The last time I posted on this blog was March 13th, 2013 immediately following my last public speaking engagement at an information security conference. Who was to know that a year later I would be done with enterprise security and working in a totally new vertical? Certainly not me.

In May of 2015 I started working as a product security consultant for a major medical device manufacturer assisting a variety of medical device engineering teams. My scope and focus moved from the abstract 50,000 foot view of enterprise security architecture to deeply technical, in-the-weeds work with those engineering teams developing design inputs to move medical device security forward.

To say that it has been a massive learning experience is an understatement. However, it has also been extremely rewarding. I work in a space where we are making changes that have real positive impact on the safety of human beings and the protection of the information they share with their healthcare providers.

I perhaps have a blind spot, but the mass of communication I see online seems focused rather stridently on how bad things are and how medical devices are the next blah blah blah we're all gonna die blargle blargle blargle.

Are there bad things happening?

Of course.

Are medical devices a bit (lot) behind the times when it comes to their security posture?


However, there are some of us out there making changes and trying to move the needle. To that end, I'll be offering some thoughts here and there about what I see happening and what kind of changes are occurring.

I hope you find it interesting.

To that end, I am always happy to focus my attention in places where people have questions, so leave a comment mentioning things you are curious about related to medical device security and I'll do my best to speak to them.

Until next time, hopefully not three years from now, later.


Just a quick note to let you know that I will be speaking at RSA USA 2013 in February. I'm pretty excited about it.

The title of my talk is Winchester House Security: Why Enterprise Security Architecture Matters

It's a quick 20 minute exploration of how we manage to end up in a place where:

  • We don't have a good idea how everything fits together.
  • In some cases, we don't even know what we have.
  • Things don't talk to each other.
  • Things don't talk to anything.
  • We have unintentionally repetitive solutions.
  • Etc.

Just so I'm not a complete Debbie downer, I'll also share how you can get started on the path to building an Enterprise Security Architecture which helps us avoid the things listed above.

I'm speaking at 11:40 on Friday in Room 309.



My apologies to my readers spread far and wide, but this particular post is targeted at those who are near Des Moines, IA.

Tomorrow night, Thursday, October 18th, at 7:00 PM, Marian Merritt, Norton's Internet Safety Advocate, will share the latest information about what young people are doing online, the real concerns parents should have, and actionable strategies and tips for getting technology under control. From social networking to sexting, and from cyber bullying to cybercrime, you’ll walk away with a new plan for helping your kids learn to use technology wisely and safely.

The event is being held in the Learning Resource Center at 3550 Mills Civic Parkway, West Des Moines, IA.

More information can be found in this PDF: Internet Safety Event



Upgrading my Theme

by kriggins on October 12, 2012

in Announcement

This site uses the Thesis theme. I love Thesis and am going to continue to use it. However, the latest version, 2.0, is significantly different than the previous version. This has the potential to make the 🙂

I hope the change is somewhat seamless, but you just never know.

Please be patient.




OT: Walk the Talk – #DefConWalkers

by kriggins on July 9, 2012

in Announcement

I don't talk about it here much, but I've been on a journey over the last couple years to a healthier me. I blather on about my exercise and nutrition stuff on my personal twitter account, @kriggins, and thus the title of this blog post. If you are interested in reading more about that, this blog post gives the detail.

One of the changes I made is I try to get in a walk every day that I don't work out. That's at least three walks per week since I CrossFit three times per week and sprint once per week.

So what does that have to do with DefCon?

I'm glad you asked. I, and a number of others, are gonna keep the habit alive by walking in Las Vegas while there for DefCon 20.

We are going to have daily walks in the morning.

Here are the details as of this moment.

Time: 7:00am Wednesday the 25th - Monday the 30th

Location: Depart from the Rio. More details later.

Length: 3 miles (may add a shorter route and a longer route if there is interest)

Estimated Time: 60 minutes (that's about a 3 mph pace, again may add shorter route if people want a slower pace)

I will have route maps and further information available in the near future.

