

Josh More: Master Resume

Certifications: CISSP, GIAC-GSLC Gold, GIAC-GCIH

 

Profile

 

I am a security advisor, author and presenter with over 15 years experience in information technology. I focus on Lean and Agile approaches to security challenges, including CISO services, technical assessments and remediation assistance. Through the use of continual improvement techniques, I help businesses increase their security posture over time while minimizing impact to production.

 

 

Experience – Full Time

 

September 2011 – Present

Director of Security Services

RJS Smart Security

 

Security Strategy:

 

  • Created Lean Security strategy for consultancy, from marketing to service delivery, including profitability studies.

  • Created flow-based project management methodology for internal use and guiding client projects.

  • Devised rapid assessment processes to reduce costs and speed delivery for traditional assessment types.

  • Revised traditional security assessments to focus directly on business needs: Data, Disaster Recovery, Compliance.

  • Defined Security consulting team’s core technology suite, balancing discovery needs against cost to clients.

  • Performed CISO services to companies in Development, Financial, Health and Entrepreneurial industries.

  • Provided strategic consulting for application tracking credit card data, linking to individuals and handling credit monitoring.

  • Designed new data assessment process for multi-national hospitality chain.

  • Created long-term PCI compliance strategy for state-wide training company.

  • Created data security management strategy for development firm’s primary product offering.

  • Redesigned network security for a multi-branch automotive dealer.

 

 

Security Tactics:

 

  • Assessed vendor technologies to vet solutions for internal and external use: Global Velocity, Bit9, Sourcefire, Barrier1.

  • Analyzed legacy ASP.NET/SQL Server application for HIPAA/HITECH compliance with focus on data storage issues.

  • Assessed outsourced billing services business to determine changes needed to meet HIPAA/HITECH requirements.

  • Designed and managed strategic plan to develop new business units for expanding services to consumer market.

  • Performed vulnerability and data assessment for national retirement community management servicer.

 

 

Business:

 

  • Created new business partnerships to provide vetted solutions to security clients

  • Heavily involved with marketing efforts to develop website, blogging and collateral strategies.

  • Traveled within territory presenting on new consulting approaches.

 

 

November 2004 – September 2011

Senior Security Consultant

Alliance Technologies

 

Security Strategy:

 

  • Researched public data to detect data leaks and prepare for penetration tests.

  • Devised plans for both short-term emergency issue mitigation and long-term business strategy.

  • Reviewed threat and attack trends, developed mitigation and awareness strategies.

  • Wrote custom reporting system to save $25,000 yearly in licensing costs.

  • Redesigned networks to improve segmentation to reduce scope of attacks.

  • Guided intrusion recovery efforts for clients for malware incidents with thefts in excess of $500,000

  • Developed response plans to the termination of internal employees.

  • Devised technical responses and communication strategies to data loss and defacement incidents.

  • Reviewed, analyzed and wrote security policies for companies of all sizes and industry verticals.

  • Assessed vendors: Encryption, IDS/IPS, Anti-malware, Perimeter Protection, Email Control, Web Filtering, WAF.

  • Consulted for compliance with PCI-DSS, HIPAA/HITECH, FDIC, SOX and the FTC Red Flag Rules.

  • Provided outsourced Chief Information Security Officer (CISO) duties for medium businesses and enterprises.

  • Developed security awareness and pre-sales presentations for numerous audiences.

  • Drafted strategy to guide the development of a new security division.

  • Developed standards for PHP, Ruby, Drupal, Joomla, Moodle and WordPress hosting.

  • Created emergency disaster recovery servers for failing but critical clients’ legacy servers.

 

 

Security Tactics:

 

  • Conducted network and web-focused vulnerability scans for companies of all sizes and industry verticals.

  • Reviewed permission levels to reduce privilege creep and identify orphans.

  • Proactively monitored and analyzed security events to determine appropriate response.

  • Ran patch management program, focused on Windows, Linux, Solaris and third party applications.

  • Ran incident management program, focused on isolation, determination and correction of security incidents.

  • Performed forensic analysis on corrupted and deliberately deleted data for lawsuits up to $20,000,000.

  • Consolidated legacy email, web, database and network support systems for increased security and 90% cost reduction.

  • Implemented network-wide monitoring system of all operational servers and network equipment.

  • Developed asset and change management system to reduce deployment time and increase licensing compliance.

  • Performed highly complex data and contract analysis of multi-party code escrow dispute.

  • Designed system to securely transfer large files between businesses in a user-friendly manner.

  • Designed and developed highly hardened Linux systems for Web, FTP and Java hosting, saving $80,000 yearly.

  • Managed on-call schedule for all network technicians.

  • Managed shared data for entire company: data analysis, expiration, archiving and centralization.

