Category Archives: Infosec

Professional social engineers wear white hats

In my line of work, I run across many RFPs (Requests For Proposals) that involve complex, multi-step security assessments. More often than not, the engagements call for a social engineering component. In short, social engineering is the art of manipulating people so they willingly give up confidential information. Companies are often hired to run social engineering campaigns to test the weakest link in the security chain: humans.

A common misconception is that these companies are being malicious by default. Professional social engineers will not attempt to hack your Facebook account to find out your deep dark secrets and disclose them to your employer… they are simply testing your security awareness. It’s often easier to trick someone into giving you a password for a system than to spend the effort to crack into the system.

Common social engineering techniques

An attacker walks into a building and posts an official looking announcement to the company bulletin board that says the number for the help desk has changed. When employees call for help the individual asks them for their passwords and IDs, thereby gaining the ability to access both the company’s and employee’s private information.

An attacker calls random numbers at a company, claiming to be technical support. Eventually this person will find someone with a legitimate problem. The attacker will help solve the problem and, in the process, have the user type commands that give the attacker access to their computer systems.

An attacker contacts a target on a social networking site and starts a conversation. Gradually, they gain the trust of the target and then use it to gain access to potentially sensitive information.

Depending on the size of the company, an attacker, seeking entry to a restricted area secured by unattended, electronic access control systems, simply walks in behind a person who has legitimate access. The employee will usually hold the door open for the attacker or the attackers themselves may ask the employee to hold it open for them. The employee will, more often than not, fail to ask for identification.

An attacker leaves a malware-infected removable device like a USB flash drive in an obvious location (bathroom, elevator, sidewalk, or parking lot), and simply waits for the victim to use the device. An employee might find it and insert the device into a computer out of curiosity. Doing so would allow the device to install malware on the employee’s PC, giving an attacker access to the victim’s PC and, perhaps, the company’s internal network.

These techniques are malicious in nature. The difference is that professional social engineers will never exploit any information they find as a result of these attacks. The results will be documented and presented to management so measures can be taken to mitigate similar attacks in the future.

Should you be worried?

Don’t worry if your employer decides to conduct a social engineering assessment. In the long run, the results will actually help improve both the company’s and employee’s security awareness.

Consider it training for the next time you get a call from “support”.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

InfoSec Professional Development Close To Home

Last month thousands of information security professionals and enthusiasts alike flocked to the Black Hat and Defcon conferences, also affectionately known as security summer camp, in Las Vegas. Unfortunately many of us in the industry (myself included) are unable to attend those events due to work commitments, family vacations, or financial reasons. That doesn’t mean there are no options for low cost (or even free) professional development close to or from your home.

Cybrary launched on January 13, 2015. Their goal is “to provide an opportunity to learn IT and Cyber Security, to anyone, anywhere, who wants that opportunity.” They offer a wide range of free online training in various information security specializations, for example:

Irongeek.com is an excellent online resource that is run by Adrian Crenshaw of TrustedSec and Derbycon. He travels to conferences all over North America and records the talks, which he then posts for free on his website as a service to the infosec community.

Security B-Sides “is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.” B-Sides is a template conference design powered by grassroots organizers that has spread to dozens of cities in several countries. It was born out of a number of rejections to the CFP (Call For Papers) for Black Hat USA 2009. A number of quality speakers were rejected, not due to lack of quality but lack of space and time. Any constrained system must operate within the bounds to which it has defined itself. Conferences constrain themselves to the eight hours a day for however many days they run. B-Sides’ goal is to provide people with options by removing those barriers and providing more options for speakers, topics, and events. B-Sides events are usually free or low cost and almost always sell out quickly. *For the record, I’m also a B-Sides organizer.

SANS Cyber Aces Online makes available selected courses from the professional development curriculum offered by The SANS Institute. SANS’ goal in making these courses available as open courseware is to help grow the talent pool and accelerate the rate at which skilled cyber professionals can enter the information security industry – filling mission critical jobs currently going unfilled. The open courses are the same as those offered to information security professionals around the world and are focused on the fundamentals of cyber security.

Dell SecureWorks also offers security awareness training solutions, which include:

This list barely touches the surface. With resources like these, information security professionals really have no valid excuse for not staying current with industry trends.

Now I just have to find the time.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.


OWASP – What is it?

I conduct security assessments for a living. More often than not, web application security is part of the engagement. You would be surprised at how many organizations don’t consider information security beyond the bare minimum when it comes to web application development.

For the record, I’m not a web application developer and I tell that to my clients up front.

That being said, when I (or my clients) need guidance I often refer to OWASP as a best practices baseline.

What is OWASP?

OWASP stands for Open Web Application Security Project. It is a not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

What is the OWASP Top Ten?

The OWASP Top Ten is an awareness (not a standard) document for web application security. It represents a broad consensus about what the most critical web application security flaws are.

Adopting the OWASP Top Ten is perhaps the most effective first step towards changing your software development method to one that produces secure code. The list is as follows:

1. Injection: “Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”

2. Broken Authentication and Session Management: “Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.”

3. Cross-Site Scripting (XSS): “XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”

4. Insecure Direct Object References: “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.”

5. Security Misconfiguration: “Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.”

6. Sensitive Data Exposure: “Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.”

7. Missing Function Level Access Control: “Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.”

8. Cross-Site Request Forgery (CSRF): “A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.”

9. Using Components With Known Vulnerabilities: “Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.”

10. Unvalidated Redirects and Forwards: “Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.”

If you’re a web application developer, you should become very familiar with this list, especially if you’re in the area of ecommerce, because some well-known security standards (e.g. PCI-DSS) require validated proof that you are developing secure code.
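To make three of the list items concrete, here is an added example (my own illustration, not code from the OWASP project or from this post) that shows the flawed pattern next to its fix for Injection (A1), Cross-Site Scripting (A3) and Unvalidated Redirects (A10), using only the Python standard library. The `users` table, its rows, and the `shop.example.com` redirect allow-list are constructed for the demonstration.

```python
"""Added example (not from the post): three OWASP Top Ten items, each shown as
the flawed pattern next to its fix. Table, rows and hosts are constructed."""
import html
import sqlite3
from urllib.parse import urlparse

# Hosts this application is allowed to redirect to (assumed for the example).
ALLOWED_REDIRECT_HOSTS = {"shop.example.com"}


def make_db() -> sqlite3.Connection:
    """In-memory database holding two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


# --- A1 Injection ----------------------------------------------------------
def find_user_unsafe(conn, name: str):
    """Flawed: untrusted input is spliced into the query text, so the input
    can change the structure of the query instead of acting as a value."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name: str):
    """Fixed: a parameterised query keeps the input as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- A3 Cross-Site Scripting ----------------------------------------------
def greeting_unsafe(name: str) -> str:
    """Flawed: untrusted input is written into HTML without escaping."""
    return "<p>Hello, %s</p>" % name


def greeting_safe(name: str) -> str:
    """Fixed: escape on output so markup in the input renders as plain text."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# --- A10 Unvalidated Redirects and Forwards -------------------------------
def redirect_target(requested: str, default: str = "/") -> str:
    """Fixed form: accept a same-site path or an allow-listed https host;
    anything else falls back to the default landing page."""
    parts = urlparse(requested)
    # A relative path on this site has no scheme and no host. A protocol-
    # relative URL such as //other.example is treated by browsers as an
    # external host, so it is excluded explicitly.
    if (not parts.scheme and not parts.netloc
            and requested.startswith("/") and not requested.startswith("//")):
        return requested
    # parts.hostname ignores any user@ prefix, so host@evil.example is rejected.
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return requested
    return default


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # textbook input that widens the unsafe query
    print("unsafe:", find_user_unsafe(db, probe))  # both rows come back
    print("safe:  ", find_user_safe(db, probe))    # no row is named that
    print(greeting_unsafe("<b>x</b>"), greeting_safe("<b>x</b>"))
    print(redirect_target("//evil.example/"), redirect_target("/account"))
```

The point of the redirect helper is that the check is on the parsed destination, not on a substring match: `urlparse` is what decides whether a host is present, so a protocol-relative or credential-prefixed URL cannot slip past a naive “starts with /” test.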

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.


Just When You Thought You Had A Handle On PCI-DSS 3.0

As I mentioned in a previous post, PCI-DSS 3.0 (Payment Card Industry Data Security Standard) came into effect on January 1.

PCI-DSS 3.1 is now on its way, thanks to vulnerabilities like POODLE, Shellshock, and Heartbleed.

The PCI SSC (Payment Card Industry Security Standards Council) continuously monitors threats and vulnerabilities in order to keep the security standard up to date.

The National Institute of Standards and Technology has identified SSL (Secure Sockets Layer) – a protocol meant to establish encrypted communication between a server and a client – as no longer acceptable for data protection.

Due to the inherent weaknesses of this security protocol, there are currently no versions of SSL with the ability to provide strong cryptography. This is why an updated version of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) is necessary.

According to NIST, “The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration.”

The problem lies in the protocol used to encrypt information while it is transmitted from a client to a server.

The solution is the dropping of SSL in favor of the TLS 1.2 protocol. SSL and the Transport Layer Security (TLS) are both mechanisms to protect sensitive data during electronic dissemination across networks. TLS 1.3 is currently being developed; the goal is to add extra measures to avoid exploitation and mitigate encryption-related issues.

To ensure continuity across the payment card industry, the PCI Council expects that PCI DSS 3.1, once published, will be effective immediately. That being said, the new requirements will need some time to be implemented, and the PCI SSC will give organizations time to look into the new requirement and implement the changes.

Considering that there is no known way to address the weaknesses discovered in the SSL protocol, it is strongly recommended that all organizations that handle cardholder data look into the possibility of switching to a strong cryptographic protocol, such as TLS, as soon as possible. There are a number of ways to do this for Windows, Linux, and FreeBSD servers and clients.
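As an added example of what that switch looks like in application code (my own illustration, not from the post or from the PCI SSC), the following builds a client TLS configuration with the floor the post describes (TLS 1.2 and up, SSL excluded, certificate checks on), shows the legacy setting it replaces, and audits a configuration against that floor. It uses only Python’s standard `ssl` module; the finding texts and the `PCI_MINIMUM` name are this example’s own.

```python
"""Added example (not from the post): a hardened TLS client context beside
the legacy setting, plus an audit of a context against the TLS 1.2 floor."""
import ssl

# The protocol floor discussed in the post: nothing below TLS 1.2 is accepted.
PCI_MINIMUM = ssl.TLSVersion.TLSv1_2


def hardened_client_context(cafile=None):
    """Context a payment client should use: server certificate required,
    hostname checked, protocol floor at TLS 1.2, TLS compression disabled."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = PCI_MINIMUM
    ctx.options |= ssl.OP_NO_COMPRESSION  # compression of encrypted traffic leaks plaintext
    return ctx


def legacy_client_context():
    """The setting PCI DSS 3.1 rules out: the floor is dropped to TLS 1.0 and
    certificate checks are switched off. Some OpenSSL builds refuse to enable
    the old versions at all, in which case this raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_context(ctx) -> list:
    """Return a list of findings; an empty list means the context meets the floor."""
    findings = []
    # TLSVersion is an IntEnum, so versions compare numerically; an unset floor
    # reports as MINIMUM_SUPPORTED, which also compares below TLS 1.2.
    if ctx.minimum_version < PCI_MINIMUM:
        findings.append("protocol floor below TLS 1.2 (%s)" % ctx.minimum_version.name)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    try:
        print("legacy:  ", audit_context(legacy_client_context()))
    except ValueError as exc:
        print("legacy context refused by this OpenSSL build:", exc)
```

Use the hardened context for every outbound connection that carries cardholder data (`ssl.SSLContext.wrap_socket` or the `context=` argument of the HTTP client); the audit function is the kind of check worth running in a unit test so a later change cannot quietly lower the floor.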

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Threat modeling at a moment’s notice

If information security professionals want to stay current, they need to be on top of the latest trends and technology in their field. They also need to be open to acquiring new skills and methodologies at a moment’s notice.

To make a long story short, today I was assigned a security architecture review project by my boss. It calls for application threat modeling using a risk assessment model.

I have no experience with application threat modeling.

Research Powers Engage!

What is threat modeling?

Threat modeling is an approach for analyzing the security of an application. It’s a structured approach that enables you to identify, quantify, and address the security risks associated with an application. Threat modeling is not an approach to reviewing code, but it does complement the security code review process. The inclusion of threat modeling in the SDLC can help to ensure that applications are being developed with security built in from the very beginning. This, combined with the documentation produced as part of the threat modeling process, can give the reviewer a greater understanding of the system. This allows the reviewer to see where the entry points to the application are and the threats associated with each entry point.

I’m also looking at two risk assessment models. STRIDE and DREAD.

STRIDE is a system developed by Microsoft for thinking about computer security threats. It provides a mnemonic for security threats in six categories.

The threat categories are:

  • Spoofing – pretending to be another user, component, or system
  • Tampering – modifying data or code without authorization
  • Repudiation – denying having performed an action when there is no way to prove otherwise
  • Information disclosure – exposing information to someone not authorized to see it
  • Denial of service – making a system or service unavailable to legitimate users
  • Elevation of privilege – gaining capabilities without proper authorization

DREAD is part of a system for risk-assessing computer security threats previously used at Microsoft. It provides a mnemonic for risk rating security threats using five categories.

The categories are:

  • Damage – how bad would an attack be?
  • Reproducibility – how easy is it to reproduce the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – how many people will be impacted?
  • Discoverability – how easy is it to discover the threat?
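To show how the two models fit together in practice, here is an added example (my own illustration, not from the post or from Microsoft) of a small threat register: each threat is tagged with its STRIDE category, rated on the five DREAD questions above with a score from 1 to 10, and the register is ranked by the DREAD average. The sample threats, their ratings and the High/Medium/Low bands are constructed for the demonstration.

```python
"""Added example (not from the post): a threat register that classifies
threats by STRIDE category, rates them with DREAD and ranks the result.
Sample threats, ratings and the risk bands are constructed."""
from dataclasses import dataclass

# The six STRIDE categories, keyed by the mnemonic letter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str            # one STRIDE letter
    damage: int            # how bad would an attack be?
    reproducibility: int   # how easy is it to reproduce the attack?
    exploitability: int    # how much work is it to launch the attack?
    affected_users: int    # how many people will be impacted?
    discoverability: int   # how easy is it to discover the threat?

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError("unknown STRIDE category: %r" % self.stride)
        for field in DREAD_FIELDS:
            value = getattr(self, field)
            if not 1 <= value <= 10:
                raise ValueError("%s must be rated 1-10, got %r" % (field, value))

    def dread_score(self) -> float:
        """DREAD risk rating: the mean of the five 1-10 ratings."""
        return sum(getattr(self, f) for f in DREAD_FIELDS) / len(DREAD_FIELDS)


def risk_band(score: float) -> str:
    """Bands assumed for this example; agree the cut-offs with the client."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Highest DREAD score first; ties broken by name so reports are stable."""
    return sorted(threats, key=lambda t: (-t.dread_score(), t.name))


def report(threats):
    """Rows of (name, STRIDE category, DREAD score, band), highest risk first."""
    return [(t.name, STRIDE[t.stride], t.dread_score(), risk_band(t.dread_score()))
            for t in rank_threats(threats)]


# Constructed sample register for a fictional web application.
SAMPLE_THREATS = [
    Threat("Session token sent over plain HTTP", "I", 8, 9, 7, 8, 6),
    Threat("Admin page lacks server-side authorization check", "E", 9, 10, 8, 4, 5),
    Threat("Audit log writable by the application account", "R", 6, 5, 4, 3, 2),
    Threat("Verbose stack trace returned on malformed input", "I", 3, 9, 9, 2, 8),
]


if __name__ == "__main__":
    for name, category, score, band in report(SAMPLE_THREATS):
        print("%-50s %-24s %4.1f  %s" % (name, category, score, band))
```

The value of the exercise is less the arithmetic than the forced discussion: every rating in the register has to be justified to the stakeholders, and the STRIDE tag tells the reviewer which kind of control (authentication, integrity, logging, confidentiality, availability, authorization) is missing at that entry point.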

In the end it doesn’t matter what model I choose… as long as the engagement comes to a satisfying end for both the client and myself.

The client will be happy and I will have gained a new skill set for future engagements.

What have you learned today?

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

PCI-DSS 3.0: Translating new credit card data security rules

Merchants that process, store, or transmit credit card data are now required to be compliant with version 3.0 of the PCI Data Security Standard (PCI-DSS).

There are a small number of requirements that are considered best practice until July 1, 2015. After which, they become mandatory.

Now you could search through the rather substantial standard to find the requirements in question, but I’ve saved you the trouble.

The PCI-DSS says:

“8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

To prevent the compromise of multiple customers through the use of a single set of credentials, vendors with remote access accounts to customer environments should use a different authentication credential for each customer.”

In short: Merchants need to hold their service providers accountable!

The PCI-DSS says:

“9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. Criminals will also try to add ‘skimming’ components to the outside of devices, which are designed to capture payment card details before they even enter the device.”

In short: Make sure your physical POS hardware is secure!

The PCI-DSS says:

“11.3 Implement a methodology for penetration testing that includes the following:

  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results

The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of their potential exposure and develop a strategy to defend against attacks.”

In short: Test and verify the effectiveness of your network segmentation!

The PCI-DSS says:

“12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

This requirement applies when the entity being assessed is a service provider. It is intended to promote a consistent level of understanding between service providers and their customers about their applicable PCI DSS responsibilities. The acknowledgement of the service providers evidences their commitment to maintaining proper security of cardholder data that it obtains from its clients. The method by which the service provider provides written acknowledgment should be agreed between the provider and their customers.”

In short: Update your contracts to include this acknowledgement!

If you need to implement any or all of these requirements, do it now. Do you really want to wait until June 30, 2015?

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

RFID Skimming Hits Close To Home

January is typically the time of year when most of us are scared to look at our bank and credit card statements. It doesn’t help that when we do, we find fraudulent transactions or, even worse, our accounts are maxed out or drained completely of funds.

This happened to some 400 people in Nova Scotia, Canada this past December. It is believed they were victims of RFID Skimming.

RFID security breaches are nothing new, but they have typically happened in bigger cities. Atlantic Canadians were caught completely off-guard, including a close family member of yours truly.

That being said, I am not accusing any organization of failing to notify customers of RFID skimming.

What is RFID Skimming?

RFID Skimming is a form of digital theft which enables information from RFID-based smart cards, also known as “tap” cards, to be read and duplicated. It works by reading the RFID chip at a distance using an RFID scanner, which downloads the card information. It can then be written to a new blank card, which then operates in the same manner as the original legitimate card. Because the data is identical on both cards, and the information is only copied, it makes no difference whether the original data is encrypted or not.

How can you protect yourself?

  • RFID blocking sleeves, pouches, or wallets which are lined to protect RFID-enabled cards. Unfortunately, like any other wallet, these will most likely wear out in time.
  • Aluminum foil is a simple, low-tech approach that creates a sleeve with a limited useful lifetime. On the other hand there may be limits as to how well this works. It may simply make transmission more difficult (but not impossible).
  • An Altoids tin or duct tape wallet (seriously).
  • Disable the RFID functionality on the card. This can be accomplished in a few ways. You could microwave or drill a hole through the chip, but your card issuer might frown upon that. You could also call your bank or card issuer to see if they can disable the functionality from their end.

These measures will increase the security of your RFID-enabled cards, but they are far from being foolproof. The best way to stay protected against rogue RFID scanners is to minimize your reliance on RFID-enabled tools; quitting cold turkey really is the only guaranteed protection. But if you can’t find a way around it, then you can safeguard your cards with the methods listed above.

For the record, I am now the proud owner of an RFID blocking wallet.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Threat Risk Assessment: A Quick Primer

‘Tis the season for data breaches!

From an information security perspective, the news has been downright depressing lately. In the wake of recent career-halting data breaches, it couldn’t hurt to start thinking about threat risk assessments for your organization.

While there are numerous types of threat risk assessment methods, they all try to answer the same questions in regards to organizational assets:

  • What needs to be protected?
  • Who and/or what are the threats and vulnerabilities?
  • What are the implications if they were damaged or lost?
  • What is the value to the organization?
  • What can be done to minimize exposure to the loss or damage?

The objective of a threat risk assessment is to provide recommendations that can maximize the organizational protection of confidentiality, integrity, and availability while still allowing functionality and usability.

The primary phases of a threat risk assessment are:

  • Scope: This phase identifies what needs to be protected, the sensitivity of what is being protected, and what systems and applications are included in the assessment.
  • Data Collection and Analysis: This step involves collecting and analyzing all policies and procedures that are in place to determine any applicable gaps in documentation. Systems and applications identified in the scope are audited to determine their current state. Key personnel are normally interviewed during this stage as well.
  • Vulnerability Analysis: This step takes what was identified in the data collection/analysis and determines the current exposure, and whether current safeguards are sufficient in terms of confidentiality, integrity, or availability. It will also indicate whether the proposed safeguards will be sufficient. The vulnerabilities are graded according to the level of risk that they pose to the organization.
  • Threat Analysis: Threats are described as anything that would contribute to the tampering, destruction, or interruption of any service or item of value. This analysis will look at every element of risk that could conceivably happen. Threats must be looked at as they relate to the business environment and how they can affect that environment. These threats are graded in a similar manner to vulnerabilities.
  • Determination of Acceptable Risk: This step involves the analysis of the findings to help determine, with the help of key stakeholders, what level of risk is acceptable to the organization.

A threat risk assessment should be a continual process that is reviewed regularly to determine if current safeguards are still effective.

If you don’t perform some form of a threat/risk analysis, you leave your organization open to a world of hurt that could destroy your ability to conduct business.

For further information, please see Dell’s whitepaper on the current and future state of IT security.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Compliance: Hard core Dell users get it!

I arrived at Dell World in Austin Texas on November 4. For the record, I was not a Dell customer attending a Dell customer event—an outsider of sorts, not to say that I didn’t feel welcome. The famous Texas hospitality was more than evident!

Luckily I was able to select conference sessions ahead of time, as the selection was massive. Naturally, I gravitated towards any sessions that revolved around information security.

I attended a session which discussed compliance from a user’s perspective… how to effectively achieve it on your own, or as I like to call it “How to make the auditor happy.”

Data breaches are rampant… almost commonplace in this day and age. A week rarely goes by without at least one large corporation in the news for losing personally identifiable information due to inadequate security controls. Information security awareness is higher than it’s ever been, but understanding complex compliance requirements is an intimidating endeavour to say the least. Many users are starting to self-assess (even if not officially required to), but eventually get bogged down by the technical details and jargon. Hiring a security auditor is always an option, but many lack the financial resources to do so. Being able to attend sessions like these at Dell World is a great benefit to both its users and partners.

Here are some of the key takeaways from the discussion:

1. How to manage by automation

  • Administer and revoke access rights and permissions
  • Implement best-practice compliance reporting
  • Protect, retain and retrieve data for on-the-fly investigations
  • Enforce compliance with company policies across desktops, laptops, etc.

2. How to remediate by changing the way you operate

  • Implement preventative controls
  • Establish policy over accounts, privileges and resources
  • Establish perimeter boundaries through application control and visibility

3. How to think like an auditor

  • Track security and performance indicators
  • Audit and report on user activity
  • Perform checks for segregation of duties
  • Enable real-time alerts
  • Establish Security and Compliance awareness training
  • Analyze access rights and permissions to critical data
  • Determine configuration settings and set baselines

There were numerous opportunities for me to reveal myself as a PCI Qualified Security Assessor during the session, but I decided to stay quiet in order to hear unbiased opinions from the attendees.

I wasn’t disappointed. The questions from the audience were thoughtful and challenging. They know too well that the real world often gets in the way when it comes to implementing adequate security controls, but at the same time they are taking compliance seriously.

It warms this auditor’s heart. Well done Dell.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Infosec Isn’t The Gated Community You Think It Is

Years ago I saw an online ad for the Security B-Sides Halifax conference in Halifax, Nova Scotia, Canada. I was working as an information security professional at the time, but I had never attended any “Infosec” conferences. The introvert in me didn’t like the idea… “I wouldn’t fit in.”

Then I started thinking…

“If you want to get anywhere in this industry, you need to get yourself out there.”

So I did.

Upon further research, I discovered that Security B-Sides Halifax was happening the day after the first annual Atlantic Security Conference. I logged into LinkedIn, found the Atlantic Security Conference organizer, and connected with him via a mutual connection.

To make a very long story short, I now sit on the Board of Directors for the Atlantic Security Conference. I organize my own Security B-Sides event and other local technology user groups in my area. I’m working in a field that I only dreamed of a few short years ago.

Infosec professionals are actually a very sociable group once you take the time to reach out. The community is very welcoming, which is surprising because the majority of us are introverts.

Follow these simple steps to break into the community.

1. Twitter

If you don’t have a Twitter account, get one. Seriously, get one now! There’s a very large Infosec community on Twitter. Follow #infosec. Take part in the discussions. Follow the users who also take part in those discussions. Post relevant information, a link to a personal blog post, or just a link to an interesting Infosec story you found. If you have an Infosec question, ask it! You may be pleasantly surprised at the response time and quality of the answer(s).

The next thing you know, you will be sitting next to someone at an Infosec conference that you follow on Twitter. This still happens to me on a regular basis.

2. Network

We have all heard about networking over and over, but it actually does work!

Find local tech user groups in your area. If there are none, start one! The user groups don’t have to necessarily revolve around Infosec. Just get out and meet new people with an interest in tech.

If you can, volunteer at a conference. If you can’t volunteer, attend one, like DellWorld for example. Either way, you will meet industry professionals who may be willing to help you later on in your career.

3. Present at conferences and user groups

If someone told me three years ago that I would be presenting at conferences, I would have said they were nuts.

I presented at a conference a few weeks ago… my sixth in the last three years.

I actually hate presenting, but it gets easier each time. The more I push myself, the better I feel when the talk is done. I know plenty of speakers who feel the way I do, but they put on some awesome talks!

It doesn’t take much to get started. Start small with a lightning talk (5-15 minutes in length).

So get out there and push through that locked gate. You can thank me later when we meet in person at DellWorld.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.