Keep Doing Your Thing!
#keepgoing #movingforward #enjoylife #dontfeedthetrolls
Well, 2019, you’re almost over, and it’s been a much better year than some. Though grueling at times, it has been a rewarding journey. This year involved many air miles and hotels and the chance to meet and hang out with lots of amazing people. I hope this post will inspire anyone who’s been knocked down recently to get up and keep going — because that’s how I felt at the end of last year. Forget the naysayers. When times seem dark, just keep doing your thing.
If you are not familiar with the term Don’t Feed the Trolls, it’s from a 2012 talk by Nicole Sullivan that I love. If you haven’t seen it, I highly recommend it.
One of the challenges this year was attempting to both write and teach a cloud security class at the same time. I am incredibly grateful to my first customer. I must have been crazy thinking I could write a 5-day cloud security class in about two months. Luckily, with the help of some amazing people, we had five days of material and at least four labs for each day. We started out with a beta class, which was pretty rough, but it was a good trial run. Thank you to all my beta students that put up with that. Next, I taught the first live class. I was exhausted and got caught in a bit of a snowstorm, but the class seemed to go well. I am so grateful to all my students who clapped for me at the end. They were also incredibly nice when we hit a few glitches, which we have since resolved. I cannot thank you enough for the opportunity to teach that class!
Over the year, with the help of my team members, some of whom have varied based on availability, we enhanced and improved the labs. I also finally finished all the detailed notes for the class. I didn’t estimate very well how long it would take to write detailed notes for close to or over 200 pages per day on each day, sometimes with multiple pages of notes per page. Besides that, the cloud providers are continuously improving in exciting ways, and I’m continually revamping everything and updating the content. Luckily, we have designed the class so we can do that easily.
Since that class, I’ve taught to Cisco as well as students from major cloud providers, large corporations in the U.S. and Australia, CERT NZ, consulting organizations, and startups with intriguing new products and services. Everyone was so great, and I was impressed by the quality of the students! Some of them were incredibly smart to the point of being intimidating — like, say, a person with a Ph.D. in compilers!? I was very touched after my class in Melbourne, Australia, when my students gave me hugs, gifts, and thank you cards! These acts of appreciation absolutely made my year. It’s the reaction and support of all the students that keep me going.
Of course, they also had to remind me who has the best coffee in the world. I, on the other hand, had to teach some Melbourne restaurants about Baileys and Coffee.
OWASP AppSecDay — Melbourne, Australia
I had the great pleasure of going to Australia in the first place to speak with my friend SheHacksPurple. We had a great time speaking at OWASP AppSec Day in Melbourne, followed by an incredible week of travel. Australia is a truly amazing country.
ServerlessDays London
I also had the opportunity to speak at ServerlessDays London and hang out with Ant Stanley for a bit and see a few sights with a friend that happened to be free. What a great conference. I love the vibe, and the people were really into it. My favorite comment on Twitter was, “Teri Radichel is scaring us.” That was definitely not the intent, but whatever it takes to get you to secure your systems! I’ll be giving a talk on Serverless Attack Vectors at RSA 2020 and other serverless security topics at Serverless Days Hamburg and elsewhere. Follow this blog, Twitter, or LinkedIn for updates.
Bienvenue au congrès ISACA Québec 2019 — Quebec City
One of the other highlights was a trip to Quebec City to speak at Bienvenue au congrès ISACA Québec 2019. I’ve been to Quebec City before, and it is a truly beautiful city. They offered me a book in English or French as a gift, and I chose French because I do hope to learn it better someday. There is not enough time in a day for all the things I would like to learn and do and see!
All the conferences and events…
The year was full of many other destinations and people, including IANS Security Forums in several states, AWS re:Inforce, AWS re:Invent, a few BSides conferences, Microsoft Build, OWASP, ISACA and IIA events, and of course, Seattle AWS Architects and Engineers Meetups which I organize with Kolby Allen. It’s always great to see people I know at these events like the AWS Heroes and community leaders and meet new people. I am especially grateful for invitations to speak in Germany, India, and Poland.