  • Maintained complex set of Solaris servers and zones for stability and security.

  • Performed complete reimplementation of genetics processing system, focus on security and stability.

 

 

Business:

 

  • Developed sales presentations for state-wide tours raising awareness of security issues and solutions.

  • Developed marketing material for prospects and clients on each solution sold.

  • Developed rapid assessment and reporting system for sales staff to use to uncover hidden opportunities.

  • Engaged in Internet-based marketing: blogging, forums, mailing lists, twitter, image creation

  • Managed partnerships with security vendors: Sophos, Astaro, Solutionary, Thawte, Google, TestudoData

  • Managed partnerships with technical vendors: Microsoft, Novell, Syncsort

  • Assisted with planned acquisitions by performing technical and business reviews.

  • Analyzed under-performing business unit, identified buyer and facilitated sale.

  • Served as technical and security lead on RFP response teams for large companies and governments.

  • Devised strategy for providing managed service for synchronizing mobile devices.

  • Overhauled web hosting system to focus on service-provided rather than guesswork.

  • Created new anti-malware service, with additional service levels and increased profit.

 

May 1999 – November 2004

Product Manager / Security Analyst

Mail Services Inc / Clement Claibourne

 

Security Strategy:

 

  • Dramatically improved security via strong authentication and seamless logins.

  • Implemented system standards for Linux, Windows and SCO Unix-based systems.

  • Ensured products’ technical compliance with the Gramm-Leach-Bliley Privacy Act and HIPAA.

  • Devised password, role, and data management policies for improved security and privacy.

  • Designed and oversaw development of multi-platform and multi-algorithm encryption system.

  • Drafted policies for the secure handling of sensitive customer data.

  • Created customized Linux distributions based on Red Hat Linux technology to maximize security and ease of maintenance.

 

 

Security Tactics:

 

  • Migrated workstations to open standards, then to Linux systems, reducing licensing liability.

  • Implemented very early online payment system for settling accounts

  • Designed web interfaces for the on-line viewing, editing, and printing of statements and letters.

  • Determined firewall, VPN and routing rule sets for various clients’ needs.

  • Implemented automatic synchronization to backup systems for redundancy and disaster recovery.

  • Automated security maintenance on nation-wide cluster of Linux systems.

  • Developed automated file processing system via HTTP, FTP and SMTP parsing, conversion, and processing.

  • Automated lossless data compression, resulting in a 90% gain in system resources.

  • Merged diverse networks together following acquisition by Mail Services LC.

  • Managed 20 Linux-based Internet-connected servers and 40+ SCO Unix-based LAN-connected servers.

 

 

Business:

 

  • Designed websites for Clement Claibourne, Mail Services and several clients.

  • Designed web banner system for context-aware advertising

  • Developed branding systems for complete graphical flexibility prior to CSS2 browser support.

  • Transitioned from SCO Unix to joint Linux and Windows systems for considerable cost savings.

  • Designed and oversaw development of Windows-based print archival system.

  • Developed traveling demonstration systems for Sales to use at trade shows.

  • Used rapid prototyping to develop proof-of-concept systems for pre-sales efforts.

 

 

 

November 1996 – May 1999

User Consultant / Help Desk Technician

Grinnell College

 

Security Tactics:

 

  • Analyzed applications for network inclusion, with a focus on stability and security.

  • Audited existing applications for adherence to security requirements.

  • Secured Windows and Macintosh systems against unauthorized users and malicious applications.

 

 

 

May 1998 – August 1998

High Energy Physics Research Intern

University of Notre Dame

 

  • Programmed system to aid high-energy particle analysis.

  • Trained other interns in the use of the Unix operating systems.

 

 

Experience – Contract and Volunteer

 

January 2012 – Present

Author

 

  • Vendor Assessment Handbook, author, book to be released in 2013

  • Job Reconnaissance: Using technology to win the job hunt game, author, book to be released in 2013

  • “Using Metaphors for Critical Communication”, author, paper to be released in 2013

  • Breaking In To Information Security, co-author, book to be released in 2013

  • Lean Security 101, author, comic book released 2012

  • UTM Security with Fortinet: Mastering FortiOS, co-author, book released 2012

  • “Measuring Psychological Variables of Control in Information Security”, author, paper released in 2011

 

 

January 2008 – Present

Exam Author

SANS / GIAC

 

  • GWEB – GIAC Certified Web Application Defender

  • GWAPT – GIAC Web Application Penetration Tester

  • GSLC – GIAC Security Leadership

  • GCFA – GIAC Certified Forensic Analyst

 

 

December 2005 – Present

Author Support

Pearson Education / Novell Press / O’Reilly Press / Syngress / Elsevier

 

  • Reviewed numerous book proposals and recommended for or against publication

  • Reviewed and created diagrams for Liars and Outliers, Wiley

  • Edited UTM Security with Fortinet, Syngress

  • Proofed Security+ Review Guide, Wiley

  • Edited Novell Cluster Services for Linux and NetWare, Pearson

  • Edited FreeBSD 6 Unleashed, Pearson

  • Edited X Power Tools, O’Reilly

  • Edited Linux in a Nutshell, O’Reilly

 

 

January 2006 – Present

Community Leadership and Assistance

 

  • Head of Cyber division of Iowa Infragard: an FBI-vetted business/government collaboration.