If you want to be included in updates, let me know via the comments below or you can @ me at @kriggins or, if you prefer to not have to follow a private account for updates, @randommissives (also me.) You can also follow the #defconwalkers hashtag on Twitter.





I have been involved with the Society of Information Risk Analysts from almost the very beginning. I think Jay, Chris, and Alex had the idea and I jumped on board a few days later. It is a fantastic organization that has a very active and lively mail list.

The home page for SIRA is here. "Membership" is free and mainly consists of signing up for the mail list and requesting an account on the website.

Anyhoo. We are having our very first conference. It will be the day before Secure360, i.e. May 7th, and it is going to be a day of awesomeness for those who live and breathe risk analysis and risk management or for those who want to know more.

Go here for more details: SIRACon

Feel free to contact me with questions or post them in the comments.



Hey folks.

Two updates in one day. 🙂

The PDF of the how-to is now available. You can find it here.




Just a quick note to let everybody know that I have confirmed that the Backtrack 5 "Full Disk" Encryption How-to works just fine with the R2 release. However, I did update the how-to with a couple changes:

  • lvm2 is now part of the ISO in the R2 release. That means we no longer have to use apt-get to install it. However, we still need to install hashalot, so it doesn't save us a step.
  • Added a note at the end about using dd to back up your install per a very good suggestion by Richard in comment 241.

As I was updating the how-to, WordPress helpfully removed most of my formatting. Ugh. I think I have things at least readable and usable at this point. I will be going back and cleaning up more this weekend.

If you notice any problems, please let me know.



RSA, SecurityBsides San Fran and Me

by kriggins on February 22, 2012

in Announcement, Conferences

Hi folks. Just a quick note to let you all know that I am moderating a session at RSA next week. The title is Cloudy with a Chance of Risk.

From the catalog:

Cloud computing brings with it a need to modify our risk assessment and risk management efforts to incorporate the somewhat unique challenges that a distributed, scalable, location independent architecture brings. This session will explore real world instances of how individuals are addressing this complex issue, resulting in some pragmatic steps that can be used in the real world.

The session is on Wednesday, the 29th at 1:00 in room 111.

I will be spending my time wandering between RSA, SecurityBsides and the hallways. Look me up if you want to chat. The best way to reach me is via twitter using my @kriggins account. Yes, it's protected so you will have to follow me if you want to see any responses to meet-up queries 😉

I look forward to connecting with friends and making new ones.



SecurityTwits DefCon Meet-up

by kriggins on July 19, 2011

in Announcement

Update: The date is the 3rd, not the 4th. Repeat, the date is Wednesday August 3rd for the meetup. Also, it is a 21+ venue only. My apologies to the younger twits.

Yup folks, it's that time of year again. That time when hordes of hackers, crackers, geeks, nerds and the odd FBI agent descend on Las Vegas for DefCon.

Which means it is also time for the annual SecurityTwits Las Vegas Meet-up!


Before I get to the details, I want to send out a big thank you to Jack Daniel who put me in touch with Chris Nickerson who offered up the BSides LV venue as a place for us to gather. That just completely rocks.

I also want to thank everybody else who sent me notes offering to help. I may yet call on you 🙂

One final note, unless somebody wanders forward and wants to buy us all drinks, this is a cash bar situation. Because of that, there will not be a guest list/sign-up process. Just show up. If there is room, you'll get in, if there isn't, you won't 🙂 That shouldn't really be a problem, but be warned.

Here are the details:


Wednesday August 3rd, 2011


Starts at 8:00 pm and goes till whenever


The Artisan Hotel
1501 West Sahara Avenue, Las Vegas, NV 89102

In the bar/pool area.

Important: The venue is a 21+ location. My apologies to those under 21.

I look forward to seeing everybody there. If you have any questions, feel free to leave them in the comments below, reach me via twitter, or email me at