Security's Everyman

Tuesday, November 27, 2007

More from the "Great Thinkers" series

OK, so I don't have a Great Thinkers series, but I think I'm gonna start one. One of my soapboxes is the need for IT and especially Information Security professionals to quit thinking alike and start thinking about your specific needs and the best way to protect your company. That is key to really being successful. If you just follow best practices and the crowd you probably will be secure, but you will never move beyond average. If that is what floats your boat then that's fine, but if you want to really make a difference and have the best chance to advance your career then you have to change the way you think. You have to keep on top of your game.

Rebecca Herold has a good post on her blog where she gives advice on "elevator speeches". In essence she is telling us that we need to be prepared to sell our program, ideas, plans and such at a moment's notice. We need to be prepared for the unexpected opportunities that sometimes come our way. It may be a ride in the elevator w/ the CEO when they ask you about your program. It may be that you get a call from your boss or your boss's boss. They want you to brief them on the status of your security program and they want it now or very shortly. What will you do? Have you thought about that possibility? Are you going to give them stats, charts and figures? Are you going to tell them about all the technology, policies, and such that you have in place? What about using this opportunity to give them a quick overview and at the same time sell them on the importance of the program and keeping it fresh and moving forward? If we tell them that we haven't had a breach and all is well then they may say "Great, you're doing a wonderful job. Keep up the good work!" Then they go on about their business and forget all about you. You don't get the funding you need for future projects and upgrades. You don't get the support you need to keep things going well. Then you get hit and it's your fault for letting it slip off their radar.

I'm not saying that you need to use FUD (Fear, Uncertainty, and Doubt) to keep them "afraid", but you need to know not only the status of your program but also what you need to keep it in good order. You need to think about how to best sell your program or at least keep it on the radar of management.

Monday, November 26, 2007

BREAKING NEWS: MAJOR DATA BREACH!!!!

I was just informed by one of our IT guys that there has been a massive data breach at TJX, the parent company of several "discount" department stores. It seems that someone was able to penetrate their wireless network............................... wait, what was that? This happened last year?

That was the gist of a conversation that I had this morning. One of the guys I work with came to me and asked if I had heard of the TJX breach. He just found out about it last night while watching 60 Minutes. I was stunned.

A couple of things clicked in my head after this. One, this explains why they have continued to have good sales numbers. Either people don't care or don't know. Two, this shows how easy it is to get caught up in your own little world and not realize just how uninformed the public can be. Three, we really need to do a better job of getting the word out about such things. Of course I'm not sure what we as IT and Security Professionals could do about this. It's been all over the news and multiple media outlets. Yet there are still some who are unaware of it. I don't understand how someone could not know. I guess in this case there is an exception to the saying "no man is an island unto himself".

Wednesday, November 21, 2007

Happy Thanksgiving!

To all my USA readers I hope that you have a great Thanksgiving Day and that you get to spend time with those you really care about.

For those of you outside of the USA I hope that you have a great day at work or whatever Thursday finds you doing.

Thinking Again

The SANS Storm Center has a really good piece today on thinking about what we do and why we do it. I'm a big proponent of not just doing but thinking about what and why and if there is a better way than the "best practice". It's good to see others doing the same.

Say What?

She didn't realize that I knew who she was. I had seen her picture and as soon as I overheard her conversation I was able to determine who she was. I was on a bus riding from the city back home to the burbs. She sat across the aisle from me and was talking to someone about a legal matter. She got off the phone and proceeded to call a friend to say Happy Thanksgiving. She should have stopped there.

As she talked w/ her friend she brought up the legal issue with her. She started the conversation with "I'm not supposed to tell anyone this". Then she proceeded to tell not only her friend but at least 5 or 6 other people sitting nearby. Since I am friends with the person that she is having legal issues with I know that her side of the story is riddled with flaws, inconsistencies, lies and all sorts of other things. Once I talk with my friend I think his case will be much stronger.