Writing my book
In addition to classes and conferences, I’ve been trying to write a book on Cybersecurity for Executives. Anyone following on Twitter @teriradichel or @2ndsightlab or LinkedIn (Teri Radichel) knows this because I’ve been posting chapters free online while writing it. Thanks for all your support and feedback. Some people told me to use a publisher and not to publish the book until I had entirely written it, but I care too much about cybersecurity. I wanted to share the information as quickly as possible to help companies stop the onslaught of cyberattacks. I decided to publish most of the chapters of the book for free on my blog. The final version will have a few extra chapters. I took a break to go to Hawaii to try to finish my book. I didn’t quite finish but got pretty close — and it was beautiful.
Update: I published my book in February the day before my talk on Serverless Attack Vectors at RSA 2020! I also led a Birds of a Feather session on Cloud Risk which is closely related to the topics in the book. It was a monumental effort. I didn’t quite get the printed version out but maybe by the time you are reading this it will be online. Writing the book was only about half the work. The other half was going through multiple rounds of review, editing, spelling and grammar checks, and ensuring all the references were correct. Even after all that, more typos popped up after the initial version was published. Thanks to everyone who helped along the way! Reviews are appreciated ~ especially the 5-star kind that enable me to keep writing! I’m also very happy to receive any corrections or edits on LinkedIn or Twitter private messages.
My History of DevSecOps
While writing my book, I started inserting this blog post into my book, but then I realized it was something different. It was the story of how I got into Cloud Security and my own version of DevSecOps. People argue about the meaning of words a lot, and I’m not really into that. This story simply introduces where I first heard DevSecOps and how I got into Cloud Security. I think a lot of people have jumped onto the Cloud Security train. I started to realize I’ve been thinking about these things for a very long time — probably before the cloud even existed. This whole idea of automating ops and security is something I wanted a long time ago.
Cloud Security Blog
I reviewed my blog stats for the year, and first of all, Medium stats are pretty limited as far as what you can view. It does not let you break down views by a custom time period or see the referrals for all your stories as a whole, only individual stories. It appears that most of my referrals are from Twitter and direct link or referral by instant message or email, followed by LinkedIn. A few of my posts are starting to get Google referrals. I tried putting my stories behind a paywall initially, but Medium doesn’t pay much. Most of my views and reads were coming from other sources, so I dropped that. I might actually switch to a new blog platform later if I have time where I can display ads and get more statistics.
As for what stories are most popular, I can list by views, reads, read ratio, and fans. Here are some of my top stories so far for 2019. I just posted a whole bunch of new stories in the last month, so they don’t yet have a lot of statistics. We’ll see how those do over time.
The blog post I wrote about the Capital One breach, What’s in Your Cloud, got the most views, the most fans, and second to most reads, but the read ratio is not high for whatever reason.
One of the posts on the top in the views list is Getting value from security testing. That one has a lot of views (supposedly), but the read ratio is abysmal. The reason for this poor performance has to do with the fact that I advertised that post on Twitter. Apparently, doing so brought a lot of bogus traffic to my blog. It is far and away the outlier and only post with such a low read ratio. That probably means that people were just clicking the Twitter ad to waste my money, such as competitors or people who don’t like ads. The other explanation is that Twitter has some sort of bot clicking links to make themselves money. So far, Twitter has not offered to refund my money. I cannot recommend Twitter ads. This post is the third post in a three-part series on pentesting, assessments, and audits.
Typically pentesting blog posts, presentations, and tweets are popular. When I posted that AWS dropped their requirement for advance approval for penetration tests this year, the tweet went viral, and GeekWire reported about it. Apparently I got this message before it was even on the AWS website. I was trying to get the approval for pentesting activities in my labs during my beta class. I went back to class after posting this and had no idea it had created such a stir until after class that day.
One of my other AWS Pentesting blogs has also been extremely popular — Why one of your favorite pentesting technique doesn’t work on AWS. This blog post also had the second most claps (what people do on Medium when they like your story).
Third in terms of claps was my story on How to never have a public S3 bucket. It seems a lot of people are looking for a solution to that problem. I’ve also answered consulting questions on this for IANS Research.
A lot of people wanted to know what it was like to take the SANS GSE. What is interesting is that even though this is one of the most popular posts, Medium doesn’t put it or other of the more popular posts at the top. I’m not sure how they order things. This post appeared in the top five for views, reads, and fans.
