Great Women In Fraud

Episode 49 Tracy Z. Maleeff, (She/Her) InfoSecSherpa: Your Guide Up a Mountain of Information

September 14, 2021 Kelly Paxton, CFE Episode 49

Diana Initiative 2020 - Tracy Z. Maleeff - Empathy as a Service to Create a Culture of Security - YouTube

Who loves social media? Who specifically loves Twitter? As you know, I love Twitter for lots of reasons, but Tracy Maleeff, aka Infosec Sherpa, is a big reason. We connected on Twitter a while back. We then connected on LinkedIn. I made a big ask to have her as a guest and she said yes. You are going to want to listen. Tracy's story is really fascinating on many levels: her start as a librarian and then changing to the InfoSec world. The story about the Twitter list and helping a client is amazing. We will both be at OSMOSIS this year. Maybe virtually, but it's her first time at OSMOSIS and she is going to love it. Let's get started.

00:02:37.830 --> 00:02:59.070

Tracy Z. Maleeff: Oh So yes, mouth, so my tale is that I was a librarian for 15 years. I have a master's degree in library and information science from the University of Pittsburgh, and I decided in 2014 that I needed to do something else with my career, but I didn't know what that was.

And I was just getting very sad and depressed that I felt like my library career wasn't really going anywhere. I've kind of done a lot of stuff.

In library world and I just thought I can't coast on this I just didn't feel like I could I could stay where I was and do the same thing, for you know until retirement, so I used to cry on the train.

00:03:26.340 --> 00:03:40.140

Tracy Z. Maleeff: And I was just so sad, and I started trying to read to take my mind off of my sadness, and I was reading this article that was in Entrepreneur magazine, and the title of the article was how to future proof your career in.

00:04:29.310 --> 00:04:38.220

Tracy Z. Maleeff: And I was serious. January 1, I sat down, I redid my resume, redid my LinkedIn, but the first step I took was I went on three interviews for library jobs. Now, you might be thinking, but you just declared it the year of your career, what you're doing.

I wanted to be absolutely sure that I was ready to step away from that industry, from that career, because I'd spent so much time in it.

I didn't want to make I didn't want to pull my push forward and then constantly be thinking about regrets or questioning my decision so that's why.

00:05:08.640 --> 00:05:15.210

Tracy Z. Maleeff: I applied for some library jobs, I went on three interviews, and after each interview I just thought this is more of the same.

And then I got it out of my system, and then I was able to forge ahead, so I spent January 2015 just looking at other library jobs and then realized okay, I'm good to move on.

00:06:33.810 --> 00:06:42.300

Tracy Z. Maleeff: And everything really just clicked and resonated with me and I, I have this joke that I say is you know I had the realization that my natural paranoia and distrust of things, was a career path so I just kind of went you know went for it and took cyber security fundamentals classes. And even approached the CIO of the law firm, where I worked, I was a law firm librarian and I asked what the firm is doing for cybersecurity awareness month.

And you know, he was unfamiliar with that, so I had this whole proposal that I sent him and he approved it, he said okay we're doing this you're running it.

00:07:21.540 --> 00:07:32.250

Tracy Z. Maleeff: You know, was great, but on the other hand, I was like no like I can't go back to library life now like, I want to be in information security so that's when I started my exit strategy.

00:07:32.850 --> 00:07:39.870

Tracy Z. Maleeff: And figured out, you know how like how I could make you know, make a career pivot. And then I was in my 40s. I'm still in my 40s but I was you know, I was to give people context, I mean, yes, I was making a major life-changing career change in my 40s which some people think is unheard of, especially in being a woman in tech.

But it's possible you know, a tech field it's possible I did it.

00:08:35.520 --> 00:08:42.330

Tracy Z. Maleeff: And in my mind, though, creating my own business was just a catalyst to get me into a full-time infosec job which I know a lot of people have said to me, well then your business is going to fail because you're not thinking long term but to me it made sense I'm like I just need to make money now, because what I really want to do is in information security.

So I used my skills, and this is where the elevator, the actual elevator pitch comes in, is, I was trying to get a job in infosec and not a lot of people, but a few people would be very perplexed when I would say that I was a librarian getting into infosec, because they couldn't.

00:16:56.100 --> 00:17:15.690

Tracy Z. Maleeff: Thank you, yeah, I, well, I joined Twitter, I believe, okay, so funny story, I believe that I joined Twitter in 2006 when they started, but my, so my original account is Library Sherpa, that's how, that's, that was my first brand, was Library Sherpa. And my husband and I used Twitter like it was like a texting platform. I would ask him, ask him what he wanted to do for dinner, he would, you know, at back at me.

You know, I don't know. What do you want to do? Because back in the day it was like the wild Wild West, like Twitter was just, if you think it's bonkers now.

It was bonkers then because people didn't really know what to do with it, so it was just a lot more chaos, what I recall and I'm pretty certain.

00:18:11.460 --> 00:18:24.900

Tracy Z. Maleeff: So okay, so I do have a funny story about that. So for the longest time with Twitter as Library Sherpa I hid my identity, because at the time I worked for someone who had very weird ideas about me saying my real name online, because, oh, they'll connect you to the law firm, and in hindsight it just really was unfounded, it was just.

I won't go there, but it was just really misguided and misunderstood information.

So I kept myself a secret for a long time, and finally, I decided I'm tired of this. I'm just going to say, you know, I'm going to come out on Twitter, so to speak, so I was at a conference.

I remember exactly, it was the Canadian Association of Law Libraries. I don't remember what year it was, but it was in Windsor, Ontario.

And I was, yeah yeah, I was in Windsor, and it was so long ago that I had a BlackBerry, actually had a BlackBerry, and I had had the BlackBerry on the podium.