The above is not exactly true. I don't know any of the parties involved in this dispute, but I did hear way too much information about the case. Especially since she wasn't supposed to talk about it. As far as she knows there may have been someone on the bus who was familiar with this case. Her need to talk put her at risk of losing a court case. If she would do this with something this personal and of a private nature what is to keep her from doing the same thing with sensitive company information? This is just another example of the old saying "loose lips sink ships". You need to think about where you are when you are having private conversations.

Monday, November 19, 2007

Ethics Quiz

Update to my quiz answers.

Matthew posted a comment to this original post asking for some clarification on the conditions on my answer to question #3. In his comment he mentioned something about "breaking government law" and my willingness to do so. It kind of caught me off guard so I went back and re-read the question and realized that it said "You are aware state law prohibits". I had made the incorrect assumption (due to not carefully reading the question) that the question was the same as #2 except it dealt with uninstalling software instead of installing software. Shame on me for not being more careful. So, that being said, my answer is still D. Document the request and refuse to remove the software. I retract my conditional statement that follows. In this case there is no reason that I would uninstall the software and break state law.
____________________________________________________________________

Matthew Rosenquist, the blogger who wrote the article that I referenced in my post "Are You Ethical?" wrote me a comment today and asked if I'd be willing to answer his questions and post them to the blog. So here it goes (my answers are in red).

  • 1. You are conducting a confidential investigation of Employee ‘A'. An employee outside the team, asks "Are you investigating Employee ‘A'?"
You Answer:
A. Yes, we are
B. No, we are not
C. Maybe
D. I'm not sure/I don't know
E. Other: I can't/won't comment on any investigation that may or may not be going on.
  • 2. Policy prohibits any team member from installing software on Server ‘A'. In an emergency situation, senior management instructs you to install a critical piece of software on Server ‘A' to benefit the company.
You cite policy and:
A. Install the software
B. Refuse to install the software
C. Document the request and install the software
D. Document the request and refuse to install the software
(This is my answer based ONLY on these 4 choices)
My real answer would be dependent on exactly what the situation was, what the purpose of the server is, what the requested software is and what the implications of installing versus not installing it are.
  • 3. You are aware state law prohibits any team member from removing software on Server ‘A'. In an emergency situation, your management instructs you to delete a critical piece of software on Server ‘A'.
You cite state law and:
A. Delete the software
B. Refuse to delete the software
C. Document the request and delete the software
D. Document the request and refuse to remove the software
(This is my answer based ONLY on these 4 choices)
My real answer would be dependent on exactly what the situation was, what the purpose of the server is, what the requested software is and what the implications of installing versus not installing it are.

  • 4. Your manager instructs you to do something which is contrary to normal operating procedures. What do you do?
You cite the normal operating procedures and:
A. Do what is asked and report the incident to senior management
B. Refuse to do what is asked and report the incident to senior management
C. Document the request and do what is asked
D. Document the request, refuse to do what is asked, and report the incident to senior management
(This is my answer based ONLY on these 4 choices)
I chose to follow the request because this time it goes against SOP, not policy. SOP has room to wiggle; policy usually doesn't.
My real answer would be dependent on exactly what the situation was, what the purpose of the server is, what the requested software is and what the implications of installing versus not installing it are.

So, similar to Martin's comment most of these are very situational and not exactly black or white. I do believe that many situations are black and white but when dealing with technology and keeping a business safe and running situations play a big part in lots of issues. Ethics are still VERY important, but sometimes policy is wrong or hasn't taken into account every situation.

Sunday, November 18, 2007

Compliance and Audits

I just finished reading a post by Rebecca Herold on something that most of us don't think about or even realize can be an issue. It's a compliance related issue that I wasn't aware of, and I spent 3 1/2 years working for a company where 95% of the employees had to fill out I-9s. Not only that, but 99% of our customers were also not citizens of the USA. Still this was something that I never thought about and the company never brought up as something that I needed to be aware of. That makes me wonder what else am I not aware of? What other regulations are out there that I, as the Information Security Officer, need to be aware of? I thought I was doing a pretty good job of keeping up with the various regulations but this one slipped under the radar. I hope that there aren't others, at least not too many others.

