Security Resume

This page is also available as a PDF.


Josh More – Security Roles in Small Business

Certifications: CISSP, GIAC-GSLC Gold, GIAC-GCIH, RHCE, NCLP, ACE

Profile

  • Fifteen years technical experience consisting of twelve years in security and ten years in operations.
  • Expertise in assessing technology, business requirements and security threats.
  • Experience presenting to people at all levels of technical skill and business responsibility.
  • Detailed knowledge and experience with system analysis, architecture and operations.
  • Dedication to continual self-driven improvement of professional skills.

Experience

November 2004 – present: Alliance Technologies
Senior Security Consultant: Focus on Business Process and System/Network Security

  • Performed technical assessments for companies of all sizes and industry verticals.
    • Conducted network, local and web-focused vulnerability scans.
    • Developed and implemented network segmentation to reduce scope of attacks.
    • Researched public data to detect data leaks and prepare for penetration tests.
    • Reviewed user permission levels to reduce privilege creep and identify orphans.
    • Wrote custom reporting system to save $25,000 yearly in licensing costs.
  • Devised plans for both short-term emergency issue mitigation and long-term business strategy.
  • Proactively monitored security events and responded or notified affected parties.
    • Reviewed patches and updates: Windows, Linux, Solaris and third party applications.
    • Reviewed threat and attack trends, developed mitigation and awareness strategies.
    • Drafted reports to a wide variety of audiences – technicians, sales people, customers, help desk
  • Incident Response Lead – managed isolation, determination and correction of security incidents.
    • Average thefts from malware and identity theft commonly exceeded $500,000.
    • Developed response plans to the termination of internal employees.
    • Devised technical responses and communication strategies to data loss and defacement incidents.
    • Performed forensic analysis on corrupted and deliberately deleted data for lawsuits up to $20,000,000.
  • Reviewed, analyzed and wrote security policies for companies of all sizes and industry verticals.
  • Analyzed technologies, recommended vendors and built products to address specific threat vectors:
    • Disk and Data Encryption – protecting against physical theft and improper access
    • Intrusion Detection – protecting against bad network traffic, unusual traffic and access patterns
    • Anti-Malware – protecting against malicious software and providing deep network control
    • Perimeter Protection – controlling in- and out-bound traffic by port, protocol and destination
    • Email Control – preventing spam, allowing legitimate email and providing encryption
    • Web Filtering – limiting access to and monitoring of employee Internet usage
    • Web Application Firewall – providing protection to unmaintainable legacy web applications
    • Collaborative Documentation – enabling documentation of various systems and processes
    • Patch Management – maintaining OS and third party patch levels for workstations and servers
    • Training – identifying and addressing internal knowledge gaps that impact organization’s security
  • Consulted for compliance with PCI-DSS, HIPAA/HITECH, FDIC, SOX and the FTC Red Flag Rules.
  • Consolidated legacy systems to modern and hardened systems using development/production mirroring.
    • Email, Web, Database, DNS, and DHCP servers – affecting most of the pre-existing infrastructure
    • Migrated to modern Linux systems, for improved reliability, flexibility and supportability
  • Implemented network-wide monitoring system of all operational servers and network equipment.
  • Streamlined secure internal operations: change requests, source control, license management.
  • Performed highly complex data and contract analysis of multi-party code escrow dispute.
  • Designed system to securely transfer large files between businesses in a user-friendly manner.
  • Provided outsourced Information Security Officer duties for medium businesses and enterprises.
    • Determined long term strategies and managed projects to achieve security goals within budgets.
    • Handled incident exploration, containment and mitigation.
  • Developed multi-layer protection for Linux-based Web and FTP hosting and Java application servers.
  • Developed security awareness and pre-sales presentations for numerous audiences.
  • Drafted strategy to guide the development of a new security division.

