RESUME/MEDIA
PROFESSIONAL INFORMATION:
In the 20+ years I have been involved in the InfoSec community, I have worked for some of the top companies in the industry. At this time, I feel that my unique combination of technical, speaking, writing, and interpersonal skills sets me apart from others as one of the premier security professionals in my field. First and foremost, I have the mind of an offensive penetration tester with a knack for hardware hacking and embedded device security. In 2011, my presentation at Black Hat displayed security weaknesses in insulin pumps, including a live demonstration in which I remotely suspended the delivery of insulin. I repeated that success in late 2016 with my research on the Animas Ping insulin pump that replaced the Medtronic that I had. I crave the “pursuit of intellectual happiness” that comes from diving deep into the technical details of penetration testing, whether it is looking at embedded devices, or the more traditional spaces of networks and servers. I bring this technical background and knowledge to all the client engagements.
Second, I have a passion for public speaking and sharing my knowledge with others through teaching and education. I have given multiple presentations on the ethical dilemmas that security researchers face when discovering zero-day vulnerabilities, based upon my work with medical devices. I have also spoken at dozens of conferences and seminars around the world. My master's work at the SANS Technical Institute has inspired my mentoring of those newer in their careers. Teaching, for me, is a wonderful way to keep my skills sharp and a way that I can give back to the community which has given me so much.
WORK EXPERIENCE
Thermo Fisher
Scientific Director, Product Security Testing & Research
2019 - Current
- Direct a team of Security Researchers and Penetration Testers
- Work with Product Teams on developing security controls
- Work with outside research groups on product security
- Manage testing and research budget(s)
- Develop relationships with outside security firms
Thermo Fisher Scientific
Cyber Security Researcher
2018 - 2019
- Conduct Security Assessments and Penetration Testing on Lab Devices and Equipment produced by Thermo Fisher Scientific
- Train and Mentor Junior Security Analysts
- Develop and Create Training for Developers and Engineers
- Consult with Product Managers on FDA 510k Pre/Post Market Cyber Security Guidelines
- Develop new security products and processes
Boston Scientific
Cyber Security Researcher
2018
- Worked with R&D and Development Teams to embed security into product design(s)
- Conducted Security Assessments on Medical Devices
- Worked with Project Managers on FDA 510K Cyber Security Documentation
- Consulted with Product Managers on FDA Post-Market Guidance
Rapid7
Principal Security Consultant
2014 - 2018
I joined Rapid7 as a Senior Penetration Tester and was moved to the Strategic Services Team as one of its first members. I was awarded the Security Hero of the Year in 2016.
- Conducted Penetration Tests individually and as part of a team
- Developed new offerings for Cyber Security Maturity Assessments, HIPAA, NY DFS Cyber Security Regulation(s), CIS Critical Controls
- Conducted Independent research on IoT and Medical Devices
- Provided Technical Expert Witness services to Law Firms
InGuardians
Senior Security Consultant
2012 - 2014
- Conducted Penetration Testing services on traditional IT networks
- Researched Embedded Hardware (IoT, Smart Grid, IIOT, Medical Devices)
IBM / Internet Security Systems
Cyber Threat Analyst / Security Engineer / Senior System Administrator
2000 - 2012
- Authored Weekly Cyber Security Assessment and News articles
- Provided research assistance to our Managed Security Services staff
- Built a custom device management platform based on open source software to support the ISS/IBM MSSP Service for 25,000+ security devices
- Designed and supported back-end infrastructure for the MSSP service offerings
EDUCATION & CERTIFICATIONS
SANS Technology Institute
Master of Science, Information Security Engineering
One of the first graduates of the Master's program. Focused on Offensive Security, Legal Issues, and Defensive Techniques.
Wayne State University
Bachelor of Arts, Criminal Justice/Pre-Law
Heavily focused on the intersection of law and technology.
ISC2
CISSP (2001 - Present)
GIAC/SANS
GSEC (2006 - 2014)
GCIH (2007 - 2019)
GCIA (2008 - 2016)
GCFA (2009 - 2014)
GPEN (2009 - 2014)
GWAPT (2010 - 2014)
GLEG (2007 - 2014)
GCPM (2008 - 2014)
GLIT (2007)
GLDR (2007)
GSPA (2007)
SS-GHD (2007)
MEDIA COVERAGE
- Medical-device-hackers-find-government-ally-to-pressure-industry
- j-j-warns-diabetic-patients-about-hacking-risks-of-insulin-pumps
- Multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump
- Health-care-cybersecurity-vulnerability-disclosure-bsides-las-vegas
SPEAKING EVENTS
2019
FDA Workshop, Washington, DC
2018
CyberMedSec Conference, University of Arizona Medical School
Boston Scientific Product Security Conference, Minneapolis, MN
BSidesLV, Las Vegas, NV
BlackHat, Las Vegas, NV
2017
MEDSEC Medical conference, Orlando, FL
BSIDES Detroit, Detroit, MI
NASDAQ Marketing Event, New York, NY
Northeastern Panel on CyberLaw, Boston, MA
DEF CON BioHacking, Las Vegas, NV
CIO Presentation for Medical Industry,
FTC Regulatory Conference
Diabetes Technology Conference, Paris, France
2016
Keynote Security of Things conference, San Diego, CA
Week of Media With Insulin Pump, Boston, MA
Media event for Pump Disclosure, Boston, MA
DerbyCon, Louisville, KY
DEF CON Biohacking, Las Vegas, NV
BSidesLV, Las Vegas, NV
BSidesSLC, Salt Lake City, UT
Helmstar Investment Group Lunch, Boise, ID
Bsides Seattle Conference, Seattle, WA
2015
Keynote Security Conference
Northeastern Law School Guest Speaker
DerbyCon, Louisville, KY
CFAA Workshop Talk, Berkeley, CA
SXSW Talk, Austin, TX
Security Conference
2014
SANS Conference, San Francisco, CA
FDA Workshop, Washington, DC
DerbyCon, Louisville, KY
BSidesLV, Las Vegas, NV
BlackHat, Las Vegas, NV
FTC Talk, Washington, DC
2013
BlackHat Europe, Amsterdam, NL
BsidesLV, Las Vegas, NV
BlackHat, Las Vegas, NV
2012
Shmoocon, Washington, DC
2011
Intel Product Security Conference, Portland, OR
BlackHat, Las Vegas, NV
Videos:
- BH 2011 Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System
- Shmoocon 2012 Encryption, Passwords and Data Security
- BSidesLV 2013 Mom! I Broke My Insulin Pump... Again!
- BH 2013 Fact and Fiction: Defending Medical Device
- BH EU 2013 Building a Defensive Framework for Medical Device Security
- Interview Implanted Medical Device Security
- Interview Getting ahead on medical device security
- BsidesSLC 2016 The Hacker will see you now
- Derbycon 2016 What I have learned in 25+ years of Ham Radio
- BSides Detroit 2017 Hacking with Ham Radios What I have learned in 25 years of being a ham
- NYDFS Intro (2017)
Podcasts:
Olympic hacks & #drones + #MedicalDevice security w/ @jradcliffe02