Keeping up with these things can be a full time job, and if you don't have a legal department or an HR department that is on the ball then you had better be. I remember back in 2002 or 2003 when I first really became interested in compliance related issues. It was when HIPAA was approaching a big deadline for providers. I was tasked with becoming the HIPAA expert for the consulting firm that I worked for. At that time I decided that I would try to keep up with all appropriate regulations that affected the company that I worked for and any that may prove helpful in the future (the knowledge of them, that is, not the regulations themselves, since we know that most are not helpful in the least bit).

I recommend reading Rebecca's post (and her blog). It is full of good and useful information.

Another good post I ran across today was from the Security Monkey (he looks really familiar). In it he gives some really good information on how to handle yourself during an audit. If you have never been through an audit, or been an active participant in one, then you may not realize how important an audit is. Not only that, but how important it is that you conduct yourself in a proper manner. I have been lucky (OK, so I'm not being totally honest) to have been through several audits. At first they scared me to death. I was afraid of saying the wrong thing and so was my boss. I was lucky in that I received some good advice on how to handle myself early on and it paid off. That doesn't mean that I lied or hid the truth; I just learned to answer the questions that were asked and not the ones that I thought were asked. I recommend reading this post if you are required to participate in audits. It may well save your tushie. :)

New Poll on Incident Response Plan

I've just posted a new poll about company Incident Response Plans. This is an area that is often overlooked and under planned. Many companies don't even realize that there is a need for an IR plan and have no real idea what they would do if an incident occurred. In this day of legal and compliance issues having a plan is no longer just a good idea. The lack of one could cost your company lots more than the cost of clean up. You need to have a plan of attack for a variety of different incidents. The way you would handle a virus outbreak is different from how you would handle a server compromise that exposed financial or customer data.

If you don't know where your company stands in regards to an IR Plan don't just take it for granted that they have one. Ask your boss and if there isn't one inform them of the necessity and importance of one. Be prepared to either volunteer to help or be volunteered. :) Do your homework and you may come out smelling like a rose.

Here is the question and the possible answers to choose from. You can find the poll itself here.

When it comes to Incident Response does Your Company

A. Have a formal and tested plan
B. Have a plan that hasn't been tested
C. Have a general idea what they will do
D. Not have a plan

Friday, November 16, 2007

Ethics Poll Results

The polls have closed on the Are You Ethical Poll. Pretty good turnout for the first poll in a few weeks. Here's how it breaks down.

When it comes to company policy do you:

A. Follow all the rules: 5 (11%)
B. Have work arounds that are necessary and approved: 26 (61%)
C. Break the rules how ever I can: 2 (4%)
D. We have Security Policies?: 9 (21%)

It turned out about like I thought it would. What surprised me the most (although I'm not sure why) was the number of you who answered D. We have Security Policies? This shows that lots of companies do a poor job of communicating the policies that they do have. Maybe it's because they were created and haven't been seen since. I don't think giving a new hire a book full of documents or a link to an intranet site is a good way to inform them of security policies. But I guess it allows companies to say that they have done their part.

To those of you who answered A. Follow all the rules, I say LIAR!!!! Just kidding. I know that there are those who do and I wish that there were more. It's not an easy thing to do. There are too many things that are easy to get around and really don't cause any harm. They just happen to be against policy. For those who do get around things w/o approval, or even those who do get approval, be careful. Not so much because it can allow bad things to happen (you're a security professional you know better) but because if end users know about it then it can harbor bad attitudes towards IT and we don't need any more of those.

It's good to know that education and hard work have finally paid off

All of us have received many different phishing, scam, and junk emails. I get them ranging from the real SPAM ones to the Nigerian banker's widow and all sorts of them asking for an "updated" version of my resume along with my bank account number so they can deposit my paycheck. Today I think I got the one that may well top the list as my all time favorite. I'm including the body of the email so you can read it.

My favorite part is the highlighted sentence. It's good to know that all my IT and security training has paid off and that they think so highly of my resume.