Sales Engineer: Focus on Needs Assessment, Report Writing and Presentation

  • Developed sales presentations for state-wide tours raising awareness of security issues and solutions.
  • Developed sales strategy and tools to identify solutions by business size and industry vertical.
  • Developed marketing material for prospects and clients on each solution sold.
  • Developed rapid assessment system for sales staff to use to uncover hidden opportunities.
  • Analyzed public data breaches to create common stories for use in presentations and sales calls.
  • Traveled with sales person to prospects to conduct pre-sales opportunity analysis.
  • Developed rapid reporting template to be used when conducting pre-sales opportunity analysis.
  • Engaged in Internet-based marketing: blogging, forums, mailing lists, twitter, image creation
  • Devised multi-year improvement plans and matched solutions to client budget cycles
  • Managed partnerships with security vendors: Sophos, Astaro, Solutionary, Thawte, Google, TestudoData
  • Managed partnerships with technical vendors: Microsoft, Novell, Syncsort
  • Served as account- and project-manager to clients requiring ongoing security/infrastructure improvement.
  • Attended business networking events, representing the company and seeking leads.
  • Performed technical and business reviews preceding acquisitions.
  • Identified buyer and assisted sale of unprofitable portion of our business.
  • Served as technical lead in group of consultative business leaders, tying together numerous industries.
  • Served as technical and security lead on RFP response teams for large companies and governments.
  • Devised strategy for providing managed service for synchronizing mobile devices.

January 2008 – present: SANS and GIAC

Question Author and Reviewer: GIAC certification exams based on SANS course material

  • Wrote and reviewed for the GWEB certification, focusing on web-based security issues.

SANS Instructor (Mentor Level): Management 414 – CISSP Mentor Session

  • Taught students the ten domains of Information Security to prepare them for the CISSP exam.
  • Emphasized practical security concerns within their respective professional environments.
  • Added additional teaching of test taking, studying and memorization techniques.

December 2005 – Present: Pearson Educational, O’Reilly Press, Syngress
Technical Reviewer: Focus on Security and Applicability to the Market

  • Reviewed numerous book proposals and recommended for or against publication

Technical Editor and Proofer: Focus on Security and Technical Accuracy

  • Proofed Security+ Review Guide
  • Edited Novell Cluster Services for Linux and NetWare
  • Edited FreeBSD 6 Unleashed
  • Edited X Power Tools
  • Edited Linux in a Nutshell

May 1999 – November 2004: Clement Claibourne LC / Mail Services LC

Security Analyst

  • Dramatically improved security through strong authentication and system standards.
  • Ensured products’ technical compliance with the Gramm-Leach-Bliley Privacy Act and HIPAA.
  • Devised password, role, and data management policies for improved security and privacy.
  • Determined firewall, VPN and routing rule sets for various clients’ needs.
  • Designed, implemented and administered Linux-based products and solutions, providing:
    • Secure authentication for varied user levels with seamless connection to third party systems.
    • Automatic synchronization to backup systems for redundancy and disaster recovery.
    • “Self Aware” systems to help automate security maintenance.
  • Designed and oversaw development of multi-platform and multi-algorithm encryption system.
  • Drafted policies for the secure handling of sensitive customer data.

Pre-sales Support

  • Developed proof-of-concept systems for sales endeavors. Production systems built after close of sale.
  • Developed traveling demonstration systems for sales people to use at trade shows.
  • Accompanied Sales to demonstrate systems and answer technical questions.

Community Involvement

Security and Open Source Community Leadership:

  • Head of Cyber division of Iowa Infragard: an FBI-vetted business/government collaboration.
  • Ran annual conference focused on security communication and education.
  • Founded local Virtualization Users’ Group and Des Moines Security Group.
  • Hosted and ran meetings as President of the local Linux Users’ Group.
  • Attend local meetings as a security and technical community representative:
    • Agile Users Group, Iowa Bloggers, ISSA, Cyber Defense Competition at Iowa State University
  • Consulted to the State of Iowa Department of Homeland Security Information Technology Group.
  • Active on numerous international security-focused mailing lists and IRC channels.

