This page is also available as a PDF.
Josh More: Data Security
Certifications: CISSP, GIAC-GSLC Gold, GIAC-GCIH
I am a security advisor, author and presenter with over 15 years experience in information technology. I focus on Lean and Agile approaches to security challenges, including CISO services, technical assessments and remediation assistance. Through the use of continual improvement techniques, I help businesses increase their security posture over time while minimizing impact to production.
Experience – Full Time
|September 2011 – Present||
Director of Security Services
RJS Smart Security
- Created Lean Security strategy for consultancy, from marketing to service delivery, including profitability studies.
- Created flow-based project management methodology for internal use and guiding client projects.
- Devised rapid assessment processes to reduce costs and speed delivery for traditional assessment types.
- Revised traditional security assessments to focus directly on business needs: Data, Disaster Recovery, Compliance.
- Defined Security consulting team’s core technology suite, balancing discovery needs against cost to clients.
- Performed CISO services to companies in Development, Financial, Health and Entrepreneurial industries.
- Designed new data assessment process for multi-national hospitality chain.
- Created data security management strategy for development firm’s primary product offering.
- Assessed vendor technologies to vet solutions for internal and external use: Global Velocity, Bit9, Sourcefire, Barrier1.
- Analyzed legacy ASP.NET/SQL Server application for HIPAA/HITECH compliance with focus on data storage issues.
- Assessed outsourced billing services business to determine changes needed to meet HIPAA/HITECH requirements .
- Designed and managed strategic plan to develop new business units for expanding services to consumer market .
- Performed vulnerability and data assessment for national retirement community management servicer.
|November 2004 – September 2011||
Senior Security Consultant
- Researched public data to detect data leaks and prepare for penetration tests.
- Wrote custom reporting system to save $25,000 yearly in licensing costs.
- Guided intrusion recovery efforts for clients for malware incidents with thefts in excess of $500,000
- Assessed vendors: Encryption, IDS/IPS, Anti-malware, Perimeter Protection, Email Control, Web Filtering, WAF.
- Consulted for compliance with PCI-DSS, HIPAA/HITECH, FDIC, SOX and the FTC Red Flag Rules.
- Provided outsourced Chief Information Security Officer (CISO) duties for medium businesses and enterprises.
- Created emergency disaster recovery servers for failing but critical clients’ legacy servers.
- Conducted network and web-focused vulnerability scans for companies of all sizes and industry verticals.
- Ran incident management program, focused on isolation, determination and correction of security incidents.
- Performed forensic analysis on corrupted and deliberated deleted data for lawsuits up to $20,000,000.
- Consolidated legacy email, web, database and network support systems for increased security and 90% cost reduction.
- Performed highly complex data and contract analysis of multi-party code escrow dispute.
- Designed system to securely transfer large files between businesses in a user-friendly manner.
- Designed and developed highly hardened Linux systems for Web, FTP and Java hosting, saving $80,000 yearly.
- Managed shared data for entire company: data analysis, expiration, archiving and centralization.
- Maintained complex set of Solaris servers and zones for stability and security.
|May 1999 – November 2004||
Product Manager / Security Analyst
Mail Services Inc / Clement Claibourne
- Implement system standards for Linux, Windows and SCO Unix-based systems.
- Ensured products’ technical compliance with the Graham-Leach-Bliley Privacy Act and HIPAA.
- Devised password, role, and data management policies for improved security and privacy.
- Designed and oversaw development of multi-platform and multi-algorithm encryption system.
- Drafted policies for the secure handling of sensitive customer data.
- Implemented automatic synchronization to backup systems for redundancy and disaster recovery.
- Automated security maintenance on nation-wide cluster of Linux systems.
- Developed automated file processing system via HTTP, FTP and SMTP parsing, conversion, and processing.
- Automated lossless data compression, resulting in a 90% gain in system resources.
- Managed 20 Linux-based Internet-connected servers and 40+ SCO Unix-based LAN-connected servers.
|November 1996 – May 1999||
User Consultant / Help Desk Technician
- Analyzed applications for network inclusion, with a focus on stability and security.
- Audited existing applications for adherence to security requirements.
- Secured Windows and Macintosh systems against unauthorized users and malicious applications.
Experience – Contract and Volunteer
|January 2012 – Present||
- Vendor Assessment Handbook, author, book to be released in 2013
- Job Reconnaissance: Using technology to win the job hunt game, author, book to be released in 2013
- “Using Metaphors for Critical Communication”, author, paper to be released in 2013
- Breaking In To Information Security, co-author, book to be released in 2013
- Lean Security 101, author, comic book released 2012
- UTM Security with Fortinet: Mastering FortiOS, co-author, book released 2012
- “Measuring Psychological Variables of Control in Information Security”, author, paper released in 2011
|January 2008 – Present||
SANS / GIAC
- GIAC Certifications: GWEB, GWAPT, GSLC, GCFA
|December 2005 – Present||
Pearson Education / Novell Press / O’Reilly Press / Syngress / Elsivier
- Supported numerous book processes as editor and reviewer: Liars and Outliers, UTM Security with Fortinet, Security+ Review Guide , Novell Cluster Services for Linux and NetWare, FreeBSD 6 Unleashed , X Power Tools , Linux in a Nutshell.
|January 2006 – Present||
Community Leadership and Assistance
- Head of Cyber division of Iowa Infragard: an FBI-vetted business/government collaboration.
