Danny Fullerton
Information Security
Profile
More than 8 years of IT security experience covering governance, risk management, compliance, program development & management, system & software architecture, auditing, ethical hacking, system administration and software development.
Despite my deep technical background, my current interest is mostly around security management from a business perspective: an important area far too overlooked by the security community. However, I'm still working on technical subjects such as Trusted Computing, Qubes OS and DANE RFC (i.e. DNSSEC as a Root of Trust for certificate exchange).
Professional Experience
Canadian National Railway | Transportation
Security Enterprise Architect
2010-present
- Strategy development; Translate the security governance model (based on ISO 27000) into a security architecture vision.
- Architecture; Define an enterprise security framework that aligns people across all department structures (top-down approach), avoids redundancy and control discordance, integrates cost-effective solutions, provides a common foundation for all business initiatives, and is flexible enough to accommodate current and future requirements. Develop the framework architecture models, tools, principles and artifacts. Identify the gaps and establish the road-map to convert existing IT environments to the targeted posture. Communicate and promote the vision with the executives and within the different departments.
- Consultancy; Provide guidance and assistance in the deployment of new technology and practices (e.g. mobile device consumerization, cloud computing integration (identity federation, third party evaluation), network segregation, secure SDLC, SOA integration, etc). Ensure comprehension and adherence to the security architecture framework.
- Management; In charge of coordinating the communication and life cycle of the framework artifacts among the governance and IT operations groups.
Mantor Organization | Security Research
Founder
2004-present
- Management; Member and client relationship management.
- Infrastructure design; Installation, configuration, maintenance and review of organization IT assets: name, mail, web, cvs, file, backup services.
- Development; Security applications and solutions.
- Consultancy; Lead security officer of projects released under the organization's name.
IBM | Microprocessor manufacturing
Security Specialist & Ethical Hacker
2005-2010
- Management; Created and coordinated various control points and security processes relating to IT internal compliance control.
- Consultancy; Security advisor for software development and infrastructure design.
- Security training; Created a security course explaining exploitation and remediation of various security threats.
- Security policy; Created development security guidelines and modified the development framework to avoid common vulnerabilities such as SQL/command injection, XSS, client-side manipulation and others.
- Threat and Risk analysis; Evaluation of threats to produce qualitative or quantitative risk analysis with main focus on manufacturing process impacts.
- Software architecture; Design of a security application for centralized identification and documentation of overall security issues and compliance.
- Security audit; Penetration testing of critical software with open and closed source analysis (white and black box analysis). Conduct annual security audits of every systems group, mainly: AIX, z/OS mainframe, Linux, Windows. Also involved in different ethical hacking events for internal and external clients such as banks and manufacturing plants.
- Security software implementation; Installation, configuration, review and audit of various security technologies (Identity manager, NIDS, Honeypots, Authentication firewalls, etc).
Edison Communication | IT Solutions
Software Developer & System Administrator
2004-2005
- Development; Flexible and centralised authentication/authorization system and Intranet interface for image processing.
- Administration; Production servers Cobalt/Xserver/FreeBSD.
- Consultancy; Advisor for servers/services architecture and security policy integration.
Wissar Technologie | IT Solutions & Security
Chief Technology Officer
2003-2004
- Development; Creation of web site development framework and custom backup systems.
- System administration; Name, mail, web and file servers.
- Security audit; Ethical hacking and vulnerability assessment leading to system hardening and implementation of firewall/QoS/NIDS/HIDS systems.
- Management; Directing technical aspects of projects architecture such as conception, normalization and documentation.
- Consultancy; Evaluation of technology proposal to clients.
Expertise
Business
Training / Coaching, Project Management (long term or short term commando projects), Virtual Team Leadership, Problem Resolution, Lean Methodology, Business Development, Public Relations.
Standards
IBM's Security Standards, ISO/IEC 2700x, NIST SP 800-53, OWASP, OSSTMM.
Technical skills
Operating systems
- Unix; freebsd, openbsd, aix, darwin;
- Linux; ubuntu, debian, knoppix and variants, others;
- Mac; os x/server;
- Windows; all;
- Xen; qubes os.
Software
- Web; Nginx, Apache, MS IIS;
- DNS; NSD, Unbound, Bind, DNSSEC, TSIG, MS DNS;
- Email; Postfix, Qmail, Sendmail, Spamd, Spamassassin;
- File Server; Samba, NFS, DCE/DFS;
- Database; Mysql, Postgresql, Sqlite, DB2;
- Firewall, NAT and QoS; OpenBSD's Packet Filter, FreeBSD ipfilter, Cisco PIX;
- Crypto; OpenSSL, OpenSSH, Kerberos (GSSAPI, SPNEGO), OpenVPN, OpenPGP, GnuPG;
- Intrusion Detection; Snort, Ossec, Tripwire, Samhain, AIDE;
- Vulnerability Testing; Burp Suite, Webscarab, Metasploit, BeEF, hping3, Ollydbg, IDA pro, GDB, Nessus, ISS internet scanner, Winspector, Java/.net reverser, Wireshark;
- Debugging; Tcpdump, Wireshark, IDA pro, OllyDBG, GDB;
- Honeypot; Nepenthes;
- Forensic; Pyflag, Autopsy;
- Others; Trusted Computing (e.g. intel's TXT), hypervisors, J2EE and much more.
Languages
ruby (rails), PHP5, perl, c, nasl, c++, shell script, SQL, XHTML, css, ASM PowerPC, ASM IA32, java, etc.
Certifications
Realisations
Speaker at Hackfest
Trusted Computing - Security from ground up
November 2011
This talk was about one of the most controversial technologies we have seen lately (i.e. Trusted Computing). I explained why I used to hate it and how I came to change my stance by explaining how it works and how it can be used.
It was a follow-up to the first portion of my previous talk (i.e. Broken by Design) and was also complemented by an interactive workshop about Qubes OS.
Speaker at Hackfest
Broken by Design
November 2010
The presentation related the problems we face with today's operating systems, the way we manage security and the need for some change. A description of interesting avenues was presented: trusted computing, security by isolation (e.g. Qubes OS), and new ways of managing security processes.
Open-Source Contributor
Contributed to multiple open-source projects (e.g. ossec, pam_yubikey, munin).
Development Framework
Nicht
2005
Nicht is a nonintrusive, lightweight PHP5 framework for the development of small to average size web applications. The framework mainly interfaces a normalized authentication, authorization and navigation scheme in a way that enables us to use almost any type of backend we want (e.g. Mysql, flat file, Kerberos, LDAP, Active Directory, PAM or others) without internal changes to our application logic.
Seminar on Network Security
CDI college
2003
Production of a seminar on network security solutions offered by the BSD operating systems family. Mention received underlining my competency in the field of computer security.