And I started my speech, and I said, you know, hi, my name is Tracy Maleeff from, you know, global whatever, for, you know, whatever, for most of the time.

And I said, or you may know me online as Library Sherpa. Well, my BlackBerry was on buzz and it just started like shaking the platform and.

The audible, I will never forget this, the audible gasp that came from the audience like actually made me stop for a second, because I did not expect that reaction.

But yeah, there was an odd, there was maybe like 300 people there, there was this audible gasp and then my phone started buzzing and it was people tweeting like, oh, Library Sherpa's Tracy, and all this so.

That was kind of funny, yeah, I did not expect, I honestly did not expect that reaction, and so yeah, then just hence a brand was born, and then fast forward to.

You know, me making this career change, so yeah, and I was like, well, I should have a separate account on Twitter, so that I could kind of follow these infosec folks.

00:22:53.820 --> 00:23:08.190

Tracy Z. Maleeff: Yeah, it's interesting, and actually the first talk I ever gave to an infosec audience, I did a lot of deep dive research tips into Twitter, and after I gave my talk, I'm saying this tongue in cheek with air quotes that you can see, but scary hacker dudes came up to me after my talk and said, oh, I didn't know Twitter was a website, I thought it was just, you know, an API or an app or something, and yeah, so I, yeah, there seems to be, I'm not sure if so much anymore, but definitely a couple of years ago there were still a lot of people not sure what it was, but that's fine, because I mean I give a lot of talks about social media.

00:23:40.200 --> 00:23:52.380

Tracy Z. Maleeff: I did when I was a librarian and I kind of do now in infosec, but I always say to people, for every five social media platforms, you know, there's likely 10 to 15 more that you've never heard of.

00:23:53.310 --> 00:24:04.590

Tracy Z. Maleeff: There are, you know, Taringa is a Latin American sort of Facebook-ish, VK is Russian Facebook, you know, air quotes, Russian Facebook.

00:24:06.030 --> 00:24:23.520

Tracy Z. Maleeff: You know, there's so many, especially because they're homegrown, because they're non-English language sites, so there's so much that, you know, we all, we're all familiar kind of with the big ones, but there's so many more out there that people don't even know exist.

00:27:15.120 --> 00:27:23.730

Tracy Z. Maleeff: For search to find lists, like, you know, use like the inurl command and things like that to find Twitter lists, and I think that's pretty much common knowledge, I don't know, but I can show, speaking of Twitter lists, I can share the trick that I did when I was a freelancer that blew the client's mind. So this client approached me, and it was, you know, a cyber security company who shall not be named, wanted to know who their competitor, who also shall not be named, and now, these are both two smaller companies, they wanted to know who their competitor had as clients, but they didn't want me to spend any money to do the research. They were going to pay my time, does this sound familiar to freelancers? Yeah, so I mean they were going to pay me for my time, but I couldn't spend any money on any resources to get this information, because, you know, there's tons of marketing companies that have this information already. So I, you know, I'm not going to give away all my secret sauce, but I did a couple things and found, you know, found some clients to round up for them.

And so, finally, I was like, well, I feel like I'm not giving them enough, and you know, as a professional I wanted to make sure I gave everything, and all of a sudden, I had the brainstorm. I thought, what if I go to the target's Twitter, and just social media, but specifically Twitter account, and look at their lists? What's the chance that this target has lists that have their clients on them? They not only had one list, they had three lists on the target's account, and they, now, lists can be public or private, and, obviously, because I could see them, they made them public. There was literally a list that said clients on it.

So yeah, they had, and they had two others, I forget, they were called, like one of them was some sort of like party invitations or something, so one was clients, one was prospective clients, and one was something about like party invitations or something, which could also fall into like people they were looking at. So, not only did I screenshot the heck out of everything.

And I mean I had to laugh because part of me thought I was like yeah that really wasn't that difficult, but on the other hand, I'm good I was just.

00:30:20.520 --> 00:30:29.670

Tracy Z. Maleeff: I was just lucky. Sometimes it's better to be lucky than good, right, because what were the chances that they had these public lists? So I love to tell the story because, you know, one, social media can tell you where a lot of bodies are buried, you know, based on even interactions. You know, there's a command that, if you wanted to see if two companies have ever talked to each other, air quotes, on Twitter, you can do to, colon, one Twitter handle, space, you know, from, colon, and another handle, and that will show you tweets between two entities, so whether it's two people or two companies.

00:33:38.700 --> 00:33:47.010

Tracy Z. Maleeff: This was when I was a law firm librarian, and one of the higher level attorneys sat down with me and my manager, who was the library director.

And said we're opening an office in this city in the Middle East, and we need to build a library from scratch, you know, which includes the legal materials for that region, and that wasn't an area of expertise for me.

So my quick thinking. I said, oh well, can you tell me if there are other law firms already in that city, and he said oh yeah, and he rattled off a couple of law firms, and inside my head I'm going, I know someone there, I know someone, there is one there. So I reached out, and these were all people that I had met through professional networking through my library association.

So I reached out to a bunch of them, you know all at once, and just said hey Can you help me with this, you know I'm sending it to all of you, so you can see, so reply all so that you're not all separately working on this. And the first person who got back to me said Oh, as a matter of fact, my manager set up our law firm's office in that Middle Eastern city, let me go talk to her. And maybe like 15 minutes later I'm getting a PDF emailed to me with her entire collection and said oh yeah she said, you can have it just build off of that.

And that was purely through networking, so of course the Attorney and my manager again thought I was this magician genius and it was all because of networking because he was rattling off law firms as like yep and so when there is someone there and his own.

00:35:20.790 --> 00:35:32.130

Tracy Z. Maleeff: But networking to it needs to be your networking needs to be diverse and I don't mean you know just race or heritage or anything like that.