Security and Open Source Community Presentations:

  • 2011: Virtual Desktop Security – technologies and issues involved with the security of virtual desktops
  • 2011: Senior Scams – issues impacting senior citizens and those that care for them
  • 2011: Malware and Identity Theft – short-form presentation on big issues affecting businesses
  • 2011: Sales – internal presentation educating sales staff on security strategy and prospecting
  • 2010-2011: General – common security issues impacting businesses
  • 2010-2011: Finance – financial malware impacting banks and credit unions
  • 2010-2011: PCI – compliance issues for small businesses accepting credit cards
  • 2010-2011: HIPAA – compliance issues for medical clinics, insurance agents and hospitals
  • 2010-2011: Malware – financial malware impacting general business and non-profit groups
  • 2010: Communication – network-level issues impacting telephone companies and data centers
  • 2009: Disaster Recovery – technical issue overview for the Iowa Contingency Planners
  • 2009: GroupWise 8 – features of the new email and calendaring system for an internal audience
  • 2009: Web Application Security – general security issues for the Des Moines Web Geeks
  • 2009: Virtualization Security – security issues surrounding virtualization for ISSA
  • 2009: Linux Security – security issues specific to Linux for Infragard and CIALUG
  • 2006-2009: MediaWiki – features and use cases for wikis as collaboration systems
  • 2008: Security Policies – overview of security policy issues for ISACA
  • 2008: OSX Security – overview of security on Apple computers for Des Moines Mac Users Group
  • 2008: SQLi and XSS – overview of web-based attacks for the Iowa Ruby Users Group
  • 2008: Information Warfare – review of public data attacks and defense for Iowa Infragard
  • 2005-2008: Certification – recommendations for certification paths and testing tips
  • 2007-2008: Web 2.0 – business uses of emerging web technologies
  • 2007: Barcamp – ran sessions on Linux, monitoring, job searches and self-promotion
  • 2006: Guest Lecture – lecture on Linux in business for the DMACC Linux Administration Class
  • 2006: Technology for Entrepreneurs – using technology to grow startup businesses
  • 2005: Linux in schools – how open source technology can improve education

Media Interviews:

  • 2011: RFID security and credit cards
  • 2010: Buena Vista University data loss incident
  • 2008: Workplace Productivity

Nov. 1996 – May 1999: Grinnell College

  • Technical Support: User Consultant / Help Desk Technician
  • Analyzed applications for network inclusion, with a focus on stability and security.
  • Audited existing applications for adherence to security requirements.
  • Secured Windows and Macintosh systems against unauthorized users and malicious applications.

May 1998 – Aug. 1998: University of Notre Dame

  • Academic Research: Intern in High Energy Physics
  • Programmed system to aid high-energy particle analysis.
  • Trained other interns in the use of the Unix operating systems.

Education and Certifications

  • CISSP – Certified Information Systems Security Professional
  • GIAC-GCIH – GIAC Certified Incident Handler
  • GIAC-GSLC Gold – GIAC Security Leadership Certification, Gold Level, Paper available online
  • RHCE – Red Hat Certified Engineer (expired)
  • NCLP10 – Novell Certified Linux Professional 10
  • ACE – Astaro Certified Expert

 

  • February 2011 – Attended Sophos online training sessions to attain internal certification level
  • January 2009 – Attended SANS 504 Hacker Techniques, Exploits and Incident Handling Class
  • September 2008 – Attended Astaro Engineer Training, achieved Astaro Certified Engineer certification
  • May 2008 – Attended Microsoft Licensing training
  • January 2008 – Taught SANS 414 CISSP Prep Class
  • December 2007 – Attended Compellent SAN Administration Class
  • February 2007 – Attended SANS 512 Management class
  • December 2005 – Attended N-Able Advanced Administration Class

 

  • Bachelor's degree in Physics, conferred by Grinnell College
  • High Energy Physics Internship, University of Notre Dame