Dear applicant,
Having carefully investigated your resume we would like to employ you to work with our company as an administrative assistant. Monthly salary of $2000 is guaranteed for 10-15 hours of work per week. Our company was established in 2003 in Birmingham, Great Britain, and we have a number of branches in Eastern Europe and the United States. Our main trading specializations involve products sale and resale, as well as auction drop off.
Our task is to guarantee effective cooperation between sellers and managers, which ensures beneficial sales. Our operation involves maintenance of auction services, which allow anyone to sell unnecessary goods, using the services of professional sellers.
Why selling on an auction?
Using auctions is very convenient, because it allows people to sell their goods at the optimal price. We provide comprehensive support, examination of the item, and stressing attention on its positive features, as well as making professional pictures of the goods. After that, we fill in the listing form and post the information about the item in the necessary auction category. We also try to determine the best time for the start of the auction. We notify the clients about the start and end of the auction. In the course of the auction we advice buyers, receive payments and return change when necessary. Our other duty is to pack the item and deliver it to the buyer, along with some other things that are necessary for a perfect sale.
Who sells the items?
Our clients can reside anywhere. In anyplace of our world. These people are professionals with a great experience of 98% of successful deals. The majority of them are qualified to work on Ebay, Qxl, and Amazon online auctions.
Where are the items dropped off?
The items are sold on the different online auctions as Ebay US, Amazon Auctions, Big Deals, Ebay, QXL(UK Auctions), etc.
What items are usually sold?
The most popular selling categories are watches, silver and golden wares, collectibles, electronic appliances.
What are my duties as an administrative assistant?
Administrative assistants are mediators between sellers and buyers. This job is vital, in case if a person, living in {Moscow, Saint-Petersburg, Kiev}, want to sell his/her goods to Australia. Our assistant can make this operation possible. Administrative assistants are responsible for collecting and keeping all sales records in his/her region, and should also receive payments from clients. The assistant's duty is to draw up daily, weekly and monthly statements and keep record of incoming and outgoing mail to representatives of the management and sales department.
Will I be directly involved in sales? How will I find out that a deal has been made?
You do not need to sell or buy anything. Your task is to accept payments in your sales area and send all the relevant mail to the administration. If a buyer is not satisfied with the item, there is no refund. The only way is to exchange the item. In this case the seller and the buyer will settle this matter on their own. After the transaction is complete, you will be sent an e-mail with the purchase data, including the price of the item sold and its buyer's name.
What bonuses will I have as an employee of your company?
All the workers have a right for two-week paid vacations twice a year. After first three months an employee may take up his/her first vacation. We also offer {great,huge} discounts for our employees. They are listed in a catalog, which will be sent to you. Moreover, after receiving an invoice (at the end of each month) - we will pay all your taxes, reported in your tax returns.
How much should I invest to start working with you? How will I receive my pay?
No expenses initial payments are needed. All money, that may be invested by you will be returned by the company. Your monthly salary can reach up to $1,800-2,300. You will receive a 5-percent commission from each deal managed by you. A minimum salary is $2,200. If your salary does not amount in this sum - you will receive the amount of the shortfall by check or bank transfer.
For details, e-mail us at: xxxx@xxxx.com

Best Regards,
Leslie Nolan.

So I guess once I accept this I'll stop blogging. Hey! Wipe that grin off your face. I'm not gonna stop. :)

Dilbert's CIA Triad

Here is a great Dilbert comic about the conflict between security and usability. Hopefully not too many companies go quite this far.

Thursday, November 15, 2007

ISC2 Board of Directors Election

For all of you who are voting-eligible members of ISC2, tomorrow morning at 8:00 am the polls open. See the included email for information. I encourage all of you to check out the candidates, find out who they are and what they stand for, and vote for the ones that you feel are most qualified and will add the most value to the group.


Dear Members,

It's election time again. Let your voice be heard!

Voting for the (ISC)2 2007 board of directors election starts at 8:00 a.m. EST on Friday, 16 November 2007. Only members in good standing as of 19 July 2007 are eligible to cast their vote. Don't miss your chance to impact the direction of (ISC)2! On 16 November, you will be able to log on to the member Website at http://members.isc2.org and register your vote. We'll provide voting instructions next week. Voting will close promptly at 5:00 p.m. EST on Friday, 30 November 2007.

