Posts tagged ‘DarkReading’

Infosec Career Planning

I’ve been thinking a lot about career path and career planning lately. Because of that I’ve noticed a lot of reblogging about the Information Security Career Survey by infosecleaders.com. A number of conclusions have been drawn from that survey. What sticks with me is that most Infosec pros don’t have a career plan.
My issue is that I’ve reached the goals that I had set early in my career and now I’m just drifting. To reach that goal I followed an old article, I think it was in ComputerWorld, titled pillars of an Information security career. I worked to gain experience, I got an advanced degree and I got certs. That, along with waiting, got me where I wanted to be.
So I sit and think, what is it I want to do next. Perhaps I already have my dream job. Good people. Better than average benefits. Telecommuting (note to boss, two days telecommuting would be nice).
That’s when I ran across a video from Louisville Infosec. Lee Kushner spoke on The Seven Habits of a Successful Information Security Career Manager. (Lee is one of the authors of the study). The video seems to be shot from the crowd and who knows what the audience was doing instead of listening. If you can tolerate the audio quality, I found the presentation well done.
Don’t let your career just happen to you. Getting to a good place often requires more than luck and waiting for someone else to recognize your talents. Infosec continues to be a popular career choice. You must be able to differentiate yourself. While we still hear of Infosec worker shortages, there is still a lot of competition for the GOOD Infosec jobs. Talent, networking, and planning are key.

Firewire Attack Against Pointsec

After reading about a FireWire memory attack against Windows (it also affects other operating systems), I figured it wouldn’t take long before someone demonstrated the use of that against full disk encryption. After all, why bother booting to USB, or freezing the RAM, if you can just hook up a FireWire connection and access the memory?
Today, I saw a Dark Reading article where a group/vendor has penetrated a Pointsec encrypted computer through the use of the firewire technique.

This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.

It is important to note that pre-boot authentication was not enabled on this computer. If it had been, the attack would not have succeeded. I can’t imagine deploying FDE without pre-boot authentication. This article could have described an attack against any FDE vendor not using pre-boot authentication.
I’ve disabled the FireWire port on my laptop. I haven’t looked at what it would take to disable the FireWire port in an enterprise. Perhaps it’s time for more spelunking in devcon. Or maybe Google will have an easy answer. I wonder how many “port control” products include FireWire.

A Third of Current Security Practices Useless

Dark Reading has an article reporting on a presentation Peter Tippett gave at the Computer Forensics Show in Washington DC.
He said that IT Security departments are wasting their time and a third of current security practices are useless.
It’s not necessarily a new thought.
It is really easy to get caught up in the patching hamster wheel.
It’s easy to believe that products will solve your security problem.
A lot of security spending and effort is regulation based. Is your data more secure because users are required to have 12 character passwords that are changed every 60 days?
It’s hard to get separation and look at security from new angles.

The High Cost of Handsfree

More and more wired peripherals are connected to the office computer, yet at the same time people want to be more wireless. They want a wireless keyboard, a wireless mouse and a wireless headset. It’s a little bit ironic that people accept wires for their non-work related USB devices, but they “can’t stand the clutter” when it comes to using standard keyboards and mice.
This article from DarkReading reports on the ease of interception of wireless headset technologies and how they used information gathered through that means to socially engineer themselves into a badge and desk inside a company they were hired to pentest. Not only could they listen to phone conversations with an off-the-shelf scanner, in some cases the headset remained active after a call ceased; this effectively bugged the office!
A UPI version of the article spoke to Bob Hayes, managing director of the Security Executive Council, who downplayed the issue.

“There are a lot of threats that are technically possible,” he said, pointing out that monitoring telephone conversations that way without permission was a federal crime. “Why would I do that,” he asked, “when I could get the same information a dozen different ways?” For instance by going through someone’s garbage, pretext phone calling, or eavesdropping on conversations at trade shows.


It’s not as if this is a far-fetched Hollywood-style plot. It’s one thing to do a risk analysis and determine it’s not worth taking action. It’s another to just say “we’ve got bigger fish to fry”.
Jack Johnson, former chief security officer for the Department of Homeland Security and now a partner in the Washington federal practice at Price Waterhouse Coopers, had a more common response: in general, when it came to new technology, “ease-of-use considerations tend to trump security.” It’s only later that the vulnerabilities are discovered. The CxO has to have the cool toys today.
One would wish that after so many years we would stop making the same mistakes. Security needs to be baked in early on. It cannot be the dismissed factor in the triad of Security – Usability – Cost.
Wireless keyboards are also an issue. In November 2007 DreamLab Technologies announced that due to weak encryption in Microsoft wireless keyboards they were able to capture and decrypt keystrokes. Would you intentionally set yourself up for wireless keystroke logging?
Now maybe I’m just jealous that my Plantronics headset is from the last millennium and I’m using a standard Dell USB keyboard. But it seems to me that the inherent risks in going wireless need to be addressed in any product used in the enterprise. It would be for the best if standards were followed in a company and products analyzed rather than implementing a hodgepodge of whatever is personal preference.

Second Life 0wned

Fantasy site Second Life was hacked, according to Dark Reading. The Second Life website doesn’t provide any information other than that it was a zero day attack on unnamed web software. More info is available in their blog.

Web Application Scanning

Web application scanning is a subject that I know little about. In a recent audit, I was asked if we used any tools for that, but it’s not something we have addressed. It looks like this topic is going to get broader press coverage due to a presentation at this summer’s Black Hat conference regarding the use of JavaScript and XSS to compromise intranets.
The topic’s author is the founder of Whitehat Security. I found it kind of funny that they sell a website scanning service along with an appliance for scanning your intranet. Yet on the same website there is a copy of a previous Black Hat presentation they gave in 2004 that seems to argue that humans are needed to appropriately evaluate web application vulnerabilities. I’ll have to keep reading on the website to find out what has changed.