- Ran annual Infragard conference focused on security communication and education.
- Hosted and ran meetings as President of local Linux Users’ Group.
- Member of Iowa community groups: Agile Users Group, Iowa Bloggers, ISSA, Cyber Defense Competition at ISU
- Member of Minnesota community groups: OWASP, ISSA, DC612, ISC(2) , Practical Agility
- Lean Security 201 – Lean/Agile Security practice, at numerous venues throughout 2012 and 2013
- Lean Security 101 – Lean/Agile Security theory and techniques, at numerous venues throughout 2012 and 2013
- Pen Testing Security Vendors – for DerbyCon 2012
- Natural Compliance: PCI and HIPAA – at numerous venues throughout 2012 and 2013
- Credit Card Security – PCI compliance issues for small businesses accepting credit cards
- Health Data Security – HIPAA compliance issues for medical clinics, insurance agents and hospitals
- Information Warfare – review of public data attacks and defense for Iowa Infragard
SANS MGMT 414 – CISSP Mentor Session
- Taught students the ten domains of Information Security to prepare them for the CISSP exam.
- Emphasized practical security concerns within their respective professional environments.
- Analyze business processes, systems and networks to determine long term security strategies at minimal cost.
- Implement replacements for legacy services, with emphasis on efficiency, security, and reliability.
- Devise technical, social and political solutions for compliance with industry regulations.
- Conduct feasibility studies and pilot programs for potential implementations.
- Present findings to business owners, managers and technical leads.
- Linux: SLES, OpenSUSE, RedHat, RHEL, Fedora, Mandrake, CentOS, Ubuntu, Backtrack, Debian, Knoppix, Slackware
- Microsoft: DOS 3.3 – 6.2, Windows 3.1, 95, 98, NT, ME, 2000, and XP, 2000, 2003, 2008
- Unix: Solaris, SCO OpenServer, FreeBSD, OpenBSD, NetBSD, OSX, HP/UX, Irix, TRU64
- Other: Mac Classic, Cisco IOS, PalmOS, OpenVMS
- Web: Google Apps, Mediawiki, Joomla, WordPress, Drupal
- Unified Threat Management: Fortinet, Astaro, Watchguard, CheckPoint, Barrier1, Cisco, IPCop
- Web Protection: Imperva, CloudFlare, Sophos UTM, mod_security2, php-suhosin, Apache2, IIS
- Managed Services: Alert Logic, Solutionary Activeguard, Google Message Security, ShadowServer Alerting
- Endpoint Protection: Sophos, Bit9, Safeguard, Symantec, ClamAV, iptables, tcpwrappers, AppArmor
- Network Assessment: Nessus, OpenVAS, Core Impact, nmap, kismet, metasploit, Zenmap, ExploitDB
- Monitoring: mon, n-able, monit, nagios, collectd, tcpdump, ethereal, wireshark
- Public Analysis: Paterva Maltego, SearchDiggity, pipl.com, snoopstation, many custom scripts
- Private Analysis: John the Ripper, Ophcrack, CheckRootKit, RKhunter, Exiftool
- Web Assessment: Burpsuite, NetSparker, nikto, Rat Proxy, Skipfish, Accunetix
- Web: Apache 1.3.x-2.x, mod_perl, PHP, ruby, mongrel_cluster, squid, Tomcat/J2EE
- Web Systems:, Gallery, eWiki, Twiki, SugarCRM, dotProject, dokuwiki
- Email Systems: Qmail, GroupWise, Vpopmail, Squirrelmail, Courier IMAP, ezmlm, Sendmail, Postfix
- Database Services: PostgreSQL, MySQL, Berkley DB, SQL Relay
- File Services: ProFTPd, Vsftpd, NFS, samba, Novell file services
- System Administration: OpenSSH, NFS, cron, subversion, VNC, CUPS, OpenLDAP, yum, eDirectory
- Web Clients: Firefox, Mozilla / Netscape, Firefox, Opera, Internet Explorer, elinks, w3m, telnet
- Graphic: Gimp, Inkscape, Bibble, ImageMagick, PaintshopPro, Photoshop, POVray, Ghostscript/PCL
- Backup Tools: SyncSort Backup Express, amanda, LoneTar, bacula, tar, zip, bzip, gzip
- Virtualization: VMWare, VirtualBox, Xen, Solaris Containers/Zones
- Compiled: C, C++, Java, Scheme, Pascal, Fortran, Basic, POVray, Logo
- Descriptive: HTML, DHTML, XHTML, XML, CSS, YAML, TEX
- Standard: HTTP, FTP, SMTP, Telnet, TCP/IP, POP3, IMAP, NTP, DNS, IRC, SMB
- Secured: HTTPS, FTPS, IPsec, SSH, IMAPS, POP3S
- Industries: Municipalities, Banks, Credit Unions, Utilities, Medical, Development, Collections, Health Care, Trucking, Insurance, Nonprofits, Political Parties, Retail, Manufacturing, Retirement, Software, Publishing, Distributing, Utilities
- Formats: Delimited, Mainframe extractions, IBM and AS400 spools, Word, Excel, Access, DBase, Foxpro, PDF, Postscript, PCL, XML, Raster graphics, Mailspools