“Paid to be paranoid”

Read the first four paragraphs of this:


Forget the rest, forget that it's about ‘creative writing’, just answer that question.

Bruce Schneier, among others (myself included), has asked questions like that. Are you ‘paranoid’ enough to be in the security business?

Robert Slade

One of my colleagues, Rob Slade (yes, *that* Rob Slade), when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about “The CISSP Experience”.
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a “Bah Humbug!” feeling when the class is really a company stuffing its IT department through the course and exam “for the numbers”. Rob has some cynical comments to add, but don’t forget that for him it’s a day’s work and a day’s pay.

I’m also hit on for a variety of reasons by kids (even postgraduates) who “want to break into” — yes, those are the words they use, ironic isn’t it? — the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that it's experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is a badge that gets you work. Not so. Mind you, locally the recruiters can't seem to tell what makes InfoSec different from IT. But that’s a subject for another time.

And hence the opening lines to Holly’s blog.
No, Holly, you’re not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the ‘attack surface’?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the ‘recovery mode’ (aka: line of retreat)?

If you can’t do this, then you shouldn’t be in “Security”.

Learning to Counter Threats – Skills or Ethics?

Fellow CISSP Cragin Shelton made this very pertinent observation and gave me permission to quote him.

The long thread about the appropriateness of learning how to lie (con, ‘social engineer’, etc.) by practising lying (conning, ‘social engineering’, etc.) is logically identical to innumerable arguments about whether “good guys” (e.g. cops and security folk) should teach, learn, and practice

  • writing viruses,
  • picking locks,
  • penetrating firewall-protected networks,
  • cracking safes,
  • initiating and exploiting buffer overflows, or
  • engaging in any other practice that is useful to and used by the bad guys.

We can’t build defenses unless we fully understand the offenses. University professors teaching how to write viruses have had to explain this problem over and over.

Declaring that learning such techniques is a priori a breach of ethics is short-sighted. This discussion should not be about whether white hats should learn by doing. It should be about how to design and carry out responsible learning experiences and exercises. It should be about developing and promoting the culture of responsible, ethical practice. We need to know why, when, how, and who should learn these skills.

We must not pretend that preventing our white hatted, good guy, ethical, patriotic, well-intentioned protégés from learning these skills will somehow ensure that the unethical, immoral, low breed, teen-vandal, criminal, terrorist crowds will eschew such knowledge.

I have grave reservations about teaching such subjects.

Throwing in the towel

I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work:

After two years of dealing with such nonsense, I was forced to resign within two months of discovering a serious security issue which possibly jeopardized overseas operations. I have since found out that they are selling the company and didn’t want any who knew the problems around.

Thank you.
Speaking as an auditor who occasionally does “due diligence” with respect to take-overs, you’ve just shown another use for LinkedIn – contacting ex-employees to find out about such problems.

Certainly a lot of employees leaving or being fired in the couple of years before the pending acquisition is a red flag, eh?

Does the Certified Ethical Hacker add value to a CISSP

A young colleague asked about the value of the CEH certification. Would it “Add Value” to his existing CISSP? The syllabus looked interesting to him and he wondered how prospective employers would view this.

This was my reply:

There are TEN domains to the CISSP’s CBK. People come to security from many walks of life and fields of endeavour, and information security has many facets beyond protecting networks and hosts from malicious attack.

There have been times in my career when the work covered by the CEH would have been relevant, but back then neither the CEH nor the CISSP existed. But even back then I realized that the real problem was not the networks or the hosts or the system administrators.

Each decision you make, each certification and specialization you focus on, leads you down a career path. I’ve often criticised “reactive mode” security. The same I’d apply to your career. Is this a proactive move? Is there a career plan here? Where do you see yourself in five or ten years? How long do you expect to be doing Pen Testing?

Many of us took the CISSP not as a learning exercise but to validate our already existing skills and experience. You can read in the archives tales of people at the seminars that pre-dated “boot camps” who wrote the books that the exam questions were based on. I mention this because of the way you have worded your question. Are you interested in the CEH as a validation of your experience, or do you expect the course to teach you Pen Testing? If the latter, then I’d think again.