Because we are undergoing some changes to the Website, please log on to the member Website, well in advance of the election, to ensure your logon works. Should you encounter any issues or have any questions, please contact us at registrar@isc2.org.

For general information about the election ballot, please visit https://www.isc2.org/cgi-bin/content.cgi?page=1325.

As always, we strive to ensure a fair and convenient voting process. Should you have any questions about the election or any of the candidates, please feel free to send an email to boardelections@isc2.org.

Thank you for your support!

Sincerely,

Dorsey Morrow, CISSP
Corporate Secretary
(ISC)2

My Lunch with Farnum


As Michael said in his post last night, he and I met up for lunch yesterday as he was passing through town. Rothman was supposed to be there but apparently he didn't have his head on straight and was unable to make it in person, but he showed up in spirit. Thus the picture of him and Farnum. What Farnum didn't know was that I had a "secret picture" taken that got all 3 of us. Now Farnum had just driven from the Atlanta Airport to my office in Buckhead so he was a little steamed, as we know driving can make him. My "special" camera caught a different view of him. I sure hope the rest of his drive to SC was better so he didn't scare the people he was going to see.

100% of People Read My Blog

I did a little research the other day and asked 10 people that I know if they read my blog. All of them said that they did, so therefore I can assume that 100% of people read my blog. At least that's true if I follow the premise of the Times Online. They took a study by Sophos that said that half of the respondents of a survey said that they had piggybacked off of someone's open WiFi connection. They then translated that to say that 1/2 of computer users steal WiFi. Makes sense, doesn't it?

Along those same lines there is the guy who did port scans of 1,000,000 IP addresses and discovered that 210 of them had unprotected databases exposed to the web. He then decided that that means that there are 500,000 unprotected databases on the Internet. Now I understand statistics and such, but I think these are a little far-fetched. Your sample has to have rhyme and reason to it and I don't see that in either of these cases.

What statistic I do see that isn't pretty is Montana State University having 3 data breach disclosures in ONE day. That has to hurt. At least the number of exposed records is small (272), unless you are one of the 272; then it becomes a much larger number. What got me about this is this comment:

According to university spokeswoman Cathy Conover, the data on the USB storage device was not encrypted. Following the incident, the university has initiated steps to remove all personal information from portable storage devices to mitigate the risk of something similar happening again, she said.
Once again we see organizations reacting instead of being proactive. In today's world this needs to be something that is already in place or at least being actively pursued. It should not be an afterthought.

Wednesday, November 14, 2007

CSI 2007 Update

You may remember that a few weeks back the folks that run the CSI 2007 conference were kind enough to offer me and 2 readers free admission to the conference. Unfortunately I was not able to attend but was able to give the 2 free passes away to readers. I asked them to send me a short synopsis of the event so I could post it for those who are interested in reading it.

The 2 winners were Sajeev Nair and Patrick Harrison. Sajeev attended and has included his report below. Patrick's registration apparently got messed up and when he got there they said "I know thee not, depart" So he went to work. Luckily he lives and works in Arlington, VA where the conference was held.

Here is Sajeev's report.

The conference was really good with great sessions and exhibitions. There were lots of opportunities for networking with peers and that is one of the primary reasons I chose to attend such events. It is always good to know how others are doing and compare them with your practice, and I think that is the best education you can get. The sessions covered pretty much all areas of Information Security, but the ones I liked the most were on developing security metrics; it is one of the hot areas in Information Security and it was really informative. I also liked the session on "choosing Information Security as a career" where the speaker talked about different areas in Information Security and how to grow within this field. Information Security is becoming more and more of a business issue and one needs to have the business skills to survive in this industry, and this was one of the main differences I noticed in the CSI conference (from other security events): they not only had sessions on the technical areas of Information Security but also on the business areas like risk management, metrics, compliance etc. On the product front, I really liked the product from Gigamon.

Again, thanks for letting me attend the event and hope to meet at some other events.

