams:

Continue to make the competition as real world as you can. It’s easy for those of us who have worked in the security industry to understand what a real corporate environment is like, but there is a very real possibility a blue teamer has had zero exposure, and therefore zero understanding. Even with the immense differences CCDC environments have versus a real enterprise, it is still a goal worth chasing because that is what makes CCDC participants valuable. They’ve had that exposure to something other than a classroom or textbook in a situation that will push them to think critically under pressure.

To blue teams:

Don’t worry about the results. The most valuable part of CCDC is not the trophy – it’s the experience. You spent months preparing for this – learning every moment along the way. As someone who’s been in your shoes, let me tell you – that’s the true prize. The knowledge you’ll walk away with is priceless. Yes, the competition side is fun, especially when you develop a rivalry with another team, but once you graduate and are out, you’ll be working side by side with the same people you competed against and who won or lost will seem trivial. Focus on getting better, and be proud of yourself and your team when you do.

To sponsors:

Thank you for your support. Without you, all CCDC events would not be possible. My only feedback to you is this: When you send volunteers to the competition, who you send will reflect on you far more than the amount on the check. And that image will be seen by more than just competitors – other sponsors, red teamers, and other volunteers will pick up on it.

One of the best examples of this I’ve seen was FireEye’s choice for their red team seat at Nationals. They sent Dan Borges, a young, but talented engineer, to fill that seat. They picked someone who possessed passion just as I talked about above – and that passion drove Dan to produce tangible results in his position. That dedication can only come from someone who deeply understands what CCDC is about – something Dan can bring to the table given his previous security competition experience.

I encourage all sponsors to take seriously who they send – recruiters, management, and even technical folks. You want to connect with the participants. Having someone like Dan who can connect and relate to the competitors is the single best contribution you can make to the competition.

To those not involved:

Seriously ask yourself why.

If you’re faculty or an administrator at a college which doesn’t participate – what are you waiting for? The fact that schools such as Stanford and MIT, which have long been associated with the best and the brightest, don’t participate is disappointing. Get on board. You will very quickly learn whether your curriculum is adequately preparing graduates for jobs in the information security space (likely not).

If you’re an organization, what is stopping you? I’m looking at all the companies out here in the Silicon Valley. I’m shocked that you don’t throw more support behind this. Your fast moving companies are on the forefront of technological innovations, yet you don’t tap into one of the deepest veins for young, fresh security talent. It’s not just about filling positions. This is the next generation of professionals in the security industry. Connect with them in a rich, meaningful way.

Lastly, to myself:

Keep giving in to that passion. Every year I come through with more skills than previously, and it’s only making me better. I have no certifications worth mentioning nor do I regularly frequent conferences. CCDC is my venue to give back to those who have made me better. I have to give a huge thanks to my employer Lares Consulting for all their contributions to me and CCDC as well. Chris and others have been strong supporters of CCDC events both regionally and nationally. Without question, they supported my desire to contribute as much as I could because they have recognized the theme of this post: passion. These are the most passionate group of people I’ve ever worked with and I couldn’t be happier.

Truth be told, I wouldn’t have the opportunity to work with them today if it wasn’t for a CCDC event four years ago.

 

And that concludes the 2014 CCDC season. Congratulations to University of Central Florida on your win, and huge kudos to everyone else involved. Time for me to go back to the drawing board and begin cooking up new ideas for next year.

Times to Let Pass

In the last six months, my two remaining grandparents, my dad’s dad and my mom’s mom, have passed away. Both of them were fantastic individuals, dedicated to their families. They couldn’t have been more opposite if they tried. Grandpa “Buzz” was a scholastic enthusiast, constantly pushing everyone around him to learn more. “Mimi” was the epitome of the “Southern Belle”, a classic woman born and raised in Alabama whose spirit was always vibrant. One would feed me books, the other, biscuits and gravy. Their presence in my life is now forever seared into my memory. The good, the bad, and the ugly.

In a few months, I’ll hit 25 in age. According to Wikipedia, life expectancy in the US is a little over 77 years old. Take that down to 75 to account for my less than acceptable habits, and I’ve just marked the first third of my life complete. The three generations I grew up with have now been reduced to two.

The question I keep pondering is: by what metric is our satisfaction derived? Accomplishments? Experiences? Financial stability? I think it’s obvious that each of us has to figure that out for ourselves, but do we really contemplate it, let alone act upon its guidance?

I don’t think I’ve figured out my answer yet. It could be something that evolves or that you constantly chase? It’s a question to at least try and get out in front of.

As I sat next to Mimi on her final days, it became clear to me that when you find yourself approaching death’s doorstep, finding salvation might be the most important thing. That salvation isn’t simply a religious experience, although I don’t deny it is the most critical part to some. I put myself in her shoes over and over again. “What would I tell myself? How would I come to terms with the situation?” She loved her life, just as I do. Putting the macho-ness of our masculine society in its place for a moment, I’m going to say that I believe the vast majority of us aren’t prepared for that reality. Witnessing someone else I deeply loved and cared for go through that was a wake-up call for me.

I’ve made the choice to live a life of broad experiences. As I passively survey my Facebook friends I grew up with, it becomes clear I’ve taken the plunge out of the nest of normality. That’s not to say I’m doing better or worse than others – it just happened to be the decision I made. Look at the United States in the late 1700s. Much of the country continued to develop along the eastern seaboard while others, for whatever their reasoning was, moved west into the unknown. Regardless of the motivation, I deeply understand that thirst.

As the last 25 years have been one hell of a ride, I now look to the future. My salvation lies in that quest to chart the unknown, to brave the storm, and come out on the other side into the oasis untraveled. The wilderness is calling. Time to do what I do best.

Stay tuned for future updates.

CCDC 2013 Red Team Feedback

Thanks to the efforts of so many people, we’ve finished another great Collegiate Cyber Defense Competition season. I was fortunate to be invited to take part in the Western Regional and National red team. Being a former blue teamer, I thought it’d be worthwhile to share some feedback from my red team point of view. While related to CCDC, many of these points have been valuable for me in the workplace.

Disclosure: My attacks targeted *nix systems, as well as web and databases, so my feedback will be scoped as such. The principles though should apply across the board.

Good Operations are a MUST

Any time I’m at a USCC or CCDC event, I ask the competitors about what they want to do. The most common answer I get is “I want to do penetration testing” or some other form of “offensive” security. While I don’t deny it’s a fun area within security, the parity of offensive and defensive skills cannot be underestimated. If you want to attack a network, show me you can defend one. Period. So how do you do that at CCDC?

When I was on blue team, I debated with others whether it was more valuable to be good at security or good at systems administration. Having now gone out into the field and worked as both an operations and a security person, I think I’ve settled on a conclusion.

They are symbiotic, and without one, the other WILL struggle.

You should practice being an operator of systems. Run Linux at home. Use it. I can’t tell you how many times at CCDC I’ve watched a blue teamer Google search (while we watch through VNC) something like:

– How to reset MySQL password
– How to stop a service on Fedora
– How to install a package on FreeBSD

If you find yourself doing this, then you need to spend more time learning how common operating systems and network services work. To secure a system, you’ll have to know how that system works. You’ll never be effective until you do. Here is a short list you should know how to do without Googling on multiple OSes:

– OS User Administration: Users, Groups, Sudo, Permissions, Change Passwords
– Remote Access: OpenSSH Server, FTPd, VNC/RDP, Define ACLs
– Database Access Control: Change Passwords, Set Host Masks, Investigate possible PII

You should know how to use operating systems just as you know how to use Facebook or your cell phone. Which brings me to my next point:

Please, know how to use logs.

Since I started red teaming, I hear blue teams talking about rumors of kernel rootkits or “0day” that the red team has deployed. While complex attacks like that can happen, there is absolutely no need for me to use it if I can just log in via SSH as root with a default password. Carl, a fellow red teamer, put it best:

“Why would I waste valuable time packing malware in a way that won’t get detected if blue teams aren’t going to install anti-virus anyway?”

At both Regionals and Nationals, I start by leaving breadcrumbs of my access on a system. If you catch it, I know I need to cover all my tracks, but if you don’t, hell, I won’t waste my time. This is one of the key areas where good operations will create the foundation for good security. Knowing where the important logs are on a system and how to tail and search them is going to determine whether you retain ownership of your server or I claim it as my prize and eat popcorn while watching you Google.

You can do this in several ways. You can get fancy and use Splunk (free trial available) or simply use some tail -f log | grep. With these skills, you’ll be able to identify breaches more rapidly and begin the proper incident response process to fix the problem. Which is another great segue into my final point:

Think twice before killing my shell.

When you see (where root is not you):

alex@ccdc-test-1:~$ who
alex pts/0 2013-04-23 18:24 (192.168.1.1)
root pts/1 2013-04-23 17:14 (192.168.1.129)
alex@ccdc-test-1:~$

Figure out how root got access before killing his shell. This gets brought up every red team debrief, but I cannot stress this enough. I know the feeling. I was blue team once. When you know that red team is on the other end of a keyboard logged into your box, you want nothing more than to fix the situation, you panic and overreact. In that moment, you need to rely on your operations skill and do quality incident response. The basic incident response process should look like this:

  1. Gather Information: Figure out what is going on, gather evidence from multiple sources
  2. Create Hypothesis Based on Information: Now you have a global view of what’s going on
  3. Determine Remediation Steps: Note Plural. If this comes out to be “Kill The Process” or “Kick Him Out!” then you’ve failed this step. Make this technically detailed. It should be supported by your evidence and hypothesis.
  4. Execute Plan: Now you act.
  5. Detail Report: If you’ve followed steps 1-4, you’ll have already done the work to submit quality incident reports to the white team. Every point counts and following this process will help ensure you get something for the inevitable breach.
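
One way to carry out step 1 for the who output above before touching the session, using the log-searching skills from the previous section (an added example, not part of the original post). It takes the root session from 192.168.1.129 and looks up in the sshd log how that login authenticated; the auth log lines, the allow list of blue-team source addresses, and the function names are constructed for illustration, with the log lines following OpenSSH's usual syslog format.

```shell
#!/bin/sh
# Added example: correlate an unexpected `who` session with sshd log entries.
# WHO_OUTPUT is the session list from the post; AUTH_LOG is constructed
# sample data (on a live system it would be /var/log/auth.log or
# /var/log/secure, depending on the distribution).

WHO_OUTPUT='alex pts/0 2013-04-23 18:24 (192.168.1.1)
root pts/1 2013-04-23 17:14 (192.168.1.129)'

AUTH_LOG='Apr 23 17:13:41 ccdc-test-1 sshd[2211]: Failed password for root from 192.168.1.129 port 50122 ssh2
Apr 23 17:13:52 ccdc-test-1 sshd[2211]: Failed password for root from 192.168.1.129 port 50122 ssh2
Apr 23 17:14:03 ccdc-test-1 sshd[2214]: Accepted password for root from 192.168.1.129 port 50124 ssh2
Apr 23 17:14:03 ccdc-test-1 sshd[2214]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 23 18:24:10 ccdc-test-1 sshd[2302]: Accepted publickey for alex from 192.168.1.1 port 41010 ssh2'

# Reads `who` output on stdin and prints "user tty source" for every remote
# session whose source address is not in the space-separated allow list $1.
unexpected_sessions() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            src = $NF                      # last field, e.g. (192.168.1.129)
            if (src !~ /^\(.*\)$/) next    # no source recorded: not a remote login
            gsub(/[()]/, "", src)
            if (!(src in ok)) print $1, $2, src
        }'
}

# Reads sshd log lines on stdin and prints the authentication method recorded
# for each accepted login of user $1 from address $2 (password, publickey, ...).
login_methods() {
    awk -v u="$1" -v ip="$2" '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted" && $(i+2) == "for" && $(i+3) == u && $(i+5) == ip)
                    print $(i+1)
        }'
}

# Reads sshd log lines on stdin and prints how many failed password attempts
# were logged for existing user $1 from address $2.
failed_attempts() {
    awk -v u="$1" -v ip="$2" '
        / Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "Failed" && $(i+3) == u && $(i+5) == ip) c++
        }
        END { print c + 0 }'
}

# Evidence for the hypothesis step: one line per unexpected session saying how
# the account got in. $1 = who output, $2 = auth log text, $3 = allow list.
triage() {
    printf '%s\n' "$1" | unexpected_sessions "$3" |
    while read -r user tty src; do
        methods=$(printf '%s\n' "$2" | login_methods "$user" "$src" | sort -u | paste -sd, -)
        fails=$(printf '%s\n' "$2" | failed_attempts "$user" "$src")
        printf '%s on %s from %s: auth=%s failed=%s\n' \
            "$user" "$tty" "$src" "${methods:-none-logged}" "$fails"
    done
}

# 192.168.1.1 is assumed to be the blue team's own admin workstation.
triage "$WHO_OUTPUT" "$AUTH_LOG" "192.168.1.1"
```

A result of auth=password for root points the remediation plan at the root password and at whether root should be allowed to log in over SSH at all, which killing the shell would not have addressed.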

Conclusion

Whether for CCDC or work, these points will make you a better security professional. I don’t care if you’re interested in offensive or defensive security, your operations kung fu will be a valuable asset to you and your team.

For all the competitors this year, great work. Regardless of winning, simply competing is experience that you will use for a lifetime and that’s worth more than any medal or award. I do want to extend a special congratulations to my old school RIT for taking home the Cup. Feel free to join me and others in the #ccdc channel inside Freenode. This is a great community and I’m proud to be a part of it.

$ ssh 2014.ccdc
$ /etc/init.d/planning start

The Biggest Need in Cyber Security

After seeing this come across my news feed and several people comment on it, I thought I’d dump some thoughts. Maybe someday I’ll collect this into a more coherent editorial, but for now this will have to do (lots of code to write, haha).

Basically, if you didn’t read the article, the White House Military Office had a piece of malware installed on it through a spear-phishing attack. Someone clicked on a link in an email that infected their system. The White House has confirmed it, but also confirmed what I suspected – it was on a declassified civilian network and not the ones with the “nuclear codes” or other top secret information. And while everyone freaks out over this, I’d like to present some thoughts on why the WHMO hack is less important than you think, and this other problem is far more urgent than anyone, IT professional or otherwise, realizes.

My biggest fear is not that the US Government is going to get hacked and a nuclear weapon is going to be launched. What keeps me up at night is the fact that hundreds of thousands of US businesses don’t maintain any sort of security in their computer systems. Estimates suggest that as many as 85% of small to medium businesses are not doing enough to secure themselves and are therefore vulnerable. Their failures are not negligence either. Technology has progressed at such a high rate, the systems administrators have hardly been able to keep up. Information Security used to be a job that could be managed by the administrators, now it’s such a complex science (see: art) that you need highly specialized people just to meet requirements. This is a very hard subject for Republicans and Democrats alike. Democrats cry out for regulation. Republicans cry out for defense spending.

Here’s the problem with both: there is nowhere near the resources needed to do either. Same with Republican defense spending. You can give the DoD all the money in the world or regulate all you’d like, we simply don’t have the human capital to protect the countless computer networks our world has grown to rely on. Half the reason US Government networks are insecure is the manpower. Regulation auditors or Cyber “forces”. Take your pick, the skill sets required for each are very similar.

And the estimates right now for human capital say we need 10,000 top tier cyber experts immediately and another 30,000 over the next 5 years. Currently, it’s estimated that there are fewer than 1000 people in the United States with enough skill to be effective. The Chinese can hammer our government networks all they’d like. They do, but don’t get far. Trust me. I’ve worked closely with several people on this problem. Alan Paller, Chair and Director on Board, at the SANS Institute as well as Karen Evans, Former CIO of the United States under President Bush, have both extensively researched this lack. Here’s a paper delivered to President Obama in November 2010 outlining this issue.

Hackers also hammer any business they can in the United States, with most small businesses completely oblivious to their penetration. They infiltrate, they steal – and usually not money, mostly intellectual property – and they spread. They maintain a low profile and most anti-virus, even when up to date, won’t protect against it. Good luck having your contract IT worker clean them out. As the young generation grows up learning technology, it becomes like taking candy from a baby to do these things. If Sony’s breach showed us anything, it was that even the biggest companies are extremely vulnerable. And the best hackers? You never hear about their work. That’s how good they are.

It’s these businesses that are being hurt, and in turn our economy, by this cyber “war”. Being part of that elite 1000 has motivated me to attempt to grow the size. Although I’m blessed with some of the best job security of any career field in the world right now, it pains me to see us losing this fight. I have dedicated a substantial amount of my time to volunteer high school and college programs geared towards training and identifying the best young cyber talent in the country and put it on a path to an effective career. So far in the US Cyber Challenge (USCC), we have brought through over 1000 competitors nationally who have shown potential in the cyber field and gotten them in better training programs.

How do I know these programs work? I was one of them. I came through the US Cyber Challenge in the Summer of 2010. I’ve since dedicated as much time to them outside of work as possible. I also have strongly supported the Collegiate Cyber Defense Competition (CCDC). I was a competitor throughout my time as a student at the Rochester Institute of Technology and also as a volunteer red teamer, both regionally and nationally. CCDC now has over 100 schools competing in a national bracket. It is truly the NCAA of cyber security. Dwayne Williams and his staff are the best in class for competitive cyber security.

The biggest gap in security we have is security education. And as much as I have spoken about above, there is still a huge need.

  • We need to find and groom the best young talent to increase the work force.
  • We need to re-tool our current IT work force with more security knowledge that they can apply to their jobs.
  • We need to bring security into the mainstream. Typing classes are nice, but with kids sitting behind screens from such young ages, it’s important that we train all youth in good cyber “hygiene”.

Wherever you fall in those three points, make a difference. The safety of our digital world depends on it.

Romney Video Exposes More Finance Collusion

In case you haven’t seen, Presidential Candidate Mitt Romney likes to have big fancy dinners, reportedly bringing in $40,000 a head. In these private good-ole-boys club meetings, he likes to show his true form. Many secret videos of him are taken. Check them out if you haven’t seen them here.

What has now come to light is the identity of who owns the estate this party is held at. A gentleman by the name of Marc Leder. Marc has been a long time friend of Mitt. But here’s some more interesting facts.

Looking back at the analysis I did, we’re able to see Marc’s name actually show up as someone who gave $225,000 to Romney’s main SuperPAC (which is run by former Romney aides).

Not that I think they’re any good in the first place, but aren’t SuperPACs supposed to run independent of Presidential Campaigns?

My two cents on this matter.