Georgia Weidman is a penetration tester, security researcher, and trainer. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has provided training at conferences such as Black Hat USA, Brucon, and Security Zone to excellent reviews. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). Georgia is a member of the spring 2015 cohort at the Mach37 cyber accelerator, founding Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. She is the author of Penetration Testing: A Hands-on Introduction to Hacking from No Starch Press.
With this resume, it’s impossible not to want to learn more from her. 🙂
You don’t often see or hear about women in IT security. How and when did you find your passion for security?
My mother got her PhD in Computer Science not long after I was born, so the idea that science and technology were not normal for girls and women was a foreign concept to me growing up. I competed in the collegiate cyber defense competition in school. At the competitions a red team (mainly penetration testers and researchers by day) simulates the attacks students have to defend against. After the competition I knew I wanted to be like the red teamers (all men, of course). I suppose having such a good role model of a woman in technology as a child made it easier for me to shrug off the fact that barely anyone in my chosen field was like me than it is for many minorities.
What do you enjoy the most in your career?
Being able to explore new places intellectually as well as physically. I get to discover new vulnerabilities and mitigation methods that perhaps will make everyone safer. And I get to travel the world doing it.
What are the biggest challenges you face in your daily job?
I’ve recently gone from a single-person consulting shop to a product company and expanding my consulting practice. As a technical person with little business experience, hiring people, working with other developers, and building financial models to raise venture capital are all very new to me. Being constantly out of my comfort zone can be very challenging.
After reading the title of your presentation, could you please tell us what is the most important thing we need to take into account when securing our mobile devices?
We need to treat our mobile devices as next-generation computers, not next-generation phones. Calling is the least of what they do. They are connected to multiple networks and have access to tons of potentially sensitive data. Ignoring them in our security programs is not going to cut it.
Do you have some recommendations for small businesses regarding this topic?
Small businesses in particular tend to de facto assign a lot of different roles to all employees. Rather than having a security team, security is everyone’s responsibility. Employees have administrative rights to things they don’t need, have the password to the Wi-Fi, etc.
Personal cell phones, gaming consoles brought from home to the break room, etc., sharing the same network with sensitive corporate assets can be a recipe for disaster. Redesigning your entire network and building a more complete security policy takes time and money, so in the meantime you can get an idea of the risk mobile devices are opening you up to by penetration testing and simulating mobile attacks in a controlled environment.
There are a lot of tools out there that claim to mitigate all your mobile risk and not a lot of validation data to back it up. Without first knowing your risk level, you won’t be able to make an informed decision about what changes to your security policy and what mitigating controls you need to put in place to manage mobile risk.
Before going out and buying a fancy mobile management suite, get an idea of what gaps in security you are trying to fill, and make sure that the solution is actually providing those features in a way that is helpful to you.
DefCamp is organized by the Cyber Security Research Center from Romania – CCSIR in partnership with Orange Romania, Bitdefender and Checkmarx, and support of Ixia, Safetech, Beyond Security, Dell SecureWorks, Dell SonicWALL and Cert Sign by UTI.