Sajeev

I've Been Profiled

My blogging buddy Kai Roer, who has profiled lots of security bloggers, has now chosen me as his target. You can find the profile on his blog here.

PLEASE excuse the really bad picture of me. I didn't have anything so I took it myself w/ my camera phone and sent it to him. I didn't realize just how bad it was until I saw it this morning on his blog.

Saturday, November 10, 2007

Knowing What You Are Protecting

Our job is to protect stuff. What exactly is that stuff? Networks, data, systems, web sites, physical equipment and locations, etc. As information security professionals what we protect often depends on what our jobs are. Some of us are responsible for protecting everything and some are responsible for specific areas. So what we protect can and does vary, and therefore so does how we protect it.

What I'm wondering is, even within your specific area, do you really know what you are protecting? I guess this question really is directed more towards those who are tasked with protecting data. What I'm talking about is the data stored on your systems. Do you protect everything? Do you protect everything equally? Do you even know where all the data is that needs protecting? Is it all stored nicely on network drives and in databases? Oh, if that were the case. If only it were that simple and easy.

Unfortunately, even though the data may very well be in those places, the question is "Where else is it?" Is it on desktop and laptop hard drives? What about USB sticks, iPods, CDs, employees' home computers? Did it get emailed, printed and removed from the building, ftp'd off site?

OK, let's not go there for this post. Let's keep it simple. Let's assume that you have DLP or some other solution in place that has eliminated all of the above. Do you still know where your data is? Do you still know what really needs to be protected? All data does not have the same value to the company, and therefore unless you have a very simplistic network, protecting everything equally is not easy or necessary. Obviously you want to protect your entire network, but you want to protect financial data, PII, and information of a sensitive nature more than you want to protect Andy's iTunes library backup.

So again I ask, do you know where all of the data is? You do? Great! One more question. Do you know what it is that needs to be protected? Has management determined what really is important and what really needs an extra measure of protection? Rebecca reminds us that if we (the organization and management) haven't identified what is considered to be PII then there can't be an expectation of protection.

If you, as the company security professional, don't know the answers to these questions then you need to get answers quickly. You need to meet with your manager, department managers, the CIO, or who ever it takes because you can't adequately do your job if you don't have all the information. Being tasked with "just protect everything" isn't good enough. You have limited resources and time so you need to be able to make wise decisions on where to invest them.

Friday, November 09, 2007

The Polls are Open!!!

I've decided to start my information security polls again. This one relates back to my last post on ethics and the information security professional.

When it comes to company security policies do you:
A. Follow all the rules
B. Have work arounds that are necessary and approved
C. Break the rules how ever I can
D. We have Security Policies?

I have no way of tracking who you are so you can answer honestly and truthfully (of course if you don't then are you really ethical?) :) Something to think about.

Are you ethical?

I ran across an interesting post this morning regarding ethics and information security. Most of us can remember the surveys that have come out in the last year or so that talk about how many IT and IS professionals actually act in an unethical way. I've blogged about it as well as many others. It's sad and both surprising and unsurprising at the same time. It's surprising because you expect people in positions of trust to do the right thing and unsurprising because everyone has their own idea of trust and what is right.

The Intel blog post linked above has 4 hypothetical questions about ethics and what you would do in areas that are often considered gray. Take a look at them and be honest with your answers.

I'd also challenge you to think about other things that you do that many don't think about as possibly being unethical. What do you do on the internet that is against company policy? Do you allow yourself access to internet based resources that the rest of the company is blocked from? What does company policy say about that? If it allows it because of the nature of your job then it's one thing. It's another if you have punched a hole for yourself that isn't "approved" by policy and management.

Things such as this are what either give us credibility or take it away. In my last job the company DBA bought me a tee shirt that said "I read your email". (That's read as in present and future tense, not past tense.) It's a funny tee shirt that got me lots of laughs, but it wouldn't be funny if I actually did read everyone else's email. Yet lots of email admins and security guys do that very thing. They want to keep up on what management is talking about and the latest gossip or love affair in the office. Even though things such as that are blatantly and obviously unethical acts, they aren't the only ways. Ethics has to be at the core of who we are and what we do if we really want to succeed in life and in our careers.

