Tuesday, December 15, 2009

Getting Management to Understand the Principels of Information Security

I teach information security classes at the college level and one of the things that always comes up is the need to get management to understand the necessity and value of information security. At a root level, it is vitally important for management to understand the core principle - that information is an asset and needs to be protected as such.

I am convinced that many leaders have not really understood this principle. They often do more to protect the office furniture in their organization than the do the social security numbers of employees! While some may do this intentionally, I think most do it out of ignorance, since they don't really realize how valuable some information is.

While the cost of protecting that can get high, many simple things are completely "free." That would include not using SSNs (or the last 4 digits of an SSN) as a default password or reset code for an internal system, especially if it will be stored somewhere in plaintext.

I am on a quest to educate management in this, though I have to figure out how to get through to them. That is the $64,000 question, as they used to say (based on the old game show). How can you get an audience with them and then make them see the importance of the basics of securing information using terms and phrasing they can relate to and that is compelling.

Hopefully I can work more of that in my future efforts.


Tuesday, October 13, 2009

Which is Easier?

I am way behind on my security podcast listening and I just listened to an OWASP podcast that discussed Gunnar Peterson's post recommending the book Enterprise Application Architecture by Martin Fowler. A former manager who is now an enterprise architect thought it was a good book, but it was interesting to see it recommended by a security professional.

This raised the thought in my mind about whether it was easier for a developer to learn security or a security professional to learn development. I am definitely biased (since I come from a strong development background), but I think training a developer is easier. I have taught so many programming classes where people struggled with simple loops and conditional structures that I am convinced it takes a mindset to understand development.

I do have a hard time understanding how people can't understand it, since I took right too it, but I know not everyone finds it as straightforward as I did. It is like the struggles I had with chemistry lab in college. I did well, but I never could get the results within the "A" range (though I could ace the tests) no matter how much effort I put into it. Physical chemistry is not my strength. In the same way, some people struggle with understanding key programming concepts.

I did have some experience with system administration; including work on Mac, Windows and Unix, though I never worked as a sysadmin. Putting in your own ISDN line did take some technical chops, since it required so much manual configuration at the time, so perhaps I am not the "pure developer" I think.

Interesting question, though we probably need to focus on training developers on security regardless, since a lot more developers are out there. We don't have enough security people to go around to get really strong application security, if we can ever reach that goal as a society.


Friday, September 25, 2009

Independent Security Researcher

At the end of August I took a generous buyout package from my employer and I am now an independent security researcher, whatever that means. I am planning on focusing on development security, since that fits really well with my background, but I am also quite interested in compliance issues and I believe my PCI experience is worth using in the marketplace today.

I am not looking for anything specific now, enjoying a slightly longer break than I have had in some time, but I am now starting to dig into things. I plan on doing some work with OWASP in some manner, but let me know if you have an ideal opportunity.

I would love to get my PhD now, so also let me know if you know of a good place I could craft a unique program, learn some more, contribute and have fun. I am hoping to not relocate from the Dallas area anytime soon, but I am open to travel as needed.


CISM Passed

I took this test in June and I was not at all sure I passed. The questions are much less clear cut than I prefer, carrying a lot of thought underneath what is written. At least that is my opinion.

My CISM test reminded me of a Probability and Statistics test I took in college. I had gotten A grades in math through Differential Equations prior to that, so math was not the problem (for me). I was just having a harder time wrapping my mind around the concepts in the class, which went beyond basic "rolls of the die" probability. I came out of a 4 question test knowing I missed 2 questions and feeling I had only partially passed 1. I figured I failed my first math test. I ended up getting a B on the test, likely because everyone else struggled.

That is what my CISM felt like. I passed, even though it didn't feel like I would at the time. Lots of people knew I would do well, since passing tests is fairly easy for me, but I suspect it is my hatred of not doing excellently that threw me off. :)

Now I just need to get all the paperwork into them. I was waiting for confirmation of my degree, which I just got in a letter from my college. I will get that out soon and just have to wait for everything to process.


I Passed My GCIA Exam!

It took me much longer than it should have, but the wait was worthwhile! I still want to master the material more, but I scored a 94% on the test!

I am now studying for the G7799 and GSNA, which I got the books for almost 2 years ago. I think they should be up to date enough to pass the test and I want to get that wrapped up. Hopefully I can challenge the GSE-C next year, but that depends on whether it is offered or not. :)


Saturday, June 13, 2009

Took the CISM Today!

I took the CISM today. I almost had a "stupid tax" and would remind everyone to sign up for the CISA/CISM/CGEIT with your name exactly as it is on your government ID. I go by my middle name and that almost bit more for the test. Fortunately, I passed the id check fine.

The test itself is a real pain. I primarily used the computer-based questions they sell. I was doing really well on those prior to the test, but the test has too many that are fairly different that it is dangerous to rely just on those.

In fact, I found many of the questions to be very vague and hard to nail down. My experience with the computer-based questions was that they sometimes leave clarifying words out, making for a fuzzy meaning at times. I learned which questions did this, but several on the real test seemed to repeat this pattern, making this a very frustrating experience.

This makes me uncertain whether I passed or not. I finished it in less than 2 hours, but I was uncertain about enough of them that I am not sure how well I did. I could see just going on either side of the pass and fail line or failing spectacularly based on my trouble with reading their intent with many of the questions.