But ultimately it boils down to the issue of your career. Many of the older members of this forum, and older CISSPs in general, have very diverse backgrounds. There is an old joke about a PhD being a ‘delta function’: you know more and more about less and less. Many career moves are like that. I mention this because I, and others, feel there is a point in a career where it is the width of experience, the 20-20 peripheral vision, the understanding of context, the ability to avoid Errors of the Third Kind, that employers value.

Yes, it depends on your age – which you didn’t mention – and other factors. Context is, as I keep saying, everything.

Maybe one day I’ll go back and finish my degree in Social Anthropology. All in all I feel understanding people and the social dynamics of organizations is more relevant to communicating and effecting the changes needed to bring about good security practices. But that’s me, my context and my career objectives.

You need to make it clear what yours are before you can say whether a CEH – or any other certification for that matter – is relevant to you.

As Robert Heinlein said:

A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.


A sign of the times

It seems that many people in HR don’t realise that the interview is a two-way street. Not only are they trying to find out if the candidate is suitable, but the candidate wants to know about the position, the firm, the job and the people he will be working with. The most successful interviews are when both parties realise this and work accordingly.

Thirty plus years ago the company I worked for out of university assumed that the hires were there for their career. As such they invested in them. Training for middle management and beyond began quite early.

One of the first things we got was interviewing skills, that is, DOING the interviewing. You might wonder why this was so early on. I was told that part of interviewing was determining if the candidate would fit in with the team. (How different from the attitude where hiring ‘gurus’ and ‘whiz-kids’ for their individual excellence is the only criterion.) Hence the candidate needed to meet the team, and so the team had to understand how to interview.

But today? How many companies invest in training in that strategic manner?
The last couple of decades have been ones where job-hopping is the norm, so why should a company invest in training someone who will shortly be gone? Most people look to their own training, hence the rise of the training companies.

Hence also the rise of evaluating applications by their training record, and in some cultures the attitude that training is a ticket and a certification is a ticket to a job. Many of us have seen on other forums people posting

“I want to get into security – which should I take first,

It's really hard, I’ve found, to convince people with this cultural background and set of assumptions that it's experience that counts.

I wonder if the same applies to HH/HR/screeners?

I ask because I’m one of those people who isn’t good at classroom learning. I’m better off taking things apart and experimenting. In the classroom I’m a pest; I ask questions as my mind races ahead and goes “off on irrelevant tangents” – which amount to next week's lesson! You’re never going to see a long list of courses taken and certifications earned on any of my resumes.

I’m off doing the “I wonder what if ..”. I think in terms of ‘ability’ rather than skills with specific pieces of equipment and software. I’m more like the guy in Asimov’s short story “Profession”.

Well, it takes all sorts.




It's one of those bootstrap problems – the new CISSPs who need to read the information can’t get at the FAQ on how to sign up for the CISSPForum because they need to be members of the forum in order to read the instructions.

Yes, I know the information is at the (ISC)2 web site, but that’s an incredibly difficult site to navigate.

Because of this, Gary Hinson and myself, each quite independently, took the CISSP Forum FAQ and converted it to a web page, adding hyperlinks etc. The two pages are at:

Both sites are very rich, but very different in nature. Gary makes use of custom mind-maps to assist in navigation, whereas the Wiki allows registered members – CISSPs – to contribute.

The CISSP Forum at YahooGroups is very active. It is not a purely technical group, but an active support group for CISSPs. It handles well over 1,000 messages a month and is the kind of “social network” that some vendors would pay millions of dollars to own – if it wasn’t a closed group that spurns advertising.

The astounding thing is that so few CISSPs know about it. (ISC)2 seems to make no effort to publicise it to people as they gain their certification.
If you are a CISSP, visit either of those two pages, or better still go directly to the (ISC)2 web page for registration – https://www.isc2.org/cgi/cissp_forum.cgi – and sign up.