I'm reading a great book on that very subject right now. It's called "High Performance Ethics" by Wes Cantrell. He was the CEO of Lanier Office Products for several years and he led Lanier in modeling High Performance Ethics in how they conducted business. I highly recommend reading it. It's also kind of cool because Wes and his wife teach the Sunday School class that we go to at church.

Thursday, November 08, 2007

Why become an Information Security Professional? (part 3)

So far in part 1 and part 2 I've talked a little about the whys and why nots of becoming an information security professional. Now I'm going to talk a little about what to do once you have decided to make the move into information security. This is the same basic advice that I give when I get an email from someone asking for it. Obviously, if I know more specifics it's easier to give more specific advice, imagine that. :)

The first thing I would recommend is that you learn the basics of security in general. Why do we need it, and what is its purpose? How does it work? Learn the basics of TCP/IP, since it is the heart of most networks. Learn the basics of networking and web services. When you have these things down you have a pretty good foundation to build on. No matter what area of security you choose to go into, these will help you. They are the core of almost every business.

Next, try to figure out where your talents are. Are you good at coding, routing, servers, Windows, Unix/Linux, strategy, what? What are you passionate about when it comes to security? This is the area where you will most likely find the most success and satisfaction. Do your research on the various disciplines. Talk to others who are in security. Read blogs, books, etc. that cover security and its various disciplines.

Lots of times people ask if their current job is a good learning ground. I say yes! It doesn't matter what your job is. Learn how security affects it and how security can be used to improve and protect it. Anything you learn can be applied to various disciplines. Don't get too narrow-minded and focus only on the technology side. Learn about physical security also. It helps train your mind to think outside of your little corner of security.

Once you have made a decision to focus on a specific area, practice all you can. Set up a home network using VMware and free security tools. If you have access to spare systems, use them. Check out online resources that will allow you to practice your skills. There are sites (some free, but most are pay) that will give you access to routers, firewalls, servers, etc. You can hammer away on them and also practice securing them. Again, read books specific to that field and talk to others who are in it. Join online communities (my favorite is the Security Catalysts Community) where you can interact with and ask questions of others. Also take advantage of any training you can, and of local security-focused organizations like InfraGard, ISSA, ISACA, etc.

That should get you on your way. Good Luck!

The list of lists

Update: Please forgive the really bad title. I was taking this in a different direction and then decided to change and forgot to rename before posting. Oh well....

Lots has been going on lately. Things at work are still busy but I've been able to take some time and attend several good vendor presentations and the Atlanta InfraGard meeting. In the past week alone I've attended a WhiteHat luncheon where I got to meet my fellow Security Catalyst Bill Pennington. I went to the local InfraGard meeting, attended a Cisco Security Presentation and later today I'm going to a physical security event put on by Stanley (yep the tool guys).

It's actually been a pretty good use of my time, even though it's also been a lot of my time. Of course, in addition to the information you get from listening to the talks, the networking is always good. I've met lots of people who are either implementing something that I'm considering or who have experience in something that I am working on. For example, I met a lady who has gone through a very similar experience to my current work situation and turned her organization's security program into one that is looked at as a leader in her industry. Of course her industry and mine are miles apart, but her experiences and insight will be an asset to me as I continue to evolve our security program.

On a completely non-security note, I did have a bit of good fortune at the Cisco event yesterday. They were giving away a door prize (as almost always happens) but it wasn't the typical iPod or USB key. They were giving away a Roboraptor remote control dinosaur. My name was drawn and I won! What a cool toy! I haven't played with it yet but I did do a little research on it and WOW! If this thing is as fun as it looks...... Of course I have decided that instead of keeping it for myself I'm going to give it to my nephew for Christmas. Although my daughters really like it, I think they may change their minds once it's out of the box and my nephew chases them around the room with it. :)

There are some pretty exciting things going on at work that also have me pumped. Management has decided to get behind security, and I think that some of the ideas and plans I have will have a very good chance of being implemented over the next year. That always brings a smile to my face. Also, some pretty big changes were made that have solidified the network infrastructure team. That will be key to many projects we have on tap, all of which I get to get my hands on in one way or another.

