Security Hygiene – Hosting my First CryptoParty

Turns out I am not alone in wanting to evaluate my online presence and update my security priorities. Partly to update my own security checkup, I wanted to update security know-how here.

I got involved with an awesome Chicago-based group, the Lucy Parsons Labs this year. One thing that attracted me to the group was their outreach – they not only do work on behalf of others, but they also offer security training for journalists and activists. This week I got a chance to get involved and I led my first digital security training.

Ain’t No Party Like a CryptoParty

Monday was the November CryptoParty, hosted by moi. Like past Chicago CryptoParties, the point is to get all types of people together to talk about digital privacy and what’s important to each person. Some folks wanted to create stronger passwords, others wanted to divest from Google’s tracking tentacles.

I started by doing lots of research. There are great guides to hosting CryptoParties, trainings, and resources for speakers and the general public. Once I got a grasp of what range of topics we might cover, I knew I wanted to start with a short presentation on “threat modeling” and then open it up to questions and discussions for everyone.

The EFF has new and awesome Surveillance Self Defense guides and printouts, plus “playlists” for different threat models. I built my slides from there, with a quick intro to threat modeling (aka risk assessment since it sounds less militant and terrifying). I like the analogy of cold and flu season – the best thing to do is prevent getting sick and the easiest way to avoid colds is just washing your hands!

So what is security “hand washing”? My favorite part of the threat model concept is that it depends. It depends on what information you have (assets), who you’re protecting it from (adversaries), and how comfortable you are with losing data (threat). If something happens (risk), how terrible is it? It depends on who you are and what you’re doing.

Here are my slides.

Part 2 was more tips & tricks, mostly based on Martin Shelton’s post “Securing your Digital Life Like a Normal Person.” Applying the “it depends” model to the tips and tricks was a nice segue into discussions. We covered encryption, VPNs, and 2FA.

Here’s a partial list of topics, tips and tools:

Next Up

I was excited, humbled, and energized to get to participate in this CryptoParty. I was impressed by how many folks knew about the “advanced” stuff I mentioned, like VPNs and Tor Browsers. I think next time we should jump into deep-dive topics like encryption, how VPNs work, and more. I’m ready, are you in?

Sound cool? Want to get involved with another CryptoParty or digital training? Have more in-depth questions for any of us at Lucy Parsons Labs? Email us


September AWS user group Chicago

It’s been a few weeks, but I wanted to write down some thoughts on the latest AWS Chicago user group. An ever popular topic is certification, mainly for AWS’ own professional exams, but also things from Cisco to Microsoft certifications.

This time we opted for an open-ended format of the “unpanel”, an idea I borrowed from CloudCamp (RIP Chicago CloudCamp). The goal is to get more people involved than a standard Q&A of “experts” on a panel. By sourcing panel participants from the crowd, people can both ask and answer questions and swap in and out.

In the space, wonderfully sponsored by Discover, the layout was great. Pizza and drinks (sadly no beer allowed) were off to the side, and the audience and panel were squished into the narrow part of the room so everyone was forced to be right in the action.

Running an unpanel in Chicago is always a challenge to me. Compared to the London CloudCamp, us Midwesterners are too nice to jump in and take over someone’s spot on the panel. As the moderator, I tried to be aggressive in bringing more people up to the panel chairs, rotating questions from the group, and swapping out speakers as needed.

From an AWS side, I was surprised to hear not many Chicago folks are headed to re:Invent this year. It is a strange time, just after Thanksgiving, to go to Vegas as the big projects of the year wrap up. It’s also becoming such a huge event. Last year over 40,000 people jammed into the Venetian/Sands/MGM and this year it’s taking over most of the Strip. Just walking down the hallway is overwhelming, much less the “normal” of Vegas overload.

Another note was that more and more people are looking to certify. AWS certifications are affordable compared to most others.

Check out the awesome notes, taken by local Chicago tech hero Alison Stanton (@alison985)



Featured in Digital Guardian: Cloud Computing Security Benefits – Infosec Pros Reveal the Top Benefits of Cloud


“Cloud computing has obvious cost benefits…”

Especially for startups and businesses looking to move away from owning and running data centers. Cloud providers have more capacity, speed, and locations. Shifting your information security practice to fit cloud is a process, but there are upsides. Cloud providers offer Service Level Agreements (SLAs) for their services, including: specifics on security, privacy, access to data, and data portability. Offloading IaaS-layer requirements onto a provider will ease the burden on your teams as long as the SLAs meet internal security standards.

Margaret Valtierra featured in Digital Guardian

Cloud providers can also help InfoSec teams meet compliance requirements, since most IaaS offerings meet ISO, PCI, and other well-known standards. Before cloud, we had to maintain and secure our own servers and physical security. Now, Amazon, Azure, and Google run world-class data centers for us. 70% of organizations use at least one application in the cloud. Those applications – everything from CRM to mobile apps – put critical business data beyond the reach of traditional security. Security teams can now use cloud technologies to prevent data breaches and vulnerabilities by enforcing strong virtual networks and flexible data policies for each application.

Another big benefit of the cloud is the ability to build security on top of standard offerings. A virtual private network (VPN) allows security teams to create a secure network on top of a cloud provider’s physical network. As teams install and launch applications, security teams can directly control network traffic with point-to-point connectivity. Network security settings like firewall rules, user access, and internet port filters can be sized, scaled, and tailored to each cloud application.

Read the full article here.

Margaret Valtierra is the Technical Marketing Specialist at Cohesive Networks, where she creates technical documentation, guides, and video demos. Margaret has a BSM from Tulane University and is an AWS Certified Solutions Architect and Cloud Security Alliance (CSA) CCSK.


Social media guidelines that make sense

Core rules for creating a solid but practical guideline for your team’s social media.

Social media and online branding are best when multiple users pitch in but use a consistent brand voice. So how can you encourage everyone on your team – from a giant marketing firm to a few distributed folks in a brand new startup – while maintaining a professional brand identity online?

Code & Core Values

Keep in mind that what you do online can be tied back to you and to your affiliation with the company. Use social media to build your own brand – share your thoughts, experiences, etc. with projects and continue to grow in your area of expertise.

Personal Responsibility

Be responsible with your interactions online and never violate the trust of those you are engaging with. If you are communicating about the company or the brand, be sure to clearly identify yourself as an employee.

Provide Full Disclosure At All Times:

  • Use social media to speak for yourself individually, and always be sure to make it clear that what you post is your own opinion, and that it does not necessarily reflect the views of the entire company.
  • Personal blogs that discuss or mention the business, products, employees, customers, partners, or competitors should include a disclaimer. For example, “The views expressed on this [blog; Web site] are my own and do not necessarily reflect the views of [company].”

The Life Span of a Social Media Post 

Whether you are posting about personal topics or topics relevant to the company, it is important to remember that all social media posts are public and forever. They will be visible to a broad audience indefinitely and may be read out of context.

Proper Use

Understand what is required, expected and recommended when operating on each social media platform. Each is different and each has proper and improper uses and codes of conduct.

Pseudonyms & Anonymous Postings

The use of pseudonyms, aliases and anonymous postings is strongly discouraged. Do not represent yourself to be anyone other than who you really are, and be sure to comply with all laws and regulations regarding disclosure of your identity.

Personal Gain

Do not use your relationship with the brand for personal gain.

Keep Your Social Profiles Accurate

Conflicting information within the profile pages of your social media accounts damages your credibility and could also adversely impact the brand’s reputation. Please update your profile pages to reflect these guidelines and your role at the company.

Avoid Technical Language

Limit the use of ambiguous or technical language that can be easily misunderstood by others online. Do your best to make it easy for the average person to understand your opinion or your position in a concise, clear manner.

Monitor Responses

If you engage in social media about Cohesive in any way, please monitor feedback and use your best judgment to respond in a timely and appropriate manner. Failure to reply to comments or postings that come up in response to an employee’s post can leave a negative impression.

IP and Copyrights

Obtain the owner’s permission when using third-party materials. Do not use more than a short excerpt from someone else’s work, and credit and link to the original source. Respect intellectual property and copyrights, including images and quotes.

Spam & Bulk Postings

Do not bulk-post on social media. Each social media site has a different audience, requirements, and purpose. When sharing content widely, tailor the content.

Be Considerate & Respect Others’ Rights

  • Be respectful of every individual’s legal right to express opinions, whether you agree with them or not. Be tolerant and considerate of others’ positions and opinions. Do not engage in name calling or behavior that may reflect negatively on you or your company’s reputation. Be knowledgeable, accurate and professional in your on and offline communications.
  • Hate speech: anything misleading, obscene, false, defamatory, profane, discriminatory, harassing, abusive, threatening, hateful or embarrassing is unacceptable and may be cited as cause for termination.
  • Commenting on competitors should only be accurate and verifiable observations. Do not deride, attack, or badmouth competitors.

Personal Privacy


All employees have a right to personal privacy. Honor it. Do not post personal information or internal Cohesive content without permission to do so.


Protect Confidential Information 

  • You are required to protect trade secrets, IP, and information related to the company’s business with our customers and partners at all times.
  • Never disclose confidential information on or offline. This includes forecasts, earnings, trademarks, upcoming product releases, products, strategy, policy, management, operations, potential and pending acquisitions, and nonpublic financial information such as future revenue. When in doubt, leave it out!

A note on Personal Social Media

Your blog, Twitter, Facebook, and LinkedIn accounts are YOUR voice. Use your social media to build your own brand. Share your thoughts, experiences, etc. Use your social media accounts to show how you continue to grow in your area of expertise.

Your social media is a powerful way to give your honest and authentic thoughts on trends, news and companies. Any recommendations or opinions should come with a disclaimer that you work for the company or have an existing relationship.

Use common sense. The Internet is FOREVER. Be polite, respect IP, be authentic and consider your public audience when you write. I recommend not to reference your employer in your username or identity. Feel free to reference your employment in the about section of your accounts but be sure to add something along the lines of “views are my own”.

Good luck, and share on!

AWS Summits recap

Republished from the Cohesive Networks blog on August 17th, 2017

This week was the final AWS Summit for the Cohesive Networks team. We’ve been to this year’s London, Chicago, and New York Summits in 2017 and had a few thoughts from the events.

London, at the end of June, was the first summit for the Cohesive team. The biggest trend I noticed was the marked difference in conversations from the AWS Summit in London last year. Last year, I noticed most attendees were just starting to consider cloud and AWS and had not actively started using any IaaS technology. This year, by contrast, so many conversations jumped right into cloud use cases, from network connectivity concerns to encryption in transit. Not only are people using cloud but they are seeing the need for VNS3’s enhanced network and security.

I had a long talk with a pair of website and app developers who wanted to segment their AWS subnets for added network security. Another wanted to add more VPN endpoints to his VPC regions. Several conversations about VNS3 also involved Azure, which was a big surprise. Not only are Londoners actively using AWS but they are already embracing a multi-cloud hybrid approach.

One thing that was unique and helpful in London was their Marketplace seller “passport” promotion. Attendees visit 10 booths of AWS Partners that sell products on the AWS Marketplace. Each booth signs the passport and has a chance to chat with attendees who are looking to earn some AWS credits. Once attendees earn 10 signatures, they can turn it in to the AWS Marketplace staff to get $100 of AWS credits. Granted, most just stopped by for a quick hello and signature but it was a great way to meet active AWS users in the crowd in addition to the brave souls who stopped to have a longer conversation.


Next stop, Chicago at the end of July. Most of the Chicago Cohesive team was on hand which was a very good thing since the expected crowd of 5,000 was well over 7,000 from our estimates. After hearing rumors of AWS Summit not coming back to Chicago, it was good to see such a big crowd and a 2 day event.

Personally, the best part of the Chicago Summit was getting to see so many local AWS users and partners. I organize the AWS Chicago user group, so many group members stopped by the Cohesive booth just to say hi. AWS account reps and technical leads based in Chicago are becoming more active with the local AWS users. After a long time of not being able to meet with AWS employees in person in Illinois, it’s great to shake hands with real people from Amazon.


Final stop, New York Summit. This summit was probably a victim of poor timing. A Monday conference in August in NYC is an odd choice. I suspect attendance was lighter than hoped for since everyone I know was taking a last-ditch vacation before school starts up again. Nonetheless, most attendees had connections to banking and financial services and knew they have serious security challenges to solve.

It is always nice to have happy customers walk up and introduce themselves. We had a few in New York immediately say “I use VNS3 and it’s great!”


I assume AWS Summit attendees are interested in cloud, IaaS, and AWS in particular so it’s not a full view of the cloud user market. Just from comparing last year to this year in London and Chicago, AWS users are advancing into more technical use cases with cloud, far beyond dev/test and new projects. Attendees at each event had complex use cases for connecting existing data centers, extending cross-region networks, and encrypting data as it travels in shared environments.

AWS Summit Promo just for you!
Now through the end of the year, we’re running a special on VNS3 Lite editions in the AWS Marketplace. Try VNS3 today for free.

Try one instance of VNS3 Lite for 29 days without any cost. There will be no hourly software charges for that instance, but AWS infrastructure charges still apply. Free Trials will automatically convert to a paid hourly subscription upon expiration. See all the details in the AWS Marketplace.

By: Margaret Valtierra

Stop vulnerabilities in your network: why 229 days is an unacceptably long time

First published in Cloud28+ 

By Margaret Valtierra

8 Aug 2017

Cloud28+ members can rethink network security to make attacks less possible and less profitable for hackers.

Minimizing an overlooked attack vector: interior networks

The most frightening part of big-story data breaches has been how long it takes to detect malicious traffic or a network breach. In Sony’s case it was never detected; the hackers posted threatening messages and leaked the data publicly. The Experian/T-Mobile breach lasted over 2 years.

Mandiant’s Threat Report found the average time for a company to detect breaches is 229 days; 4% slower than reported the year before. 69% learned of the breach from an outside entity, such as law enforcement. Ponemon reports that it takes IT security teams in financial services an average of 98 days to detect intrusion, and an average of 197 days in retail.

These trends beg two questions:

  • How can organizations minimize their attack vectors while benefitting from cloud?
  • Can network security measures make network intrusion significantly less fruitful for hackers?

With greater network sprawl, we should assume internal networks are as dangerous as public internet.

So how can we protect applications, servers, systems inside a network? Segmentation.

Most applications (i.e., the set of servers that perform a business function) in a network can be made “invisible” to each other (from a network perspective). Even with only basic interior firewall rules, an organization can protect itself from a Sony-style data exploit.

Segmenting by application or function, some call it micro-segmentation, can achieve greater security and granular control by making cloud or data center resources invisible and undetectable to each other.

Cloud28+ users can build security into every aspect of application architecture. By assuming all networks are dangerous, teams can better secure critical data as it travels across networks or resides in shared environments. By using segmentation at the application level, critical applications can limit their network interactions to only essential traffic. Most app servers should be invisible to each other as well, allowing app teams to focus on app needs, not blanket policies.
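To make the segmentation argument concrete, here is an added example (not from the original article or any Cohesive Networks product): a small Python audit that compares a flat interior rule set with one segmented by application and reports cross-application flows that are allowed but not essential. The server names, addresses, rule format and list of essential flows are all constructed assumptions.

```python
import ipaddress
from itertools import permutations

# Constructed inventory (assumption): server -> (application, interior IP).
SERVERS = {
    "web-1": ("storefront", "10.0.1.10"),
    "web-db": ("storefront", "10.0.1.20"),
    "hr-app": ("payroll", "10.0.2.10"),
    "hr-db": ("payroll", "10.0.2.20"),
    "mail-1": ("email", "10.0.3.10"),
}

# The only cross-application traffic the business needs: (src app, dst app, port).
ESSENTIAL = {("storefront", "email", 587), ("payroll", "email", 587)}

# Allow rules as (source CIDR, destination CIDR, port); None means any port.
# Traffic that matches no rule is dropped (default deny).
FLAT = [("10.0.0.0/16", "10.0.0.0/16", None)]
SEGMENTED = [
    ("10.0.1.0/24", "10.0.1.0/24", None),   # storefront talks to itself
    ("10.0.2.0/24", "10.0.2.0/24", None),   # payroll talks to itself
    ("10.0.1.0/24", "10.0.3.10/32", 587),   # storefront -> mail submission
    ("10.0.2.0/24", "10.0.3.10/32", 587),   # payroll -> mail submission
]


def allowed_ports(src_ip, dst_ip, rules):
    """Return "any", or the set of ports the rules allow from src_ip to dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ports = set()
    for rule_src, rule_dst, port in rules:
        if src in ipaddress.ip_network(rule_src) and dst in ipaddress.ip_network(rule_dst):
            if port is None:
                return "any"
            ports.add(port)
    return ports


def cross_app_exposure(servers, rules, essential):
    """List (src, dst, ports) flows between applications that are allowed but not essential."""
    findings = []
    for src, dst in permutations(sorted(servers), 2):
        (src_app, src_ip), (dst_app, dst_ip) = servers[src], servers[dst]
        if src_app == dst_app:
            continue
        ports = allowed_ports(src_ip, dst_ip, rules)
        needed = {p for a, b, p in essential if (a, b) == (src_app, dst_app)}
        if ports == "any":
            findings.append((src, dst, "any"))
        elif ports - needed:
            findings.append((src, dst, sorted(ports - needed)))
    return findings


def visible_apps(name, servers, rules):
    """Other applications that server `name` can reach on at least one port."""
    app, ip = servers[name]
    return {other_app for other_app, other_ip in servers.values()
            if other_app != app and allowed_ports(ip, other_ip, rules)}


if __name__ == "__main__":
    for label, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(label, cross_app_exposure(SERVERS, rules, ESSENTIAL))
```

With the flat rule every server can reach every other application on any port; with the segmented rules the only cross-application path left is mail submission, and the mail server itself can see no other application.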

Featured in Stackify article “25 App Developers and Cloud Pros Reveal the Biggest Advantages to Hosting Your App in the Cloud”

Written by Angela Stringfellow – published MAY 8, 2017 on Stackify

More businesses are moving legacy applications to the cloud than ever before, but app developers face a unique set of circumstances. Sudden shifts in usage, for instance, can be catastrophic unless you’ve planned well in advance for such an increase — which is one reason load testing tools are so valuable, allowing you to test your app’s performance under a variety of simulated load conditions.

But if you’re hosting your app locally, your problems don’t end with an app that may not be able to handle the load. Can your server take care of it? Can you afford to pay for massive amounts of capacity that you may or may not need? These and other issues are one primary driver behind more developers turning to cloud hosting for their apps.

To learn more about the advantages app developers and organizations are reaping with cloud hosting, we asked a panel of app developers and cloud experts to answer this question:

“What are the biggest advantages to hosting your app in the cloud?”

Margaret Valtierra


Cost – Cloud shifts the costs of owning and maintaining data centers to on-demand pricing – it’s the difference between capital expenditures (or CAPEX) and operational expenditures (OPEX). According to the CSC Cloud Usage Index, 82% of respondents saved money on their most recent cloud project.

Speed – Cheap, fast, and available compute resources let businesses quickly move past the old steps of develop, test, migrate, deploy and re-architect.

Scale – Amazon (or AWS) has 16 geographic regions around the world. Microsoft Azure is available in 30 regions, with 8 in the works. These are pre-built points of presence for businesses looking to grow internationally.

Productivity – At the very basic level, cloud masks the technologically complex work of providing features, functions, and access to data (think email, Dropbox, Salesforce).

Performance – On-demand scalability, or elasticity, lets organizations save on costs by paying for usage, not the maximum capacity needed.

Reliability – Cloud providers all offer Service Level Agreements (SLAs) of services, usually including Availability, Performance, Security / Privacy, Access to data, Portability of data and any Dispute mediation process.

See the full article on Stackify.