  • Ran annual Infragard conference focused on security communication and education.

  • Founded local Virtualization Users’ Group and Des Moines Security Group.

  • Hosted and ran meetings as President of local Linux Users’ Group.

  • Member of Iowa community groups: Agile Users Group, Iowa Bloggers, ISSA, Cyber Defense Competition at ISU

  • Member of Minnesota community groups: OWASP, ISSA, DC612, ISC(2), Practical Agility

  • Member of International community groups: SANS Advisory Board, PaulDotCom, Freenode groups

  • Consulted to the State of Iowa Department of Homeland Security Information Technology Group.

  • Designed and maintained a server which provided web, database and email functions for nonprofits.

  • Created training system for Unix administrators: trouble-maker.sf.net (2004-2010).

  • Created online convention-planning system: www.demicon.org (website 2000-2003, codebase 2000-2008)

  • Designed and implemented a kiosk system with speech synthesis for the visually-impaired.

 

 

 

Teaching

 

2005-Present

Presentations

 

  • Lean Security 201 – Lean/Agile Security practice, at numerous venues throughout 2012 and 2013

  • Lean Security 101 – Lean/Agile Security theory and techniques, at numerous venues throughout 2012 and 2013

  • Pen Testing Security Vendors – for DerbyCon 2012

  • Natural Compliance: PCI and HIPAA – at numerous venues throughout 2012 and 2013

  • Virtual Desktop Security – technologies and issues involved with the security of virtual desktops

  • Senior Scams – issues impacting senior citizens and those that care for them

  • Malware and Identity Theft – short-form presentation on big issues affecting businesses

  • Finance-focused Security – financial malware impacting banks and credit unions

  • Credit Card Security – PCI compliance issues for small businesses accepting credit cards

  • Health Data Security – HIPAA compliance issues for medical clinics, insurance agents and hospitals

  • Communications Security – network-level issues impacting telephone companies and data centers

  • Disaster Recovery – technical issue overview for the Iowa Contingency Planners

  • Web Application Security – general security issues for the Des Moines Web Geeks and Iowa Ruby Users Group

  • Virtualization Security – security issues surrounding virtualization for ISSA

  • Linux Security – security issues specific to Linux for Infragard and CIALUG

  • Security Policies – overview of security policy issues for ISACA

  • OSX Security – overview of security on Apple computers for Des Moines Mac Users Group

  • Information Warfare – review of public data attacks and defense for Iowa Infragard

  • Certification – recommendations for certification paths and testing tips

  • Web 2.0 – business uses of emerging web technologies

  • Barcamp – ran sessions on Linux, monitoring, job searches and self-promotion

  • Guest Lecture – lecture on Linux in business for the DMACC Linux Administration Class

  • Technology for Entrepreneurs – using technology to grow startup businesses

  • Linux in schools – how open source technology can improve education

 

 

2008

SANS MGMT 414 – CISSP Mentor Session

 

  • Taught students the ten domains of Information Security to prepare them for the CISSP exam.

  • Emphasized practical security concerns within their respective professional environments.

  • Added additional teaching of test taking, studying and memorization techniques.

 

 

Education

 

  • CISSP – Certified Information Systems Security Professional

  • GIAC-GCIH – GIAC Certified Incident Handler

  • GIAC-GSLC Gold – GIAC Security Leadership Certification, Gold Level, Paper available online

  • RHCE – Red Hat Certified Engineer (expired)

  • NCLP10 – Novell Certified Linux Professional 10

  • ACE – Astaro Certified Expert

  • February 2011 – Attended Sophos online training sessions to attain internal certification level

  • January 2009 – Attended SANS 504 Hacker Techniques, Exploits and Incident Handling Class

  • September 2008 – Attended Astaro Engineer Training, achieved Astaro Certified Engineer certification

  • May 2008 – Attended Microsoft Licensing training

  • January 2008 – Taught SANS 414 CISSP Prep Class

  • December 2007 – Attended Compellent SAN Administration Class

  • February 2007 – Attended SANS 512 Management class

  • December 2005 – Attended N-Able Advanced Administration Class

  • Bachelors degree in Physics, conferred by Grinnell College

  • High Energy Physics Internship, University of Notre Dame

 

 

 

Skills

 

 

Consulting

 

  • Analyze business processes, systems and networks to determine long term security strategies at minimal cost.

