Wednesday, April 13, 2011

Security Think Tank

On Monday April 4, I did a presentation at the Scandinavian ISACA conference, held in Oslo, Norway. The title was "Board Member Security" (Link to Slideshare), and were part of the governance track. I will get back to the contents of the presentation later, first of all I would like to introduce the people behind the presentation.

I have set up a local "think tank" on security with some friends here in Bergen, Norway. Most of us have known each other for many years already, personally from school and by working together.

Erlend Dyrnes is the Security Manager of Norwegian ISP NextGenTel. (I should probably say triple-play provider or something to be more correct). A former pentester and auditor at Ernst & Young, he now has to face the consequences of his previous recommendations. With a bright mind, he manages to bring the important aspect of ROSI (Return On Security Investment) into our discussions. He also holds the CISA and CISM certifications from ISACA.

Odd-Terje Karlsen is our "Grand Old Man", and one of my work colleagues. He actually remembers the introduction of IBM PC's with MS-DOS! :-) With more years of experience from the IT industry then any other in the group, he can thoroughly draw the lines from the introduction of IBM PC's to one of the hotter topics in the business today: BYOPC (Bring Your Own PC). "Been there, done that" is natural for him to say whenever the rest of us has a new, bright and shiny new idea to discuss. Being able to benefit from earlier failures, pitfalls and success stories is of great value to us all. Oh, and he's a fan of Maltego. :-)

Alexander Hoogerhuis is our "foreign guy". Not just being a citizen form the Netherlands, as an independent consultant, he travels the world for his clients, installing and fixing networking problems (and more!) all over. He never did the final lab exam for Cisco CCIE, but the written exam as well as other certifications were a breeze. Through his work he sees a lot of challenges as well as solutions for a wealth of different enviroments, across borders and cultures. He is pretty creative on describing attack scenarios that involves social engineering in combination with exploitation of commonly known defaults and bad habits.

Lars Erik Bråtveit is our true CCIE, pentester and social engineering expert. At the time of writing this, it's just a week ago since he told me that he just won the CTF at a SANS course on pentesting in the US. Congrats! I do consider him a little paranoid, but then again.. doing social engineering and pentesting almost on a daily basis should make many people paranoid. Creativity on both the attacker as well as the defenders side of the table is of great value to our discussions.

Thomas Tjøstheim probably represent the strongest academic side of our group.With a Ph.D in computer security, he represents the analytic mind who organize lots of information very fast, if needed. He even take notes from our conversations! :-) With a passing score on the CISSP exam and working with risk analysis during work hours, he is also my nemesis in our highly informal "Pwn2Own" competition.

Per-Arne Hoff works in the public sector, just like Thomas has done for a couple of months now. With a positive attitude and perspectives from the public sector, he helps us see challenges as well as solutions from a different perspective than the rest of us. Supporting a very large organisation that needs to be open and available to anyone, he faces other challenges in his daily work that we - luckily - don't have to worry too much about on a daily basis. Oh, and he knows his firewalls, wlans, vlans, routers and switches pretty well. :-)

Thomas S. Methlie is our (secure) programmer. With a master in informatics, looking at different security aspects, he's one of those guys who usually have something really smart to say every time he speaks. He's also part of the "Thomas & Thomas" team (see above), my nemesis in our "Pwn2Own" competition. He passed his CISSP exam with ease, and practices confidentiality every day by being married to a journalist. ;-)

Oddbjørn Steffensen is also one of my colleagues. I usually refer to him as the inventor of PERL (he doesn't really like me saying that...). I think he can actually figure out the question that will give you "42" in less than 42 lines of PERL code, but that wouldn't be any fun, right? he can do mind mapping faster than you are capable of speaking, he eats any log format for breakfast and will tell you exactly who did it in minutes. And that with a complete profile, including a Google Street View of where the culprit lives by night. (If you try to hire him, I'll shoot you). Maybe I should say that he passed the CISSP exam many years ago, but didn't bother to report his CPEs. Too bad, but I'd hire him any day, no matter his price.

Jan Fredrik Leversund is another colleague, and yet another consultant in our group. Oddbjørn says that his own PERL code just works, while Jan Fredrik documents his code (!) in addition to making it work through a more structured approach. I have never ever met anyone more capable of turning down any and all suggestions that I can come up with, replacing them with either nonsense or even better ideas than what I thought of initially. I like that. :-) A programmer, risk analyst and pentester, he's a fan of Apple products and like Oddbjørn has a genuine interest in photography. He currently holds the CISSP-ISSAP certifications from (ISC)2, and needs to do a bit of paper work before officially becoming a CISA as well. He's also the mastermind behind quite a few lines of PERL code that does password analysis for me.

Yours truly? Well, you probably have an idea about me already, based on this blog and other sources. I'll leave it to somebody else to give a description of me, I'm really not objective here. :-)

1 comment:

  1. It is interessting to see that 2 of there gentlemen are from the old BBS/IRC scene in Bergen :-) Hola!


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.