SANS: What made you choose to work in security?
I started out as a Linux systems administrator during the .com boom. The place where I was working had multiple racks of these 1U blue Cobalt RaQ appliances, (Cobalt the brand, not the programming language). These servers had a proprietary operating system based on Red Hat Linux that was always getting compromised. I was constantly cleaning these servers up without understanding how they were getting hacked. I started researching the vulnerabilities and got drawn into security at that point.
I think what really got me hooked was experimenting with dsniff and capturing plain text credentials on the wire after finding it on a compromised server. Everyone was using FTP and Telnet back then. I cringe thinking about it now.
SANS: What was your first SANS course and GIAC Certification (if applicable)?
My first SANS course was SEC504 in Mesa, Arizona with John Strand. I will never forget that first day. I had the police called on me shortly after arriving at the hotel.
What happened was I took a taxi from the airport to the hotel. The taxi driver and I had some idle conversation about why I was in town and he asked about the Defcon shirt I was wearing. I explained it was security conference, he didn’t understand, so I followed up with “hacker conference”, and then he understood.
He drops me off at the hotel and I paid for the cab with a credit card and requested a text receipt. I check in, head to my room, drop my luggage off, and then grab a quick lunch at the hotel restaurant. As I walk past the lobby the cab driver chases me down telling me that I paid with a stolen credit card. I notice there’s 4 police officers following him towards me as well.
As we talk through this and I produce my ID and my credit card, the cab driver explains some woman in Oklahoma called him, says she’s not in Arizona, and she didn’t authorize this charge on her card. That’s when I realize what must have happened. I typo’d my own phone number when I entered for the text receipt! I imagine the cab driver was thinking… hacker… hacker’s and identity theft! That guy stole that woman’s identity and is using her credit card!
The officer in charge of this situation called the woman and confirmed that was the case. This made for an awkward week because the same officers had breakfast in the hotel every morning that week. I went on to obtain the GCIH certification about a month after that class.
SANS: What courses do you teach / author?
I teach MGT514: Security Strategic Planning, Policy, and Leadership.
SANS: Why do you teach, research and practice information security?
The main reason is because it’s fun, it’s my passion, and it doesn’t feel like work. My wife asks me how I can work all the time and we get into this conversation about how it doesn’t feel like work. It’s intriguing, I’m always learning something new, and I get to be around the top people in the industry when I’m teaching.
SANS: What tips can you provide newcomers to cyber security and defense?
Defense isn’t about one thing that you can do to increase security. Defense is overlapping technical and administrative controls working together that increases security. As you are working towards that, make sure that you implement it in the context of what the business is trying to achieve. I see that lacking in a lot of approaches today.
SANS: Who has influenced your information security career?
This is a hard question to answer. Thinking back, I would say my former brother-in-law, David Weiss, now retired from the FBI, had an influence on the direction I went in security early in my career.
In the past 4 years I’ve had a lot more people influence my security career such as Frank Kim, John Strand, Tim Medin, Ed Skoudis, and Alissa Torres.
Each one of those have shared knowledge with me that has made me better technically and professionally. I approached a lot of them for advice on my first SANS murder board also.
SANS: What do you want people to know about you?
I want people to know that I enjoy what I do, and helping others find their way in information security. I don’t like the gatekeeping and harassment a lot of those new to the industry experience. I work hard to create a good environment for those that I work with and attend the classes I teach. I’m always available if you want advice, or guidance along the way.
SANS: Favorite quotes, songs, or books?
There are so many quotes to choose from and it depends on the circumstances. I guess the one quote that would be my favorite is:
“The individual has always had to struggle to keep from being overwhelmed by the tribe. To be your own man is hard business. If you try it, you will be lonely often, and sometimes frightened. But no price is too high to pay for the privilege of owning yourself.”
The quote is by Rudyard Kipling, but mistakenly attributed to Nietzsche.
I don’t really have a favorite song, but my favorite band is Nine Inch Nails.
There are two books I’ve had for most of my life: The art of War by Sun Tzu, and The Book of Five Rings by Miyamoto Musashi.
SANS: Tell us about things you enjoy that people may not expect.
I enjoy Cyber Punk artwork but prefer living in the Canyonlands area of Utah. At some point we’ll make that move from Oklahoma.
I enjoy working out, martial arts, kayaking, and hiking. I would say I’m not your typical “geek”, but I notice a lot of people in information security with similar interests.
Joe Sullivan has over 20 years of experience in information security. Joe is Principal Consultant at Rural Sourcing in Oklahoma City where he manages and develops the security consulting services and the teams that provide them. Over his career Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe teaches MGT514: Security Strategic Planning, Policy, and Leadership.
Read Joe's full profile here.