  • Implement replacements for legacy services, with emphasis on efficiency, security, and reliability.

  • Devise technical, social and political solutions for compliance with industry regulations.

  • Conduct feasibility studies and pilot programs for potential implementations.

  • Present findings to business owners, managers and technical leads.

 

 

Platforms

 

  • Linux: SLES, OpenSUSE, RedHat, RHEL, Fedora, Mandrake, CentOS, Ubuntu, Backtrack, Debian, Knoppix, Slackware

  • Microsoft: DOS 3.3 – 6.2, Windows 3.1, 95, 98, NT, ME, 2000, and XP, 2000, 2003, 2008

  • Unix: Solaris, SCO OpenServer, FreeBSD, OpenBSD, NetBSD, OSX, HP/UX, Irix, TRU64

  • Other: Mac Classic, Cisco IOS, PalmOS, OpenVMS

  • Web: Google Apps, Mediawiki, Joomla, WordPress, Drupal

 

 

Security Tools

 

  • Unified Threat Management: Fortinet, Astaro, Watchguard, CheckPoint, Barrier1, Cisco, IPCop

  • Web Protection: Imperva, CloudFlare, Sophos UTM, mod_security2, php-suhosin, Apache2, IIS

  • Managed Services: Alert Logic, Solutionary Activeguard, Google Message Security, ShadowServer Alerting

  • Endpoint Protection: Sophos, Bit9, Safeguard, Symantec, ClamAV, iptables, tcpwrappers, AppArmor

  • Network Assessment: Nessus, OpenVAS, Core Impact, nmap, kismet, metasploit, Zenmap, ExploitDB

  • Monitoring: mon, n-able, monit, nagios, collectd, tcpdump, ethereal, wireshark

  • Public Analysis: Paterva Maltego, SearchDiggity, pipl.com, snoopstation, many custom scripts

  • Private Analysis: John the Ripper, Ophcrack, CheckRootKit, RKhunter, Exiftool

  • Web Assessment: Burpsuite, NetSparker, nikto, Rat Proxy, Skipfish, Acunetix

 

 

Software

 

  • Web: Apache 1.3.x-2.x, mod_perl, PHP, ruby, mongrel_cluster, squid, Tomcat/J2EE

  • Web Systems: Gallery, eWiki, Twiki, SugarCRM, dotProject, dokuwiki

  • Email Systems: Qmail, GroupWise, Vpopmail, Squirrelmail, Courier IMAP, ezmlm, Sendmail, Postfix

  • Database Services: PostgreSQL, MySQL, Berkeley DB, SQL Relay

  • File Services: ProFTPd, Vsftpd, NFS, samba, Novell file services

  • System Administration: OpenSSH, NFS, cron, subversion, VNC, CUPS, OpenLDAP, yum, eDirectory

  • Web Clients: Firefox, Mozilla / Netscape, Firefox, Opera, Internet Explorer, elinks, w3m, telnet

  • Graphic: Gimp, Inkscape, Bibble, ImageMagick, PaintshopPro, Photoshop, POVray, Ghostscript/PCL

  • Backup Tools: SyncSort Backup Express, amanda, LoneTar, bacula, tar, zip, bzip, gzip

  • Virtualization: VMWare, VirtualBox, Xen, Solaris Containers/Zones

 

 

Languages

 

  • Scripting: Perl, Unix Shell, Javascript, PHP, Ruby, Python, SQL, Expect, DCL, Windows Batch

  • Compiled: C, C++, Java, Scheme, Pascal, Fortran, Basic, POVray, Logo

  • Descriptive: HTML, DHTML, XHTML, XML, CSS, YAML, TEX

 

 

Networking Protocols

 

  • Standard: HTTP, FTP, SMTP, Telnet, TCP/IP, POP3, IMAP, NTP, DNS, IRC, SMB

  • Secured: HTTPS, FTPS, IPsec, SSH, IMAPS, POP3S

 

 

Data Sources

 

  • Industries: Municipalities, Banks, Credit Unions, Utilities, Medical, Development, Collections, Health Care, Trucking, Insurance, Nonprofits, Political Parties, Retail, Manufacturing, Retirement, Software, Publishing, Distributing, Utilities

  • Formats: Delimited, Mainframe extractions, IBM and AS400 spools, Word, Excel, Access, DBase, Foxpro, PDF, Postscript, PCL, XML, Raster graphics, Mailspools

 