Many people forwarded my post explaining why you might want a VPN to other people. This post appeared on all three top lists — views, stats, read ratios, and fans. I feel like shortly after this Google started pushing DNS over HTTPS, but that does not solve the problem. There are many protocols other than HTTPS and DNS that will still traverse the network unencrypted. Also, putting DNS in HTTPS breaks the way a lot of security appliances work, so we’ll see how that shakes out.
My posts related to my book, including the Cybersecurity for Executives: Table of Contents and the first chapter entitled Cybersecurity for Executives, appeared high on the lists — views, reads, and fans. I posted several stories recently in this series, so they are too late to get on the list. The table of contents has the most claps of all my posts in 2019.
My nephew asked me if he could help test my class labs with a Chromebook. I presumed it would work. After we figured out how to SSH to an EC2 Instance with a Chromebook (and I bought one), I wrote about it. That post immediately jumped to one of my most popular blog posts in reads and views. It didn’t get as many fans, but it got a lot of retweets and likes on Twitter.
There is an on-going debate in the AWS community about which is better — CloudFormation or CDK. I think a lot of people struggle with CloudFormation initially. Once you get the hang of it, then it is pretty straightforward. A use case for the CDK also exists. I wrote a blog post about this the last day of AWS re:Invent. This post took off and got a lot of hits but didn’t get as much traffic as the Chromebook post.
Various other posts rise and fall in popularity. I feel like some people are working their way through my Cybersecurity for Executives blog posts. For some people, it may be easier to read the book, which I hope to get out on Amazon very soon. I just have four chapters left at the time of this writing.
Why I don’t speak about Women in Security
Some of the posts about how I got into cybersecurity and being a woman in tech and cybersecurity got a lot of claps and fans, but they did not get into any of the other categories — reads, views, or read ratio. I don’t enjoy talking about women in security in the first place, because I don’t want to be known as a woman in tech. I want to be known as a competent cybersecurity professional. On the flip side, I’ve had multiple people call me a “Bad Ass,” and I’m not sure what that means, so I don’t know how I feel about that. I just want to be good at what I do.
I added the posts on Women in Tech to my blog because a lot of people ask me about this topic or want me to speak about it. I also get requests from people who want me to mentor them. I am always overloaded, and honestly, I don’t know if I am a good mentor for anyone working in corporate America. Rather than try to support one or two people, I wrote those posts to try to help out a lot more people than the few I would have time to talk to about such things.
I decided I would speak on one women’s panel because it was at AWS re:Inforce, and I had not done it before. Then they scheduled I think two or three women’s panels. I wondered if they were trying to fill a quota for women speakers. It was nice of the thirty or so people who showed up to attend and show their support. However, I’m guessing all those people already support women in tech. I don’t think we had to convince them of anything. Two crypto talks were going on at the same time that I would have preferred to attend if I wasn’t on that panel.
Then I look at my blog stats, and very few people are looking up or reading the women in tech stories. These statistics reinforce my belief that talking about women in tech isn’t making a difference. What makes a difference is more technical women as role models doing what men do. More security organizations, conferences, and events with competent women speakers talking about technical topics that men want to learn about will have a more significant impact than women in tech panels. Doing so will help women more than talking about women in tech — and that’s what I hope to continue doing!
Of my posts on women in tech, my favorite post is the one about my niece learning cloud for the first time and helping me with my class. In that post I provide suggestions for women who are trying to get into tech or advance in tech. It had a lot of fans — more than the blog post I wrote about the work I did with my nephew, but not as many views. Since helping me with this class, my niece had to interview someone about their job for her high school homework and she chose me, her geeky aunt!
Seattle — Home, Sweet Home
For the rest of the year, I’ll probably be at home, and that’s quite alright. I’ve still got a lot to finish by the end of the year, including class updates which I promised to students, the book, and getting the class schedule online. I’m answering calls through IANS Research and working on a pentest.
I hope you all have wonderful holidays and are making plans for a positive, productive, and joyous 2020. I’ll see you next year, hopefully, at a conference or class near you. Otherwise, I hope to connect with you on Twitter @teriradichel.
Teri Radichel | © 2nd Sight Lab 2019