Being intimidating isn’t a necessary skill for these security professionals.
In February of 2016 SecDSM – a group of information security professionals – was started to help security professionals and community members in the Des Moines community with internet security concerns. The group started informally but as interest and size grew, SecDSM became an official nonprofit in October.
A monthly meeting is held on the third Thursday of each month at The Forge by Pillar Technology in downtown Des Moines. Meetings consist of briefings on finances, presentations by members, occasional presentations from nonmembers and opportunities to network and broadcast potential job openings.
And The Forge pays for the drinks and the food.
Brandon Murphy, a threat intelligence analyst and information security engineer at Principal, was one of the first members to join in 2016.
He now serves on the SecDSM board as Vice President.
“We like the atmosphere and the idea of getting together, but one of the problems our industry has as information security is the knowledge gap and getting new people into our industry,” Murphy says. “We want to share knowledge amongst the good guys to make it harder for the bad guys to succeed.”
How to stay ahead of the bad guys
The educational aspect is what drives SecDSM, and with over 140 security professionals in a Slack channel, answers to problems are never hard to come by.
Ben Schmitt, Vice President of Information Security at Dwolla, is the SecDSM board treasurer and admits to being a really good defender of security, but not so much of a hacker.
So to learn more about the other side, he talks with others in SecDSM. It’s that educational aspect that brought him to SecDSM.
Because when he first heard about the group, he was afraid it was just another meeting.
“I did it to learn,” Schmitt says. “Security is never done. I want to understand what other companies do for phishing training. Do they randomly test? What techniques are the phishing people using? That’s called threat intelligence, and it’s not my expertise, but I want to learn from others. People in this group are really good at that.”
Schmitt says someone can ask a question in the group Slack channel and get an answer for free that would cost them a lot of money if they asked a consultant.
“Our group is highly active, mobilized and ready to help,” Schmitt says. “We want to grow the community, share techniques, information and make sure the Des Moines security community thrives. There’s a lot of talent around here.”
Schmitt says the goal of SecDSM isn’t to be an academic institution, just to help out.
“We can give some level of education for free,” Schmitt says. “It’s all free, there’s no cost. You show up to a meeting, there’s pizza, beer and people who just want to talk about security.”
Tom Pohl, Vice President of IT Systems at Businessolver, jokes that SecDSM is about leveling everybody up.
“Building those skills and knowing how to not misconfigure things and doing things more securely is huge,” Pohl said. “It’s trying to reach that bigger community and educate people to show them how to do things securely in a connected society.”
Information should be free
Murphy says that part of the ethos of the “hacker mentality” is that information should be free.
“We want to share our knowledge and other people’s knowledge for free within our community,” Murphy says.
So to do that the group utilizes Shodan, a search engine for connected devices on the internet.
“One of the ways we want to contribute back is to bring attention to these devices and the people that are operating them, and letting them know that it probably shouldn’t be on the internet,” Murphy explains. “We’ve had some success in finding things on the internet and contacting the owners saying that these things don’t belong on the internet.”
One example Murphy uses is that the group contacted somebody who had their HVAC system connected to the internet to turn the temperature on the air conditioner up and down.
“We want to do more of that, there’s no doubt,” Murphy says. “We’ve had some success in doing that, finding things on the internet and contacting the owners and saying this doesn’t belong on the internet.”
Scholarships for the next generation
Members of SecDSM attended CircleCityCon 4.0, a security conference in Indianapolis, Ind., earlier this month. Pohl says a lot of these conferences have competitions and the winners get a badge that gets them free access to the conference for life.
SecDSM dominated the “Capture the flag” competition at CircleCityCon and wants to take a student to the conference next year to expose them to new content and networking opportunities.
When you win a competition at CircleCityCon, you are awarded a black badge that equals free admission to the conference for life.
“We’ve been winning some of these competitions and want to turn some of these black badges into something like a scholarship program,” Pohl explains. “To take some of these up and coming security professionals and get them to these conferences.”
Pohl said with so much security content and educational opportunities around information security, being able to take younger people fits perfectly into the educational aspect of SecDSM.
“There’s a good mix of information about how attackers are getting in and how defenders are defending,” Pohl explained.
These conferences are held all across the country and SecDSM hopes to host a similar one later this year.