Back to Corporate Life
By Daniel Miessler on December 27th, 2007: Tagged as Business | Career | Personal

Well, after three years as a consultant I am re-entering the corporate world. I’ll be working with a great company (Fortune 200) that has been voted by Fortune nine years in a row as one of the best 100 companies to work for. It was an excellent opportunity that I simply couldn’t pass up.
Some things I’m looking forward to with the move:
- Being with my fiancé
- Not living in two places anymore
- Enhancing my core technical knowledge
- Going back to school
- Re-energizing my home network
Anyway, it’s an interesting time to start a new chapter — January 2008, while the economy seems to be on the verge of tanking. Here’s to hoping for the best.
Oh, and expect a lot more technical content. :)
Cheers,
-Daniel
The Working Dead: How *NOT* To Have a Career
By Daniel Miessler on October 29th, 2007: Tagged as Business | Career | Philosophy
This is an excellent article along the lines of the 4-Hour-Work-Week. The source site (Lifereboot) looks pretty nice as well.
[ The Working Dead ]
Should CISSP’s Know Basic Networking?
By Daniel Miessler on August 31st, 2007: Tagged as CISSP | Career | Certification | Infosec | Management | Security

I say yes.
Martin McKeay from Network Security Blog disagrees. He writes:
I kind of like Daniel Miessler’s writing and think he has some good posts, but he totally misses the point of the CISSP when he complains about CISSPs who can’t program a home network. The CISSP isn’t aimed at testing someone’s ability to program their Linksys router, it’s aimed at testing someone’s ability to think about the philosophy of security.
Ok, here’s the thing: part of the CISSP is technical. They cover everything from trojans to encryption algorithms to covert channels. It’s just an overview, but it’s part of the CBK for a reason.
If the fundamental networking knowledge required to configure a Linksys router isn’t within a candidate’s grasp, then they shouldn’t be discussing security philosophy with anyone. As Martin points out, this is a management certification. Don’t we already have enough managers who learn big buzzwords like risk management and don’t know even the fundamentals of that which they are trying to protect?
Why do you think they teach generals how to fight and require them to move up the ranks before letting them command large armies? It’s because that knowledge of the lower-level capabilities is what offers the foundation for making sound decisions at the higher levels.
Think about the decisions that security managers are supposed to be making — how to implement a DMZ, host IPS vs. network IPS, DLP?, NAC?, how to publish information in a secure fashion within an extranet. Can one effectively make these decisions without basic networking knowledge? One can say, “secure that”, but if you don’t have any knowledge of what it entails then you’re not adding any value to the organization.
Quite simply, managers who don’t know the basics are dangerous. They have all the power and none of the knowledge. This combination leads to frustrated employees, poor policy making and negative outcomes for their organization.
Information Security: Comparing the CISSP and GSEC Certifications
By Daniel Miessler on August 29th, 2007: Tagged as Career | Certification | Infosec | Security
I’ve had some discussions about how the GIAC GSEC credential compares to the CISSP in terms of difficulty and respectability. Here is one such discussion from a forum I frequent:
The main reason the CISSP is more respected is because of the standards the ISC2 has established, such as proving the identification of the applicant, verifying they meet the experience requirements, and the way the exam is hosted.
That definitely earns the exam some respect, to be sure, but keep in mind that the first-time pass rate is over 70%.
I would give you this analogy: The CISSP is like taking the SATs. You walk into a room with just a pencil and take a 6-hour, 250-question exam that many times has more than one right answer, but you have to draw on your experience to determine which one is “more right”. The GSEC is like creating and turning in an essay and taking an open-book test.
Ok, let me put it this way, which of those two scenarios do you think represents reality in the infosec world? Cramming facts and regurgitating them via #2 pencil, or dealing with harder, more technical questions with access to any book and any search engine you want?
It’s the latter.
That’s what problem-solving is — you have Google, you have the text books, you have anything you want. That doesn’t make complex problems easy, it just makes them possible. That’s how the real world works.
Put it this way, I’d be willing to bet that 50% of all CISSPs don’t know what netcat is. What does that say about their infosec skills? What percentage of GSEC holders know what it is? Probably 99%.
I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.
More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge - not for testing whether or not you’d be qualified to actually do anything.
Don’t get me wrong, if you are going to do one first, or only one of the two, I’d say get the CISSP. It’s more recognized and more respected than any other cert out there. All I am saying is that you shouldn’t confuse this with its difficulty. Almost nobody knows anything about the GSE certification either, but the two PhDs that have it said it was harder to get than their degrees.
I think after you have both you may see it more the way I do. I’d hire a GSEC holder to do some security on a network with significantly less reservation, whereas a CISSP holder would have to go through the same sorts of checks that someone with nothing more than a 4-year degree would. Just because they can study and take themselves seriously doesn’t mean they know or love their discipline.
Don’t ever put yourself in this position again (NY Client Report). It’s completely sad and inexcusable. You should be ashamed of yourself, and you need to spend a whole lot of time ensuring that this never, ever happens again.
Work on the report every day; do NOT wait until the end. And don’t let anyone else come between you and your deadline ever again.
Bad, bad form.
10 Questions To Ask During An Information Security Interview
By Daniel Miessler on January 7th, 2007: Tagged as Career | Jobs | Security

I’m getting ready to help screen some candidates for an information security consultant position, and I decided to jot down a few questions to ask. These won’t be the only questions being asked, of course, but just a few that came to mind. Anyway, I thought they were worth sharing.
The key here for me is not so much getting the perfect technical answer, but more so not getting a lame one. In other words, we’re looking to filter out those who don’t have the right skills and/or mindset rather than guarantee a good fit. I’ll highlight the things I’m looking for with each question.
- Where do you get your security news from? Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include RSS feeds for solid sites like rootsecure, secguru, astalavista, whitedust, internet storm center, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.” (and nothing else). It’s these types of answers that will tell you he’s likely not on top of things.
- If you had to both encrypt and compress data during transmission, which would you do first, and why? If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.”
- What kind of computers do you run at home? Good answers here are anything that shows you he’s a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he’s got multiple systems running multiple operating systems you’re probably in good shape. What you don’t want to hear is, “I like to leave my computers at work.” I’ve yet to meet a serious security guy who doesn’t have a considerable home network.
- What port does ping work over? A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port). A good variation of this question is to ask whether ping uses TCP or UDP.
- How exactly does traceroute/tracert work? This is a fairly technical question but it’s an important concept to understand. It’s not natively a “security” question really, but it shows you whether or not they like to understand how things work, which is crucial for an infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions. The key point people usually miss is that each packet that’s sent out doesn’t go to a different place. Many people think that it first sends a packet to the first hop, gets a time, then sends a packet to the second hop, gets a time, and keeps going until it gets done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
- Describe the last program or script that you wrote. What problem did it solve? This is a trick as well. All we want to see is if the color drains from the guy’s face. If he panics then we not only know he’s not a programmer (not necessarily bad), but that he’s afraid of programming (bad). I know it’s controversial, but I think that any high-level security guy needs some programming skills. They don’t need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.
- What are Linux’s strengths and weaknesses vs. Windows? Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.
- What’s the difference between a risk and a vulnerability? As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional.
- What’s the goal of information security within an organization? This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I’m looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.” This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding — a realization that security is there for the company and not the other way around.
- Are open-source projects more or less secure than proprietary ones? The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they’re talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the “many eyes” regurgitation then I’ll know he’s read Slashdot and not much else. And if I just get the “people in China can put anything in the kernel” routine then I’ll know he’s not so good at looking at the complete picture.
The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly — quality control. In short, there’s no way to tell the quality of a project simply by knowing that it’s either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.
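The compress-then-encrypt reasoning from the second question, as an added example that is not part of the original post. XOR with a random keystream from os.urandom stands in for a real cipher here (an assumption, chosen only because it yields ciphertext that looks random, which is the property the argument depends on).

```python
"""Added example: why compression has to happen before encryption.
Encrypted output is indistinguishable from random, so compressing it
afterwards cannot shrink it; compressing the redundant plaintext first
and then encrypting keeps the full benefit."""
import os
import zlib


def xor_encrypt(data: bytes, keystream: bytes) -> bytes:
    """Stand-in cipher: XOR with a random keystream (keystream >= len(data))."""
    return bytes(d ^ k for d, k in zip(data, keystream))


def compress_then_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    return xor_encrypt(zlib.compress(plaintext, 9), keystream)


def encrypt_then_compress(plaintext: bytes, keystream: bytes) -> bytes:
    return zlib.compress(xor_encrypt(plaintext, keystream), 9)


def compare_orders(plaintext: bytes, keystream: bytes = None) -> dict:
    """Wire sizes produced by both orderings for the same plaintext."""
    if keystream is None:
        keystream = os.urandom(len(plaintext))
    return {
        "original": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(plaintext, keystream)),
        "encrypt_then_compress": len(encrypt_then_compress(plaintext, keystream)),
    }


# Constructed sample input: highly redundant data such as a log or HTML page.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 200

if __name__ == "__main__":
    for order, size in compare_orders(SAMPLE).items():
        print(f"{order:>22}: {size} bytes")
```

Encrypt-then-compress ends up slightly larger than the plaintext (zlib falls back to stored blocks plus its header), while compress-then-encrypt is a small fraction of it; the trade-off is that the ciphertext length then reflects how redundant the plaintext was, which is why protocols that carry attacker-influenced data treat compression with care.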
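The traceroute behaviour described in the fifth question, modelled as an added example that is not part of the original post: every probe is addressed to the final destination and only the TTL changes, with each router answering ICMP Time Exceeded when it decrements the TTL to zero. The addresses are constructed for the demo, and the reply at the destination follows the probe type the post mentions (ICMP echo on Windows, UDP on Linux).

```python
"""Added example: a model of how traceroute discovers hops.
Routers decrement TTL and report back when it reaches zero; the probe's
destination never changes, so hop N is learned from the probe with TTL N."""
from dataclasses import dataclass


@dataclass
class Probe:
    dst: str    # always the real destination, never an intermediate hop
    ttl: int
    kind: str   # "icmp_echo" (Windows default) or "udp" (Linux default)


@dataclass
class Path:
    routers: list   # ordered intermediate router addresses (constructed)
    dest: str

    def forward(self, probe: Probe) -> tuple:
        """Return (responder, message) for one probe travelling the path."""
        ttl = probe.ttl
        for router in self.routers:
            ttl -= 1
            if ttl == 0:
                return router, "time_exceeded"   # ICMP Time Exceeded
        # The probe survived every router and reached the destination host.
        if probe.kind == "icmp_echo":
            return self.dest, "echo_reply"
        return self.dest, "port_unreachable"     # UDP to an unused high port


def traceroute(path: Path, kind: str = "udp", max_hops: int = 30) -> list:
    """Send probes with TTL 1, 2, 3, ... until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = Probe(dst=path.dest, ttl=ttl, kind=kind)
        responder, msg = path.forward(probe)
        hops.append((ttl, probe.dst, responder, msg))
        if responder == path.dest:
            break
    return hops


# Constructed demo path: three routers in front of the destination host.
DEMO = Path(routers=["10.0.0.1", "10.0.1.1", "10.0.2.1"], dest="10.0.3.10")

if __name__ == "__main__":
    for ttl, dst, who, msg in traceroute(DEMO, kind="icmp_echo"):
        print(f"ttl={ttl} probe to {dst} answered by {who} ({msg})")
```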
6 Steps To Becoming An Information Security Guru
By Daniel Miessler on October 8th, 2006: Tagged as Career | Information Security | Philosophy
A recent poster in an information security forum asked what it takes to succeed in the information security field. Having met with moderate success in the field myself, I decided to offer a few of my own thoughts on the matter:
- Be Passionate About It
You can’t get to the top if you don’t truly love what you do. You can do decently well by grinding through, of course, but you won’t ever see the upper levels. This is especially true in infosec where it takes so much continual effort to stay current. I’ve seen dozens of “security professionals” in the field because they heard “there’s money in security”. That’s simply not good enough.
- Be An Engineer, Not A Technician
If you don’t understand how things work then you will stay at the bottom of the ladder in this field. Knowing how to operate things isn’t going to cut it. Problem-solving, which is ultimately what good consultants and other infosec professionals do, requires an understanding of the problem at hand, as well as how any proposed solution functions. You can’t be a button-pusher and get to the top.
- Don’t Be Intimidated By Anything
Many people in I.T. are pretty solid with a few technologies but have areas that they’ll never get into because they view them as scary. I often hear, “Oh, that’s programming, I’m not touching that.”, or “I don’t mess with that Unix stuff.”
That kind of approach will keep you limited for life, and for a security professional it’s pretty much a sign you aren’t going anywhere. The top security pros approach the unknown very similarly, i.e. by saying, “That can’t be too hard…” That’s the attitude you need to have.
- Combine Book Knowledge with Hands-On
Many screw this up in one direction or the other, and it’s not something you can get away with easily in information security. In this field you need to not only study theory but also know how to implement that knowledge in real-world situations. If you study diligently but can’t apply it, you’re dead. Alternatively, if you can implement but don’t understand underlying concepts you’re dead there too (see above).
I strongly recommend that beginners invest in a serious lab environment and implement what they find interesting during their studies. Nothing is more effective as a learning tool (for me, anyway) than studying something academic/theoretical and then seeing it come to life in your lab.
- Sharpen Your Communication Skills
Few things are as important as the ability to communicate well. This includes both verbal and written communication. It’s not enough to know lots of things; you have to be able to get that knowledge to your clients/users/management in a way that is useful to them.
Imagine you have two ratings on a scale of 1-10 — message and interface — and that the overall impact of your communication is the product of the two. So if your message is a 10, but your interface to the client (how well you communicated it) was only a 2, your overall score is just a 20. But if your message is a 9 and your interface is an 8 then your score is a 72. You need both solid content and the ability to convey it to others.
- Keep In Mind That There Are People Out There That Make You Look Silly
Staying humble is another key attribute. If you think too much of yourself you’ll relax and stop growing. It’s important to realize that there are others that completely dwarf your skills in many areas. Check out some different newsgroups, browse different IRC channels for security related content, etc. Seek out those you can learn from.
Back To New York
By Daniel Miessler on September 23rd, 2006: Tagged as Career | Travel
So I’m off to New York again — this time for a full 10 weeks. This is both good and bad.
The good part about it is that I get to save a ton of money. Food is actually my biggest expense, and three months of someone else supporting that is going to net me a couple grand. That combined with a bonus arriving during that time will yield a hefty sum for the savings account.
I’m also enrolling in college again as of October, so I’ll be doing that and playing WoW at night during the whole engagement. Fun fun. Dragonmaw server, btw…email me if you want to game.
Hopefully I’ll be able to bring my girlfriend up to see me as one of my paid breaks. She’s never been to NYC so we’re going to go do the necessary stuff: WTC, Empire State Building, Central Park Ice Skating, 5th Avenue, etc. Should be cool.
GCIA Completed
By Daniel Miessler on August 23rd, 2006: Tagged as Career | Certification | Humor | Information Security
W00t2. I passed. The second test was quite serious; there was no playing around whatsoever:
Question 1: Using the space provided, write an improved implementation of a UDP checksum calculation in binary. (Note: the use of the 1 and 0 keys is not allowed.)
Question 2: Stand up and run as fast as you can into the nearest wall. Get up and come back to resume your exam.
…and those were just the warmup questions… Nah, but seriously. Very hard test. This one I’m proud to have.