In addition to the fuzziness, I found that I disagreed with some of the questions in the computer practice. I hope I had their mindset when I was taking the test today, but I am not sure.



Saturday, June 6, 2009

I Helped Someone Earn Their GSEC Certification!

I was very excited to find out recently that one of the students in my SANS SEC 401 class passed the GSEC certification that is tied to the course! While I loved our interaction throughout the course, it is great to know that not only did we all learn something over the course of our time together, someone learned enough to earn a very challenging certification!

I won't announce their name here, but I would say an open congratulations and encourage everyone else to consider that same path. The course material is great by itself, but studying for the certification is a great way to solidify the material and also earn something to prove your knowledge at the same time!


SANS 401 - Security Essentials - Mentored Course in December 2009

While it is not completely official yet, I believe I will be doing another SANS Mentored class covering their Security Essentials material late this 2009 and early 2010. It is great material that covers things anyone working in the information security field should know.

Contact me if you live in the Dallas-Fort Worth area and would be interested in attending this course. Also let me know if you have a group that would be interested in a more custom approach. I would be open to doing a more targeted class once I am back on my own in the fall!

This stuff is fun and I love working with others to master it.


I WIll Be Striking Out On My Own

I probably haven't written enough here for anyone to really care, but I have decided to take a buyout/departure offer from my current employer and it looks like I will be back to working for myself/RBA Communications as of this September. I will be figuring out my exact path along the way, but I expect it will include a lot of work on Secure development and especially secure code review. In fact, I think this is an area I am gong to start really pursuing in depth.

I know I am not the only one in that area, but it fits well with my background in both development and now information security/secure development. It is an areas that really needs solid evangelization, instruction and understanding. Since I really do well at communicating, this should be a good fit!

I will be writing more about this in the coming weeks. I am not sure how much posting I will be doing before September, but I am going to try and build up toward very regular advancement of the subject by that point.

I certainly don't claim to be the only voice in the field, but it looks like one that I can be really good at, so it is my aimpoint for now. :)


Sunday, May 10, 2009

CSSLP for Me!

I don't think I have mentioned it here yet: I qualified for the CSSLP, the new secure development cert from ISC2, the "makers" of the CISSP. (I still need to get going on that. Too many SANS certs have gotten in the way....)

Whether it is worthwhile may be questionable, but I figure it fits a significant part of what I am working on now (secure development) and is worth adding to my list.

Now I finally have to keep track of all the CPEs for ISSA and other such meetings!


Sunday, May 3, 2009

OWASP Source Code Flaws Top 10 Project

I have made my first contribution to OWASP! I tweaked the language for the OWASP Source Code Flaws Top 10 Project last week. I came across this while following the general OWASP Code Review email list and figured I could help make it read better. It feels a bit arrogant to say, "I know how to say it better," but I believe that is the way things work.

I haven't heard anything either way, but I am assuming it is OK. :)

Hopefully this is the start of a good trend!


A Security Career

I have been thinking more about the future career options I have. I don't want to move now, but I want to make sure I am ready for whatever I do want to go in the future. It is a common problem in any field: Once you get near the top you have a harder time advancing further.

Some career paths are obvious. If you want to go into a specific operation security area, like network security or related things, you should probably focus on enhancing the skills that help you be better at whatever you are doing.

Unfortunately, I didn't come to security from the sysadmin route. I had over 20 years of software development (and general analysis) before I started full time in information security. This may be placing me really well for working in the growing area of application security, but even that has a lot of possible different focus areas.

I am also very interested in risk, compliance, policy and security awareness. While these all could relate to development security, they are not necessarily tied to that. Figuring out the route is my challenge now. I want to know everything, but I can only learn so many things.

This is not as refined as I would like, but I wanted to put out some thoughts to build on later. I plan on writing about this more and I have thought of working in this area with either the local ISSA chapter or OWASP.


Saturday, April 11, 2009

The Value of Certifications

If you want some entertaining, look at the arguments against certifications in the information security field. I can completely understand someone not wanting to pursue a certification, but the open hostility they generate, including the classic information security certification, the CISSP. People belligerent in many cases against those who achieve them as well.

The arguments usually boil down to whether you would hire someone who has experience or someone with a certification. While this might be a valid question, it is a very incomplete one. It leaves out those with both, as well as avoiding any serious discussion of those with different strengths in each.

I am an interesting example of this. I have been in software development for over 20 years, though I only came into information security full time 3 years ago. I knew many of the core principles and topics, but I did not have a comprehensive foundation. Studying for the SANS/GIAC certifications I have achieved so far (GSEC, GCFW, GCIH, GPCI) has helped me not only get good training, but reinforce the principles in the training.

Do the certifications prove anything by themselves? Of course not, but they were quite useful and showed that I did master the material to at least some extent. They don't prove I would be an expert on everything, but they show that I do know at least a few things.

While I am usually quite confident in my own skills and abilities, I am not dumb enough to think I know everything. I try to let my actions prove my knowledge and abilities, rather than relying on something "on paper" to do that.

I am quite proud of having gotten a Computer Science degree from Illinois and I have used that in interviews, but even that is just an outward item that must be backed up by my own performance.

I will write more later, but I thought this was worth noting.