 |
| Recent Articles |
Protecting Systems From "Malware As A Service"
Interesting new research was released today on Malware as a Service, with credentials stolen, and researchers cracking malware. Security Company Finjan reports the first indication that the theft of FTP credentials was caused by hackers installing code at the...
Surviving The Death Of Corporate IT Departments
If you have never heard of Nicholas Carr, make it a point today to go visit his blog, and go to Amazon to purchase his books. His thoughts on the death of the IT department have serious ramifications for...
If JBoss Developer Studio Support Is Extra, What's...
By now you may have read my views on OSS 1 & 2. Here's something you may find interesting. Red Hat released JBoss Developer Studio in early December 2007. InfoWorld reported: "While JBoss Developer...
Problems That Lend Themselves To EDM
I was talking with Neil Raden and Tom Davenport today on the subject of decisions - what are the various kinds of decisions and how do companies make them and think about making them. Afterwards I was reminded on something Rob Meredith posted - IT Archaeology...
From The SOA Consortium - IT Needs SOA Skills
I am attending the SOA Consortium meeting that is co-located with the OMG in Burlingame this week. The SOA Consortium was founded in 2007 and has grown from 11 to 81 members already. They do podcasts...
Virtualizing Data To Close The Gap Between IT And...
The Issue: Business units are making decisions outside of IT in regards to Information Access applications and tools - and then expecting IT to quickly provision and support those applications. Information Access...
Open Source TCO: Looking At The COSPA Frameworks
The EC funded COSPA project recently mentioned, defined frameworks to identify possible returns or losses of a transition to Open Data Standards or Open Source software. The Workpackage 3 derived two frameworks.
|
 |
| 03.05.08
Security Engineers Giving Tricks Away
 By Dan Morrill
Should security engineers and people working in security be giving our tricks away so that anyone can find them on line and use them? This is a good ethical debate for security professionals to be having. There are a number of reasons why I think that security engineers should be openly talking about hackers, hacking, protecting your company.
The ISC Code of ethics (and even though I am not a CISSP, it is a good general ethical standard that people can live with) states:
Identifying, mentoring, and sponsoring candidates for the profession (ISC2)
The idea that by blogging we can find and mentor people who will make excellent security engineers is a given. I have hired 2 people who have reached out through this blog, developed a personal relationship with, and went through an extended interview basically by tossing issues back and forth. If I did not discuss things openly on this blog, I would have missed those two hires. These have been the best hires I have ever made, by the time they got to the job, I already knew them, knew what they could do, and have just the right personality and desire to learn as I could ever want.
I also want to hire two other people who are regular's to the blog, but they don't want to work in information security. I cannot convince them that a job in information security can be rewarding, fun, and cool. They have already run into security engineers who have given them the proverbial "bad attitude" when it comes to infosec. They are lost to the industry, which is a loss over all, good talent should not be turned off by the people in the industry.
Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession. (ISC2)
This one is trickier; there are people with the CISSP who are a discredit to their profession. There are people without the CISSP who are equally disreputable. I know this will cause a knee jerk reaction that I am wrong, all CISSP's are great, but there have been far too many conversations about paper CISSP's, and too many interviews with people who had the CISSP who would make great auditors, but bad security engineers.
The idea of best qualified is subjective, the best qualified is usually the kid or adult with a burning desire to learn, to grow, and to understand everything. The best qualified candidate is usually the person with the lifelong desire to learn. The best candidate is one who is continually hanging out with bugtrac, full disclosure, and can tell me the internet threat level today. The worst candidate is the anti-social can't think outside the box wants to have a faraday cage to test wireless functionality, whose primary vocabulary consists of "no".
This usually means that I am not hiring the "grizzled veteran" of the information security war. It means that I tend to hire young or young thinking, brash, intelligent, puzzle solving people who are willing to and can successfully think outside not just the box, but the playing field as well. The bad guys are trying to hire the same people, and succeeding. This is one of the reasons that we are seeing a sharp break in information security into two roles.
These two roles are the "Crime Fighting Role" and the "Corporate Audit and Compliance" role, with a touch of "application hacking/network hacking" in both roles. This is what makes it all the more interesting, because everyone needs someone who can function in both roles, but the verticals, knowledge and needs are distinctly separate from each other.
Should we spill the beans? Yes, yes we should because if we professionals do not do it, openly, and willingly discuss methods that are already out there, the next generation of hackers will get it somewhere else. The more we ivory tower our industry, the harder we make it for people to get in and do something wonderful. The more we cloister ourselves, the more we come off as arrogant and unapproachable.
The bad guys are talking, the bad guys are running hacking boards, and doing the same thing that I am doing, with better results. The bad guys carefully screen the potential candidates, give them things to do to prove their worth, and eventually move them up higher in the organization, more money, more exciting things to do, some travel, low odds of getting caught.
We cannot even come close to matching the excitement of the hacking underground, but we can educate, inform, and discuss openly issues that influence the industry. We should be talking about hacks that are common even though they have been out there for years. The same issues we were dealing with unauthorized access to databases in the 1980's we are still talking about 30 years later. The method has changed, but the results remain the same.
If we can't get this right, we will have a hard time recruiting, maintaining, and creating the next generation of security engineers.
Comments
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community. | |
!
0 comments:
Post a Comment