One last thing: I found a new blog today thanks to Andrew Hay. It looks pretty interesting and I wanted to pass it on to y'all. It's part of the MSDN blog lineup. What caught my eye was the series on web app security. Imagine being concerned about that. :)

Oh yeah, a couple more "one last things". I had an opportunity to talk with both Andrew Hay and Rebecca Herold recently about some things that are going on in the Security Catalysts Community and I wanted to say that talking to them really pumped me up. I love talking to people who are passionate about what they do, especially when Security is what they do. While I'm speaking of passion and security I can't help but think about my friend Michael Santarcangello. While he has been very busy with his company and quiet on the blog front lately he has put out some good stuff in the last few days. I'd encourage you to check out his latest podcast and blog post on email privacy. You can find both of them here.

Monday, November 05, 2007

Why become an IT Security Professional? Part 1

I get a fair number of requests from people asking me for advice on how to get into security, or career guidance on how best to move into a specific area of security. Since these questions often come from readers, I decided to do a couple of posts on this topic. I'm going to try to cover it from a few different perspectives: the "why to", the "why not to" and some of the "how to". I hope you find them informative and useful. And as always, if you see something that I'm totally missing the boat on, just let me know. :)

It seems that lots of people want to become information security professionals. I guess they consider it to be the "holy grail" of IT. The problem is that it isn't. It's a great field to be in if you have the skills and passion but it's not the ultimate place to be.

I think that lots of people believe that if they break into security they are on their way to financial nirvana. That too is a myth. Don't get me wrong, there are those in security who do quite well for themselves. Yet they are kind of like the people on the exercise infomercials. They start off 40 lbs overweight and after 8 weeks of this "miracle exercise" they have lost all the weight, their abs are well defined and all the world wants to be like them. What they don't show you is that this person worked 50 times harder than everyone else and was committed to it. They also don't show you the other 100 people who only lost 5 pounds and went back to their old lazy ways right after the trial period was over.

That's the way IT security can be. There are the few rock stars, those who are really good and who have a passion for what they do. They work hard, they learn all they can and they succeed. They make a name for themselves and make good money. A few make really good money. The rest, well, they spend their days doing what they like doing. They protect networks and data. They look for vulnerabilities and shut them down. They scour code looking for ways to make it safer and they develop tools that make the rest of us look good. They also make just enough to keep them going. They pay their bills and maybe have some to put away, but they are not getting rich by any means.

So, reason number one to NOT become an IT Security Professional, MONEY!! If you are doing it for the money you are doing it for the wrong reasons. Chances are you won't make nearly what you think you will make.

Why become an IT Security Professional? Part 2

Yesterday we talked a little about why you should NOT become an Information Security Professional. It was only one of the reasons not to, but it's one reason I hear people list as to why they do go into information security. Other reasons not to are things like: it's a glamorous job, or it's the hot thing right now and you are likely to land a job quickly. Ask someone who spends their days monitoring IPS or firewall logs just how glamorous it is. :) Also, don't do it just because it's something in technology and you like technology. If that's the case, find out exactly what it is about technology that you like and do that.

So why should you consider becoming an IT Security Professional? Do it because you really can't see yourself doing anything else. Do it because you can't not do it. Do you have a passion to secure technology? Then, by all means, become an information security professional. Do it because you have a passion for it and because you are good at it. Passion is necessary (in my humble opinion) but by itself it won't do the job. It's like most any profession: you may have a passion for it but not be any good at it. So make sure you are good at what you do. Your niche may be network security, systems security, application security, database security or web security. It may be compliance and policy. Maybe it's white hat hacking. Whatever it is, that is what you need to focus on. If you are good at it and have a passion for it, then chances are you will be successful at it and you probably will make good money doing it. While you're at it, learn what you can about the other disciplines within IS so you will be well rounded.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.