Posts tagged ‘Certification’
Managing Emotions Under Pressure – part 2
This is part 2 of a series of posts reflecting on a Fred Pryor class titled Managing Your Emotions Under Pressure.
There is more pressure than ever in the workplace. There is just a lot of information to absorb and a lot of tasks to perform. Most of my readers will understand that. They use RSS feeds to sip from the firehose of information that is the Internet. Many of my readers will, like me, be in Information Security. We’ve got to stay one step ahead of a motivated attacker and protect the business even when the users don’t want to be protected.
Pressure can lead to overreacting emotionally. Overreacting emotionally can have a great negative effect on a career.
We’re supposed to be always learning and building our skills. Skills aren’t just picking up another certification, or studying up on the benefits/drawbacks of BitLocker when compared to GuardianEdge. Skills include managing your emotions.
Doing so isn’t easy. Stephen Covey says it takes 6 times to learn and 21 times for it to become a habit. Making changes could be a lifelong effort.
Auditors and Company Policy
It’s always nice when your own auditors follow company policy. We have an external auditor in for the next 6 weeks in order to obtain FISMA certification. At the kickoff meeting, we told the auditors that they were not allowed to put their computers on our internal network, but they were more than welcome to use our guest wireless. This information was also on the account request form that they signed.
I had a feeling that they weren’t going to follow our policy. We don’t currently have a technical mechanism in place to enforce such a policy. I opened our DHCP management console and sure enough 5 computers had a DHCP lease with a computer name and domain giving away that their owner was this auditing firm.
So I was able to bust them on that, and prove to them that we do review the logs and record anomalies in the service desk.
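The lease review above can be automated as a small detection. The following is an added example (not code from the post): it parses a constructed lease export of the form "ip mac client-name" and flags every lease whose client name carries a domain other than the managed one. The domain names and MAC addresses are placeholders, and the export format is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample of a DHCP lease export (placeholder data, not real
# hosts): one lease per line as "ip  mac  client-name".
SAMPLE_LEASES = """\
10.10.4.21  00:1a:2b:3c:4d:01  ws-finance-07.corp.example
10.10.4.22  00:1a:2b:3c:4d:02  AUDITLAPTOP1.auditfirm-placeholder.com
10.10.4.23  00:1a:2b:3c:4d:03  ws-hr-02.corp.example
10.10.4.24  00:1a:2b:3c:4d:04  AUDITLAPTOP2.auditfirm-placeholder.com
10.10.4.25  00:1a:2b:3c:4d:05  printer-3f
"""

# Domain suffixes that may legitimately hold a lease on the internal network.
ALLOWED_DOMAINS = {"corp.example"}

LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    name: str

    @property
    def domain(self) -> str:
        # Everything after the first dot; empty when the client sent a bare hostname.
        _host, _, domain = self.name.partition(".")
        return domain.lower()


def parse_leases(text: str) -> list[Lease]:
    """Parse the export line by line, skipping anything that does not match."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append(Lease(*m.groups()))
    return leases


def find_foreign_leases(leases, allowed=ALLOWED_DOMAINS):
    """Leases whose domain is not on the allowed list. Bare hostnames are
    reported too: without a domain they cannot be tied to a managed system."""
    return [lease for lease in leases if lease.domain not in allowed]


if __name__ == "__main__":
    for lease in find_foreign_leases(parse_leases(SAMPLE_LEASES)):
        print(f"{lease.ip} {lease.mac} {lease.name} -> domain {lease.domain or '(none)'!r} not allowed")
```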
Strange services on the firewall
The UNIX administrator asked me to scan his systems that are within the scope of our Certification and Accreditation package. We have an auditor coming in next week to check our progress toward obtaining “authority to operate” and he wanted to make sure his systems were clean.
I found that our recently upgraded firewall now had several ports in the 37,xxx range that would act as a proxy. So basically, I could point my browser’s proxy settings to the firewall on those ports and it would let me out without the usual security filtering. A bit more scanning revealed that these services were enabled on other Solaris 10 servers, not just the firewall.
I hadn’t uncovered this before because my vulnerability scanner doesn’t scan all 65k TCP ports. I only uncovered it because on one server, these services operated on different ports that were scanned.
So once again, I’m not happy with how my vulnerability scanner has operated. But more importantly we’re left with the lesson that we need to run scans before systems move into production.
lsof isn’t a default part of Solaris, so the Unix guys are still investigating what is providing those services. I left it to them to track it down since I had a few other things to do.
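The coverage gap described above (listening ports the vulnerability scanner never probes) can be checked by comparing a full-range port scan against the scanner's configured port list. This is an added example, not code from the post; the hostnames, the open-port lists and the scanner port specification are constructed placeholders.

```python
# Constructed full-range (1-65535) scan results per host: placeholder data.
# The 37xxx services sit on two hosts; on the third the same kind of
# service happens to listen on a port the vulnerability scanner covers.
FULL_SCAN_RESULTS = {
    "fw-1.corp.example":    [22, 443, 37001, 37002],
    "sol10-a.corp.example": [22, 111, 37001],
    "sol10-b.corp.example": [22, 8080],
}

# Assumed port specification of the vulnerability scanner's default policy,
# in the common "range,port,port" syntax.
SCANNER_PORT_SPEC = "1-1024,1433,3306,3389,8080,8443"

MAX_PORT = 65535


def expand_port_spec(spec: str) -> set[int]:
    """Turn '1-1024,8080' into the set of TCP ports it covers, validating bounds."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 1 <= lo <= hi <= MAX_PORT:
                raise ValueError(f"bad port range {part!r}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(part)
            if not 1 <= p <= MAX_PORT:
                raise ValueError(f"bad port {part!r}")
            ports.add(p)
    return ports


def unscanned_open_ports(full_results: dict, scanner_spec: str) -> dict:
    """Per host, the open ports the scanner policy would never have touched.
    Hosts whose open ports are all covered are omitted."""
    covered = expand_port_spec(scanner_spec)
    gaps = {}
    for host, open_ports in full_results.items():
        missed = sorted(p for p in open_ports if p not in covered)
        if missed:
            gaps[host] = missed
    return gaps


def coverage_fraction(scanner_spec: str) -> float:
    """Share of the TCP port space the scanner policy actually probes."""
    return len(expand_port_spec(scanner_spec)) / MAX_PORT
```

Running the report before a system moves into production turns the lesson in the post into a repeatable check rather than a lucky find.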
How to be an InfoSec Guru
Occasionally people ask how I got where I am. I’ve been meaning to add an ‘about me’ but haven’t gotten around to it. A question earlier this week reminded me that this post was sitting in my draft folder.
A lot of people are sniffing after information security because they think they smell the green. They see the CISSP average salary of $93k and they think they deserve some of that cash. It was the same thing with Windows Systems Administrators. People who should be driving a beer truck are instead studying for their MCSE because the ad said they’d make $70 doing that. The flood of paper MCSEs just about destroyed the market for being a Windows Sysadmin, and I would guess led directly to some of the security disasters that have occurred in the past 6 years.
So if you’re in it for the money, move on. Go train to be an Oracle DBA or something. If you don’t truly love Information Security then don’t waste your time. It’s a lot of hard work, and, just speaking for me, the salary quotes you see are really high.
There is a common debate on which is best: experience, education or certifications. I read an article about 5 years ago that would answer “all of the above”. The article argued that these things are the foundation of a solid career. So pick one and work at it. That’s the best way to get ahead.
Another article I read recently on this subject is by Roberta Bragg in Redmond Magazine, “How to be a security babe”. You may need to dig it out of the Google cache.
Indentured Servant
Did I mention that my company updated their education assistance policy? After 5 years of allowing people to leave freely the second their company-paid degree was obtained, and after I’ve been taking classes for two years, now in the final year of my degree they have changed the program so that if I leave within one year of them giving me money for a class, they will demand reimbursement.
Now most people think two things about this. The first is that I’m trying to shock by using the phrase indentured servant. I think they have confused the phrase ‘indentured servant’ with ‘wage slave.’ I’m not making a comparison to slavery. That would be incredibly insensitive. No, I am using the phrase indentured servant correctly. Webster’s defines an indentured servant as a person who is bonded or contracted to work for another for a specified time, in exchange for learning a trade. This is exactly the contract I have been forced to accept. I would like to not accept the company money, but I know the odds are I’ll stay where I am forever anyway, so I might as well take the money.
The second reaction people have is that the company is just in requiring people to stick around for a year after accepting money for school. I think that these people are not looking at it from my point of view. To frame the argument in a way they can understand, I ask: what if the company’s matching funds for your retirement fund only fully vested after you stayed for an additional year after each deposit? Many companies have a vesting period. Perhaps we should have that also, so we the employees don’t skip out the door after taking the retirement money.
The bottom line for me is that I have increased my worth to the company through self-study, obtaining certifications and working on this degree. Under corporate policy it’s not possible for them to increase my pay at the same rate at which I have increased my value. So now, in the moment where I have the upper hand, the velvet handcuffs that were the company benefits have become steel.
This is why I have a countdown to my Freedom day on the front page of this blog.
Shmoocon: Keynote
Dan Geer was the keynote speaker at Shmoocon.
For a statistician he made a rather broad-brush statement that current security workers have no formal training. Yet now every college has a security course. The non-credentialed, he says, are the ones with skills while those with credentials are the charlatans.
Was the world really better when the astronomers were the ones hunting down the hackers? Is the best hacker one with no formal training? It certainly is popular to attack anyone who has bothered to get a certification or a degree as if that certifies them as having no skills at all.
I do agree with his statement that as demand for security professionals outstrips supply, the number of charlatans increases. It’s very annoying to watch clueless people stampede after the money. At least in the pre-credential days, you knew people were doing it because they loved the challenge.
Geer also talked about a change in focus from prevention to detection and recovery: conceding that attacks will succeed but making sure what is important is recoverable. With strong recovery capability in place, you can apply patches as they are released without a formal QA process.
Another interesting comment from Geer is that according to Symantec’s own data a new virus is released every 4 hours. How often do you update your antivirus definitions? It is a doomed model.
C & A Security
Certification and Accreditation. Is it the path to security? Does it even purport to be that? I find myself asking that question as I review the site security plan we are putting together where I work. I’m all for best practices. But one best practice is not applicable everywhere. As Jesper Johansson has written, it is a myth that security checklists will protect you.
I liked what Richard Bejtlich said about this:
Millions of dollars and thousands of hours are spent on C&A, and C&A levels are used to assess security. In reality C&A is a 20-year-old paperwork exercise that does not yield improved security. The only real way to measure security is to track the numbers and types of compromise over time, and try to see that number decrease.
GIAC Changes Coming
SANS is modifying the requirements for the GIAC Certification so seekers will no longer be required to write a written practical. In the past there has been a requirement of a practical as well as multiple tests.
The written practical was a great thing for the GIAC. Some certifications are seen as a paper certification, or a sign of an individual’s ability to quickly cram information into short-term memory. That was never the case with the GIAC because there is a written paper designed to contribute to the general security knowledge base. Anyone could go read that paper online and get an idea of the writing skills and the security skills of the certificate holder. By changing this to a test-only certification, the great differentiator of the GIAC is gone.
The problem with the certification is that not enough people are getting it. Hiring managers are placing emphasis on the CISSP cert or even the Security+ cert from CompTIA. By making the bar lower, more people will have the certificate and a “critical mass” of certificate holders will ensure the future value of the certificate. That’s the theory anyway. I like it now where, even though it’s not as well known, the ones who do know have respect for it. With it being a test-only cert now, not requiring people to actually view the course material, I fear it will be like the MCSE. If I see a bunch of high schoolers with a GIAC, I’m taking the certificate off my wall.
A Master In SANS
I got an email last week from SANS stating that they are looking at interest in an MS in Information Security Management or an MS in Information Security Technology Leadership. They don’t state any specifics but it seems clear from the context that they are looking at creating a Master’s program based around (or completely based on) their SANS conferences and the accompanying certification.
Think about it. You spend one week in the conference. This is equal to the 40 hours of classroom time you might spend in a degree program. You are evaluated in a Practical / Term Paper as well as an exam (in some cases two).
I thought Mary Washington College already offered this sort of degree program. Or at least, I can find a Google mention of it from a few years ago.
I would have probably jumped at this a few years ago. I’m not really a math and programming guy and I don’t always see how that relates to my quasi-role as computer security guru. So a degree based on SANS courses would have sounded too good to be true.
But now my opinion has changed somewhat. I see people getting degrees in networking that consist largely of a Cisco certification. Two to four years to learn to configure a router? To me it’s just colleges looking to cash in on the computer boom.
What about the quality of the degree? Sure, it’s a fancy-sounding degree title that will likely fool HR, but will it be respected by the guys actually doing the hiring? While I have chosen a tougher road in getting a Master’s in Computer Science majoring in Information Security, I think it is one that will pay off more in the long run.
GIAC Certified Windows Security Administrator
I recertified my GIAC certification in Securing Windows this week. According to the certification description, GIAC Certified Windows System Administrators (GCWNs) have the knowledge, skills and abilities to secure and audit Windows systems, including add-on services such as Internet Information Server and Certificate Services.