JeffBolden.net

Sorry for the lack of updates the past month or so, and it’s not for lack of events to share. In fact, it’s been quite the opposite and I’ve just been too busy to check in. It’s funny how fast time moves by when you have a lot going on. =)

So, the big news for me is on the career front. As it turns out, about 4-5 weeks ago I left my glamorous jetsetting (ahh, sweet sweet sarcasm…) Internal IT Auditor position for some real RockStar status. I can hear all of you asking, “Jeff, what could possibly make me want to leave the excitement and thrills of internal IT audit?” Seriously though, the past 4 months or so I’ve been really examining my career and taking a long hard look at what I like and dislike in my day to day grind and came to the conclusion that being an auditor was not the direction I wanted to continue in. Add that to the fact that after working in the banking/finance industry now for almost 8 years I was quickly reaching the point of complete and utter PCI/GLBA/FFIEC burnout, and I could see the writing on the wall.

I like to keep my hands “dirty” so to speak and not being able to directly solve the security and IT problems I see on a daily basis was just too much for me. Quite frankly, I’m an ops guy, I like getting in and actually working on the tech. I knew that already, but sometimes it takes me longer to figure things out than others. =)

So, during this period of realization one day in April, I just happened to stumbled across my “dream opportunity”. I’ve always wanted to find a position where I could get in to a small startup on the ground floor and build a world-class IT dept/infrastructure from the beginning. Someplace small and nimble yet with the same IT needs and issues as the big boys. Someplace I could go that I didn’t have to worry about what FFIEC says, but how things really should be. Not “security for regulatory’s sake”, but real, common-sense security. After years of shaking my head at the PHB’s stupid IT decisions I wanted to go someplace I could “put my money where my mouth was” (so to speak) and see if I could do it better. Careful what you wish for… =)

So, the opportunity presented itself and things moved extremely quickly from there. Suddenly I’m no longer in banking, and I’ve had more fun in the past 4 weeks then I have in the previous 4 years! It’s been hectic and challenging as I shake off the rust on some of my technical skills, but I have not had this much enjoyment going to work in years.

The new position? Director of IT for an up and coming startup here in Portland called Iterasi. We’ve just gone beta, so be sure to check it out.

Tuesday and Wednesday were both full days for me, covering the ISO27002 controls as well as hitting lunch and learns, some great after-hours talks, and a trip or two down the strip as well. The highlight of the past 2 days was a couple of excellent talks on bluetooth eavesdropping as well as a talk on VM Escape issues.

Josh Wright’s Wednesday evening talk on bluetooth eavesdropping was excellent (as usual, great talk Josh!) and showed just how bad bluetooth security is. He has a great YouTube video up showing the issues as well as a great paper on Dispelling Common Bluetooth Misconceptions that he just released. I highly recommend taking a look at both. Also, be sure to check out his website www.willhackforsushi.com for lots more wireless info.

Tonight is the PaulDotCom security podcast live here at SANS and I’ll be dropping in for that. It’s only fitting since I was lucky enough to be at their first podcast at SANS 2005 in LA. They’ve come a long way since then! =) They will be running a live stream as well as taking questions over IRC, so be sure to jump over to their site and get the info, then join us tonight!

It’s been a fun  couple of days down here at Vegas! I flew down Saturday night and got to Caesars around 8pm and got settled in. A nice surprise was getting bumped up to a nicer room in the Augustus Tower, with a great view of the Bellagio Fountain right out my window. It’s been awhile since I’ve been to Vegas, and man the strip sure has changed! After class yesterday I managed to get out and do a little exploring, then went down to the Hilton and checked out the Star Trek Experience. I have to say it was pretty cool, but I was ready to hit the sack after all the wandering around.

I’m heading down to check out the vendors, pick up some swag, and mingle with the security elite. =) Also on the agenda for after-hours Wednesday night is a talk from Josh Wright on Bluetooth Headset eavesdropping, as well as a presentation from Ed Skoudis on VM Escape. I’m also going to try to get over to the PaulDotCom sec podcast on Thursday.

SANS Network Security 2007 is almost upon us! It’s been over 18 months since I’ve been to SANS so I’m really looking forward to going to the Vegas conference this year, even if it is a management track. I’ll be doing the MGMT411 track this time, covering the ISO 17799/27001. It’s a good overview to refresh my memory on the “official” security framework in my new role, but I would be much more excited about the malware or forensics tracks. I guess it can’t alway be fun and games… =)

If anyone reading this (all 2 of you…) is going to the Vegas conference and would like to get together, be sure to drop me a line and we can schedule a night. I always like meeting fellow netsec geeks for food and fun!

What a summer! Time is flying by, and I just noticed it’s been almost 2 months since I posted. Nothing like starting a blog just to ignore it. It seems like the past few months have been a flurry of work, kid’s summer activities and stress over career. I guess the old adage is true, the older you get the faster time seems to slip by. =)

On the job front, I have some changes to announce. After a lot of contemplation I decided it was time to move on from my Security Architect role at US Bank, I role I’ve been at for the past 15 months. I met a lot of great people, learned a few things about myself, but in the end decided the position was just not a good fit for me. I’m grateful I had a chance to meet some truly talented security people while I was there and made some great friends. It was a tough decision, but I’m excited about the change.

I’ve accepted a new position at a great financial software/solution company in downtown Portland that I’m extremely excited about, and will be starting Monday. It’s a role I’ve been resisting for over three years but circumstances seem to keep pushing me in that direction, so after a lot of thought and discussions with my new employer I’ve decided to accept the inevitable and become an Information Security Auditor.

So for those of you that know me, yes i’ve moved to the dark side. I can hear you chuckling from here. =)

The summer is flying by so fast I had almost forgot about my CISA test and that I was still waiting for results. It had been weeks since I last thought about it, so I was pleasantly surprised to get an email from ISACA on Thursday with the results. Long story short, I passed with flying colors! I’m glad, as I did not relish the thought of having to study and retake the test in December during the holiday season.

All in all, this was one of the more interesting (read stressful) certification tests I’ve taken. Now that I can look back at it knowing I passed, it was a test that I probably worried more than I needed to, but one I had to prepare for the most due to it covering areas that I did not have as much experience in as I’ve had with other certification subjects in the past.

Now comes the fun part, filling out the application and documenting my past security experience so I can claim a new set of letters to add behind my name. All of which really means nothing in the grand scheme of things… =)

After a month or two of pretty regular study I finally got my Certified Information Systems Auditor (CISA) test done a week ago and then promptly took a much-deserved week off for vacation. Now comes the 10-week wait for the results. You would think in this day and age they could get you the results a little faster, but such is life I guess.

The test itself was one of the more difficult ones I’ve taken due to the subjectivity of the questions. There were too many questions where you had to make a decision on the “most right” answer, and it seemed to me like it tests your ability to decide what ISACA wants you to say more than your actual knowledge of the material. I’ve yet to fail a cert test, but I’m really unsure as to my success on this one.

As an FYI, I used the Sybex CISA Study guide and found it to be an excellent guide of the material. I also used the official ISACA CISA Test Question CD for review.