Friday, July 24, 2009

31337 Spotlight: Trey Ford

Happy Friday-Before-Black-Hat-and-DefCon folks!

As you're undoubtedly packing and getting ready to run off to this weekend's Black Hat and DefCon conferences out in Vegas - I have a real treat for you guys. Every once in a while I get to write about someone I can call a real-life friend... and someone that's both respected and admired both for the contributions to the Information Security field... and to humanity. Trey Ford is one of those people who are just as genuine in person as they are on Twitter (@treyford), his blog and standing in front of you extolling the virtues of PCI Compliance.

Speaking of PCI Compliance... if you've got PCI DSS questions, Compliance questions, or just need help - he's one of those people that I can safely say has a truck-load of knowledge and is almost always ready to jump on the soap box or lend an ear... His blog is over here... he's had some great material on there over time too!


So... let's learn something about Mr. Trey Ford (aka "Capt. PCI")!
  • Yo Trey- tell us something about yourself
I am just a business guy that loves technology. A Christian, athlete, motorcyclist, pilot, cook, and (per Mike Dahn) an OCD hobbyist. I am an energetic guy that lives out of a suitcase, loves people and seeing the world from their perspective. Track me down at trey.ford|at|whitehatsec|.|com, ISSA/OWASP meetings, various InfoSec / IT conferences and @TreyFord on Twitter.

  • What types of technologies do you focus your 'hacking' on (and why)?
I currently focus on the application security problem.

I was previously doing pen testing, social engineering, and compliance stuff with some really great clients. The one problem that kept coming up my assessments EVERYWHERE was website security. The solutions of yesterday just didn’t make business sense. My clients and peers needed something more flexible, and that search brought me to WhiteHat Security.
  • What your most famous/proud accomplishment over the course of your career?
LOL! Raf, I am a humble young man, not sure that I have anything famous to mention...

I guess something I have contributed *professionally* is making compliance a business enabler by focusing on risk management (based on the OCTAVE model.) Someone really wise once said that necessity is the mother of invention.

It started on a two hour car ride where I was told to read this (VISA CISP) --http://usa.visa.com/merchants/risk_management/cisp.html, we walked into a CISO briefing where I was asked to discuss how this Fortune 500 should start their payment card security program.

I started by asking obvious questions like ‘do you know where all your credit card data is?’ and ‘can you document the entire lifecycle of that data?’ and ‘do you have real business need that justifies 1)keeping and 2)paying to protect everywhere you use that data?’ I just didn’t know where to dig a moat or build castle walls without that information. The strategy was clear, the individual requirements were details to be sorted out later.

Seriously, it was a total accident (somebody please thank Paul Klahn for not warning me), but I guess it worked out. Now I can’t hide from that PCI stuff. (help?)

That work continued, affording opportunity to build a compliance practice, a PCI team that fought against compliance obsession, managing risk and ultimately saving loads of money and trouble for our clients. The lessons I learned were due to the patient individuals that worked with us to solve some really complicated problems, lessons I carry with me today.

I am not currently an ‘active’ QSA, I work for an organization wholly devoted to measuring and managing risk to website security. Their amazing client base, the conferences that graciously allow us to speak at, and our partners and prospects allow me to continue serving those still wrestling with PCI initiatives. Today I serve the OWASP PCI Project when my day job allows me time after hours...
  • What got you started in Information Security...
I was that kid that was building computers and riding his bicycle around town working for the dial-up ISP at 14, so my roots were in troubleshooting operating systems. Some years later I brought a consultant in to troubleshoot failed NetWare logins due to spanning tree protocol. Seeing this guy in action is what started me toward ‘the dark side’.

Seriously, it was just that simple. This gentleman Mark Levy (Micrologic Business Systems in Kansas City, MO) fired up this thing he called a ‘sniffer’ (whatever that is), captured some ‘packets’ (whatever that means), and then started showing me how the login was failing. This guy was phenomenal. I remember clearly Mark pointing to the screen saying, “This packet has is the login and password ... see it?” :)

I’m laughing at him. I’m like, “No, no, no- I know her password, that isn’t right.” He briefly explains the authentication mechanism, how it used hashing (and could be recovered with enough work), and I was HOOKED. Long story short is that Mark Levy, Mike O’Brien, and Mac McMillan took me under their wing and taught me networking. Those Gents set me on the straight and narrow (it was Arian Evans (and the FishNet guys) that corrupted me...)
  • Tell us something that people rarely know about you?
I’m a bit of a dropout. I dropped out in eighth grade and homeschooled (my dad signed my high school diploma.) I dropped out of college (I have like one hundred-fourty-something credit hours of college) (with no degree.)
Ironically I have a massive addiction to learning. Maybe I’ll get to finish college after we secure the Internet?
  • BONUS: What was your first computer system?
My first computer was an Amdek 286 with a HUGE 20 MB drive, 256k of memory and a math co-processor... anybody remember XTree Gold?

--- Whoa... I DO remember XTree Gold! ... a long, long time ago, in a computing universe far, far away ...

Thanks Trey!

No comments:

Google+