Today’s interview is with SMS smartphone researcher Georgia Weidman. Georgia is is currently Director of “Cyberwarface” at Reverse Space and resident videographer at NoVa Hackers. Oh and then there is that full time day job thing.
As usually we would like to give a big shout-out to Andrew “@andrewsmhay” Hay, who started this whole Information Security D-List Interview idea. Similar to how we created the NovaInfosec Twits concept based on the popular Security Twits lists, we decided to bring this interview format to our blog but just focused on people that live, work, or play in NoVA, DC, and MD. The whole idea is to help the local infosec community get to know one another a little bit better. Finally, if you’d like to nominate someone for a NovaInfosec D-List Interview, please Contact Us and let us know why they should be featured.
And without further ado, here’s the interview…
Q1: How did you get started in infosec and end up in the metro-DC area?
A: I didn’t get started in infosec until graduate school. My mother always said I should be a hacker when I was younger, but my only exposure to it was reading a book about hackers going to jail, so I wasn’t that interested in following that particular career path. In graduate school I got involved in the cyber defense club and Collegiate Cyber Defense Competition (CCDC). I was hooked. Soon I had to be reminded to leave the infosec lab to go to class.
I first came to Virginia to attend an early college program. My first job was as a government contractor doing vulnerability management, so I found myself in the DC area. It was a good choice for me, since a lot of the contacts and mentors I met through the CCDC are DC-metro based.
Q2: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
A: I have a M.S. in computer science with emphases in secure software and information security, but most of what I have learned about infosec has been self taught. I learned a lot in the CCDC, both as a student team captain and since graduation as a red team member. I have an Associate CISSP and the Offensive Security Certified Professional (OSCP) certifications. I recommend the OSCP to anyone interested in pen testing. In order to get the certification, you have to penetrate real systems rather than just take a written test. While certifications and education certainly help get you in the door for the positions you want, I think a passion for learning infosec on your own time is most important for making the most of an infosec career.
Q3: What advice would you give to people who want to start an infosec career in the local area?
A: We are lucky in this area that there are so many meetup opportunities with others in the field. I personally recommend the NoVa Hackers group. The meetings are structured around participants presenting their work to the group. It’s a great place to get feedback and practice presenting in an informal setting.
There are also several Hacker spaces in the area. I am personally involved in the directorship of Reverse Space, the Northern Virginia hacker space. Joining a hacker space is another good way to network, get involved in projects, and learn more about infosec.
Q4: What was your favorite local infosec assignment (and why)?
A: I love being on the red team at cyber defense competitions. In addition to the CCDC, local companies sometimes sponsor these events and have schools from the area come in to compete. I once did one that had high school teams; that was especially fun. This is a venue to go all out and practice your techniques. Having been on the defending side myself, I know it’s really frustrating to get hacked and lose points, but seeing the really showy post exploitation helps get participants interested in learning the attack side of infosec.
Right now I’m always teaching a Metasploit Unleashed class at Reverse Space. It’s a great opportunity for me to practice speaking and teaching, and it’s a chance for me to help others get started in pen testing. I feel like starting out in infosec can be difficult since there is so much information that it can get overwhelming and be difficult to develop a plan. I hope I’m helping others get over that hump. A lot of people have come out, and it has been one of my favorite experiences as well. Additionally, having to write slides every week is good for my self discipline.
Q5: There are a lot of metro-DC infosec meetups and conferences. Which ones do you recommend attending (and why)?
A: Shmoocon was the first infosec conference I ever attended as well as the first venue where I presented my research. I’ve always had a good time and learned a lot there, and I recommend it. Again, the DC area is a hotspot for infosec, so there are several other conferences throughout the year that are great. Shmoocon is just special to me since it was my first speaking gig. Some of the smaller community driven cons such as Dojocon are excellent as well.
For meetups, there are several in the area. I mainly attend NoVa Hackers and events at Reverse Space, but check out the rest of NovaInfosecPortal for other groups. There are chapters of ISSA and OWASP and several others I’m forgetting in DC area.
Q6: What are your favorite locally based infosec resources (e.g., blogs, podcasts, email lists, IRC channels, forums, and social network lists/groups/fan pages) (and why)?
A: NovaInfosecPortal is my go to resource for what’s going on in the DC area. Mailing lists wise NoVa Hackers has active discussions about various topics. I listen to various podcasts many of which have members in the DC area. Maybe we should start a DC Infosec podcast with a catchier name than that.
Q7: If you had advice to give to the federal government and their contractors to improve “cybersecurity,” what would it be (and why)?
A: Mom answer this question. It’s too hard for me. Honestly, I don’t have that much experience with government security. I was a contractor at one agency for a short period of time. I would give them the same advice I’d give anyone, end user awareness of security is vital to a successful security program regardless of how many shiny pieces of equipment you deploy. However, a lecture on email encryption policies is not dynamic and engaging to the audience. Instead bring in infosec guest speakers or have your security team demo possible attacks and talk about the real issues in infosec. That will have a lot bigger impact on users and might even get them interested in infosec themselves.
Q8: What projects (if any) are you working on right now?
A: Since my first release at Shmoocon of the SMS controlled smartphone botnets I’ve done a lot of additional work. Look out for more stuff on my website and at conferences for the rest of the year. I’ve got more stuff with the bots, some encryption work, mobile app security, and more in the works.
Another one of my major projects right now is the cyberwarfare center at Reverse Space. My goal is to build a community driven facility for research, development, learning, and fun. We are going to have everything from a forensics study group, to malware analysis and exploit development labs, to capture the flag and cyber defense competitions.
Q9: Is there anything else you would like to let your fellow infosec pros know?
A: I’d be the first to say that infosec can seem somewhat intimidating when you are first starting out. People are doing some pretty amazing stuff. But I recommend getting involved as much as you can, giving talks, volunteering to help with events, etc. On the whole infosec folks are very accepting and willing to help you. I’ve gotten a tremendous amount of support and feedback from the community on my work.
Q10: How can people get a hold of you (e.g. blog, twitter, etc.)?
Blog: http://www.grmn00bs.com (I’m the G in GRM). We do a podcast too.
Email: georgia [at] grmn00bs [dot] com
Or just come by Reverse Space. That’s where I usually am.