
Archive for March, 2009

Security’s Role in Downsizing

March 23rd, 2009 Comments off

It’s an unpopular topic for sure – letting people go from your organization. Firing, downsizing, “rightsizing”, whatever you want to call it, it’s an unpleasant experience for everyone involved. For security folks, however, there’s a lot we need to be aware of prior to, and during, layoffs in our organization; when people lose their jobs, or suspect that they soon will, they can do some not-so-ethical things. People may steal sensitive data, sabotage people, projects, and assets, or log back in with their old credentials to just “snoop around”. Whatever the case may be, here’s a list of things we need to do and think about from a security perspective:

  • Monitor logs: We should already be doing this as a security best practice (or perhaps because we want that coveted compliance checkbox). However, within the realm of log monitoring, we can shift our focus to events of a particular nature for short periods of time, and this is the case during layoffs. For example, you may want to start logging successful logon events to critical or sensitive resources (many don’t due to the volume of alerts). This can help you observe the patterns of access to the data – are people accessing the data more than normal? Are their access times a little peculiar?
  • Watch the back door: Keep an eye on VPN and other remote access methods. Much like log monitoring, you’re probably doing this already – however, you can shift more of your attention to watching events on these devices and monitor users coming into the network this way to see if they’re doing anything a bit out-of-the-ordinary.
  • Monitor physical access: Get the physical access logs of the buildings where soon-to-be-unemployed people work. Again, you’re just paying a little closer attention to patterns of behavior than normal. People coming in on weekends or after normal hours, staying late, etc.
  • Institute strict change monitoring of code and files: The recent case of the Fannie Mae contractor who implanted a logic bomb in a program should give us all pause. Although full-blown sabotage is fairly rare, it definitely happens. Any folks with access to code should get extra attention, and so should their code. In fact, I want a daily list of changes in their code, and you should seriously consider implementing a two- or three-tiered QA and analysis program for a short time to ensure no malicious code is inserted. Is this tedious? Hell yes. Could it save your ass? Same answer.
  • Revocation of access to resources: This is the classic problem with people let go from organizations. We need to disable or terminate their accounts and access to resources, and we’re often left to absolutely archaic methods to keep up with what they had access to in the first place. Things like spreadsheets. Email distro lists. Real CUTTING EDGE technology like that. Or even worse, our own flawed memories. If you have a user provisioning or IAM system in place, this gets a lot easier.
  • Reclaiming corporate computing assets: Getting laptops, PDAs, 2-factor tokens, and the like back in the organization’s possession is also something security should be involved in.
  • Forensics: Depending on the circumstances, you may need/want to perform a drive duplication and/or forensic analysis of aforementioned computing assets. Usually, this is the case when someone is terminated for cause, and the company’s CYA instincts kick in for self-preservation in a court case or prosecution.
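As an added example of the monitoring side of this list (it is not code from the original post), here is a small Python review of authentication events during a layoff window. It flags the three things the bullets above call out: successful logons to sensitive resources after hours or on weekends, users whose daily access volume is well above their normal baseline, and successful logons by accounts HR has already told us should be disabled. The log format (a pipe-delimited export), the resource names, the baseline figures and the termination roster are all constructed for the example and are not tied to any particular product.

```python
"""Layoff-window access review (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events: timestamp|user|resource|outcome.
# The format is an assumption for this example, not a specific product's log.
SAMPLE_LOG = """\
2009-03-16T09:12:04|alice|payroll-db|success
2009-03-16T09:15:31|bob|payroll-db|success
2009-03-16T13:30:00|bob|source-repo|success
2009-03-16T22:47:10|bob|payroll-db|success
2009-03-17T03:05:59|bob|source-repo|success
2009-03-17T10:00:00|alice|source-repo|success
2009-03-18T11:20:00|carol|payroll-db|success
2009-03-18T11:21:00|carol|payroll-db|failure
2009-03-21T14:02:17|dave|payroll-db|success
"""

# Constructed: which resources count as sensitive, and what "normal hours" are.
SENSITIVE = {"payroll-db", "source-repo"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
# Constructed: accounts HR reported as terminated and the date access should have ended.
TERMINATED = {"dave": datetime(2009, 3, 20).date()}
# Constructed: per-user baseline of successful sensitive logons per day (e.g. prior month's average).
BASELINE = {"alice": 2.0, "bob": 1.0, "carol": 1.0, "dave": 1.0}


def parse_log(text):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, outcome = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "outcome": outcome})
    return events


def after_hours_access(events):
    """Successful logons to sensitive resources outside business hours or on a weekend."""
    hits = []
    for e in events:
        if e["outcome"] != "success" or e["resource"] not in SENSITIVE:
            continue
        t = e["ts"].time()
        weekend = e["ts"].weekday() >= 5  # Saturday=5, Sunday=6
        if weekend or not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
            hits.append((e["user"], e["ts"].isoformat(), e["resource"]))
    return hits


def volume_spikes(events, factor=2.0):
    """Users whose successful sensitive logons on a single day exceed factor x their baseline."""
    per_day = defaultdict(int)
    for e in events:
        if e["outcome"] == "success" and e["resource"] in SENSITIVE:
            per_day[(e["user"], e["ts"].date())] += 1
    return sorted((user, day.isoformat(), n)
                  for (user, day), n in per_day.items()
                  if n > factor * BASELINE.get(user, 1.0))


def stale_account_logons(events):
    """Successful logons by accounts that should already have been disabled."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["outcome"] == "success"
            and e["user"] in TERMINATED
            and e["ts"].date() > TERMINATED[e["user"]]]


def review(text):
    """Run all three checks over one log export and return them together."""
    events = parse_log(text)
    return {"after_hours": after_hours_access(events),
            "volume_spikes": volume_spikes(events),
            "stale_accounts": stale_account_logons(events)}


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(name)
        for f in findings:
            print("  ", f)
```

On the constructed data, bob's late-night and 3 a.m. logons and dave's Saturday logon show up as after-hours hits, bob's three sensitive logons on the 16th exceed twice his baseline, and dave's logon the day after his termination date is exactly the stale-credential case the revocation bullet warns about. The baseline and the hours window are the knobs to tune; a real deployment would compute the baseline from the prior period's events rather than hard-code it.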

I’m probably missing a few considerations, and any comments are welcome. One thing to note here – some of these items imply that security teams have prior knowledge of the layoffs or terminations. In WAY too many organizations, HR teams don’t share this info or work side-by-side with security to do this effectively. If you’re in one of these organizations, you should lobby HARD to change this behavior. After all, our job is to identify, manage, and monitor ongoing risk. The risk-o-meter goes way up during layoffs and terminations, and given that we can do so much to prevent mishaps, we really should.

Categories: Information Security

The Economy Affecting Infosec? Survey Says!

March 20th, 2009 Comments off

Greetings, security people! A while ago I posted a few questions to the SANS/GIAC community asking how the economy was affecting security programs within their organizations. I had a handful of responses, but not too many. Then, thanks to a suggestion from Christophe Veltsos, I created a simple SurveyMonkey survey and got a total of 23 responses. As promised, I am sharing those results with the community, since it’s always nice to know what others are up to. Here goes…

QUESTION #1: What types of policy changes and over-arching security philosophy/mindset/risk tolerance changes are occurring as a result of fewer staff? For example, are you “locking down” Internet access more than usual since you have less time and staff to interpret user requests? (19/23 answered this question)

  • none
  • No impact so far — I am in healthcare and we are moving to an electronic health record so more than less emphasis on policy.
  • No, the people who remain have more work to do, so security is suffering as a result. It is seen as less of a priority than “giving the user what they want.” Daily, I see dozens of machines with no critical updates applied and systems with blank passwords. Security doesn’t exist here.
  • Unfortunately nothing different is happening and that’s (IMHO) the problem. Fewer IT Security staff means less hands to protect the enterprise, and less prevention / detection / response.
  • [M]ostly we just do not have the time and resources to properly handle threats. Because we are a university this means they are b[e]ing left unmanaged.
  • More dependence on policy compliance
  • Actually, the unfortunate result of having less IT/IS staff is that we are seeing a tendency to have what are deemed business critical applications put into production, w/o the thorough review like we had done before – which in my opinion is opening the door to bigger problems that may never be analyzed, unless a breach takes place. The time, money and resources we used to have are now no longer a commodity, and proper risk analysis procedures are not critical like they used to be.
  • We have less time to analyze security problems, so tolerance of user mischief is far lower. We don’t have time to listen to mitigating factors and hold peoples’ hands.
  • Finally fear has occurred and now mgmt wants postings and awareness to the end users for their home systems. Internally, I still am not allowed to impact the users by trying to do any of the workarounds to the recent issues on Excel zero day, Adobe etc
  • we have not lost any staff. We only have one analyst (me).
    No workload is the same, there is no funding available. We still have to investigate ways to secure and meet policy, but there is no funding for anything. Waste of time.
  • We are extending replacement cycles which is having the impact of potentially losing support on hardware/software and may necessitate unplanned and unfunded purchases.
  • Insider threats from people being laid off
  • No
  • No strategic shifts in policy being contemplated
  • No changes, just longer hours. Any new automation of processes that requires new hardware or non-open source software is just not happening.
  • As the business shrinks, the security investment increases. IT and audit staff levels are staying level as supported staff decrease. There is so much legal and client pressure to improve information security that we see this as a necessary investment. We are investing in improving technology, education and procedures.
  • None
  • n/a

QUESTION #2: What types of security operations are taking a hit? Reviewing logs or IDS info less often? Resolving change/exception tickets more slowly for firewall and other access? (18/23 answered this question)

  • none
  • N/A
  • Everything is falling by the wayside. Security doesn’t matter until there is a breach. Then it is CYA time for a while, then back to business.
  • Even with a SIEM consolidating IDS, Firewall, Remote Access, VPN, Antivirus, and Active Directory (authentication) log sources we still are falling short to monitor them proactively. Response on tickets to our group has gone from measured in days to measured in weeks or even months.
  • Ids is unreviewed. VPN is not being appropriately managed. Firewall rules are not getting attention. Log review happens only during investigation.
  • [A]pplication firewall setup (web service filters, for example); service creation
  • Speaking only for my team: 1. Log analysis 2. Risk Analysis 3. Lack of vendor support for products – no money to renew. 4. Daily operations tasks, like level 3 tickets take much longer to resolve
  • Logs are getting less looks. Keeping up with the event console is about all we can handle right now.
  • None, they are looking to purchase Core Impact to complement our Nessus and IBM ISS IDS tools and improve reporting. My group recently changed from Checkpoint to Cisco firewalls and will move the FW admin to the network team to improve the process. They are looking to hire me a Sr level cyber analyst so we are looking to improve, more people, more products
  • [W]e will not implement new projects, such as IDS/IPS due to hiring freeze.
  • Anything that costs money.
  • No hit yet, but unlikely to replace people if they leave.
  • None, actually still growing. Adding positions to address gaps.
  • Things happen more slowly of course, with fewer to do the work.
  • None. Rather, we are investing in more efficient security configurations and oversight. HIDS as part of a desktop security suite, rather than complex NIDS/IPS. Improved SEIM to make incident handling and response less demanding on staff, etc.
  • Lost a staff member who handled database ID provisioning, DB auditing, etc. Having to figure out how to split those duties across other folks.
  • Everything is just getting a budget contraction.
  • Personnel

QUESTION #3: What items are getting cut out of the budget? (21/23 answered this question)

Additional answers (the “things I missed” category):

  • travel and training reduced
  • 2 factor authentication. For the first time ever they’re cutting our budget for RSA SecureID tokens, forcing us back to single factor certificate based auth for remote access. OUCH!!! Talk about one step forward and 5 steps back.
  • Everything harder to justify and subject to cuts. We’re even getting challenged on anti-virus software license renewals.
  • I am sure some items were missed, but in these dire circumstances, when people leave, the contract position is left empty, and cash is king – because nothing seems to be measured in terms of quality any longer, but more along the lines of cost!
  • security training and conferences
  • User information security awareness activities severely curtailed at my organization. The users in this case are the bank’s financial officers and their administrative staff. – Staff training – Slowing down of closing open audit items, including ‘High”
  • Training/travel budget
  • We are relying heavily on open-source right now.
  • No
  • External training non-existent – not even to pay for attending a SANS training course on a work study basis
  • subscriptions to organizations and training.
  • Available capex and opex funding is lower than normal, which means the budget is just being allocated to few projects. Otherwise, work is progressing for higher priorities.
  • Directly cutting personnel including the people doing the security checks

QUESTION #4: What tasks are you focusing on for automation? Has this changed due to the budget? (17/23 answered this question)

  • [I]dentity manag[e]ment and no
  • No changes Computerized provider order entry
  • Not much.
  • Pushing more value from our SIEM and IDS to automate manual things, that and finding other overlaps in technologies, turning on features we never used before, just basic optimization of what we’ve got, vs buying more point solutions ($$).
  • No automation tasks right now
  • log review, authorization controls; doing less because of staffing shortages
  • The same things that were automated before are being automated now…no big changes, although there is a need to look into other methods to automate tasks, in order that with less people, we can be more efficient.
  • Some of us are learning python to script the log review/reporting and implementing OSSEC
  • Money seems to be coming out of nowhere to improve security by agreeing to purchase more products
  • Our security program is in its infancy, and as such, we are just now developing a scanning program.
  • As we will not gain any staff we are automating as much as we can.
  • No. Log reporting
  • Improving end user processes as this will have greater impact on organizational productivity than focusing upon IT alone.
  • None.
  • High-volume highly manual tasks such as access provisioning.
  • Automating data-gathering for KPIs associated with IT security, Log analysis, Information Risk Awareness (improvements to an internally developed risk management process)
  • Incident detection (via extrusion monitoring). Nope.
  • [A]utomating everything possible. No changes.

QUESTION #5: For those tasks you are trying to automate, how are you prioritizing? (18/23 answered this question)

Pretty interesting results, I’d say. Most of you are feeling *some* pinch from the economy, whether it’s in paring back people, technology, or training. A handful of you are not feeling much, if any, effect. Thanks to all who participated, I hope this is useful!

Categories: Information Security

The Security Hierarchy of Needs

March 15th, 2009 1 comment

Welcome back, folks, for another episode of “Dave’s Security Soapbox”. This topic is one I’ve had mulling around in my mind for quite some time. It’s hugely subjective, so it’s virtually a guarantee that some people will vehemently disagree with my thoughts on this.

For those of you with a background in Psychology (or not) you’re probably familiar with a concept advanced by Abraham Maslow called “The Hierarchy of Needs”. This took the form of a pyramid split into several horizontal categories. The base of the triangle was the fundamental stuff – food, shelter, etc. The pinnacle of the pyramid was something called “self-actualization”, where we had infinite self-awareness and could recognize our innermost desires (the more transcendental ones).

I’m going to map out a fundamental hierarchy of needs in the infosec products space. I am headed out to RSA 2009 in a month or so (see the Events page for my presentation info), and my thoughts are all over the infosec vendorspace. The last two years I’ve gone, I’ve been spectacularly underwhelmed at the plethora of “me too!” and buzzword-laden product offerings that are just NOT technically innovative or exciting at all. And so blog I must.

Let’s start with the categories, and then I’ll explain my simple methodology. I actually used last year’s (2008) RSA Conference Guide as a reference just to make sure we’re all talking the same talk. The RSA guide categorized all the vendors on the Expo floor, and I’ve culled from that (with some condensation and modifications). Here goes:

  • Access Controls: Network/Host
  • Administrative Password Mgmt
  • Anti-Spam
  • Anti-malware (spyware & virus prevention/detection/eradication)
  • Application Security (code analysis)
  • Application Security (Web App Firewalls, etc)
  • Audit and compliance Tools
  • 2-factor Auth (biometrics, smart cards, tokens, etc)
  • Content filtering/mgmt
  • Database monitoring
  • Database encryption
  • Email encryption
  • Email security
  • Encryption/key mgmt
  • End-point Security solutions (NAC and such cruft)
  • Endpoint encryption
  • Network Firewalls
  • Host-based firewalls
  • Forensics solutions
  • ID mgmt
  • IM Security
  • DLP
  • IDS / IPS
  • Log Management
  • NBAD solutions
  • Patching and configuration management
  • Penetration testing and VA tools
  • Remote Access / VPN
  • Risk mgmt and analysis
  • SEM
  • SSO
  • Storage Security
  • Wireless security

Wow. Even with my extensive efforts at consolidation and simplification, that’s a fair-sized list. To be sure, you could wrangle this in a number of ways, too. For instance, you could consolidate all email and IM solutions into something like “Messaging security”. You could lump IDS/IPS/Firewall into “Network Security”. I didn’t want to OVER-simplify here, though, just to make sure the individual purpose of each category was obvious. So now let me explain my general methodology. I broke the hierarchy into four categories, which I’ll explain here:

  1. Fundamental security solutions: This is the “base” category that is essential to sound security in an enterprise. Without this, chances are you’re toast or soon will be.
  2. Important security solutions: These are “things you SHOULD have”. If you don’t have them, you may be able to get by, but you’re really not in that nebulous “best practices” area we love so much. You will also NOT be popular at security geek cocktail parties. Just saying.
  3. Enhancing security solutions: These are “things you COULD have”. These solutions can make routine tasks much easier, can simplify your life, and are great if you have budget money. In certain cases, you may have a very specific business need that warrants a point solution in this category, but in many cases these are things on your wish list, and maybe the things you sort of covet at the aforementioned cocktail parties when your compadre from down the street brags about HIS sweet new implementation.
  4. Holistic solutions: These are the “umbrella” solutions that overarch the rest and provide “glue” that links everything together. This is the tip of the pyramid, the most technically sophisticated solutions(and the most complicated, in many cases). They’re almost always unnecessary, but let you achieve very granular control over your security controls with more centralized reporting, correlation, and all that stuff that lets you REALLY smirk a bit at these mythical infosec cocktail parties I keep talking about.

A few things are not included at all. It’s tempting to argue that things like policies, configuration standards, processes (operational/administrative) and the like are all critical here, and they ARE. However, I think those are somewhat of an overlay alongside the entire pyramid, and so let’s assume that those are integral at every layer, in varying degrees. So without further ado, my Security Hierarchy of Needs:

Alright, now for the explanations and caveats. Starting at the bottom of the hierarchy, here are some additional insights that will help explain my reasoning:

Core fundamentals layer:

  • I don’t care what kind of anti-malware you use. Security people reading this may not even USE traditional anti-malware (I personally hate it), but think of the users. I know it hurts, but try. 🙂
  • Network firewalls, in some form or fashion, are just a must. You could argue that this falls into “access controls”, and I would agree as a macro-level category, but firewalls have enough individuality these days to warrant their own category, and I can’t imagine not having one. Sort of like my network infosec “wubby”, or security blanket.
  • IDS and IPS – I could care less which you use, really. However, you need eyes/ears on the network, and this fills that role. Whether you play the inline game or not, you need network intel and here you go.
  • Some of you will scream bias in “patching and config mgmt” since I work for a vendor in this space. Of course you’re right, but this ain’t my first rodeo, either, so I’m perfectly capable of being objective during this kind of analysis. I’ve been in the trenches a LONG time, and this one is critical. If you use WSUS for patching and Windows’ included Group Policy for config mgmt (or scripting for that matter), I don’t really care about that either. As an area of infosec, this one is hands-down a core fundamental.

Important solutions layer:

  • Spam can be used to trick users via phishing, etc. Gotta kill spam.
  • Code analysis? Damn right. It’s all code at the end of the day, folks – hardware has no brain. We need to start getting this drilled into our brains NOW – review code. Fix code. Repeat.
  • Encryption is, in many cases, the right answer. We’re not quite there yet, it’s expensive and tough to manage, but we need more of it. Just like code analysis tools, we need to get our arms around this and do it QUICKLY.
  • Pen testing and VA tools can tell you what’s f***ed before someone else finds it. If you’re not proactive, you’re reactive. Get proactive and start scanning and assessing yourself regularly.

Enhancing solutions layer:

  • Most platforms and such have password management sort-of built-in, so additional password mgmt really just adds a bit more functionality etc.
  • End-point tools and host-based firewalls (or HIDS for that matter) sound great in theory, but they are tough to manage and keep up with. Plus more overhead on remote systems can start to clog them.
  • Forensics wonks will likely pitch a fit about this category being where I placed it, but sorry. Most people don’t have the time or budget to really “do forensics”. For those of you that do, rock and roll. It’s great stuff, and can really help you get to the root of the most difficult infosec incidents. Most business owners don’t give two shits, though. Find it, fix it, get back in business. And this can be done 90% of the time sans forensics.
  • Wireless security I need to make a point on: this ONLY applies to wireless security PRODUCTS. Enabling and configuring inherent wireless security in WAPs and other gear is ESSENTIAL, and really falls under the fundamental category of configuration management. You MUST have strong wireless security, I’m just saying you can usually get what you need with the gear you’re using, as it’s typically built right in.
  • DLP? Ummmmm…..buzzword? If you do most of the other things right, you won’t need it. My main beef with this solution is its lack of maturity, it really does have promise and we DO need to prevent data leakage. But damn that’s one hell of an expensive enhancement to Regex.
  • Log mgmt is like wireless – you really should do it, I am just not sold on BUYING anything to do it. I’ve built homegrown solutions, they worked. This is a “nice to have”, without a doubt. You may really see a need for this one, and I could go along with moving this one down a rung in the hierarchy. Convince me.

Holistic solutions layer:

  • Identity management is the most nightmarish project many of us have ever been exposed to. I have candidly NEVER seen it done right, and there’s probably a plethora of reasons for that. Could it be amazing and enlightening if implemented and architected properly? Hell yes. But it’s just not practical for most enterprises.
  • SSO is in the same boat as ID mgmt, and some would argue it’s a sub-category of ID mgmt in fact. Same logic applies – can be a PITA, and most of us just don’t have the time etc.
  • SEM solutions can be an albatross or panacea, and sometimes both. I’ve used a lot of them, and I have seen a number of cases where these can be the ultimate tools to have and use. I’ve also seen cases where people were drowning trying to get it to work. But for my money, I’ll take SEM solutions as the best investment you can make for getting a good portion of your security house in order.
  • Risk management is 100% integral to our profession, especially those (like me) with a serious business mentality. In fact, if you DON’T do this, you won’t be relevant for long in this field (I’ve ranted about this before). But do you need a SOLUTION? I don’t think so, in most cases. So the moral of the story is risk management is required, risk management solutions are not.

So here’s the rub – I’m not bashing anything on this list. I work with a lot of vendors, I teach this stuff at SANS, I have architected solutions for my consulting clients that involved everything on this list. But if I were pressed to argue what solutions are more important than others in most cases, this is probably how the chips would fall. What say ye?

Categories: Information Security

A Bot by Any Other Name…

March 7th, 2009 1 comment

So the Oak Ridge boys are at it again. No, not the terrible hillbilly group that sang “Elvira” whenever the hell THAT was, but the enterprising geeks at the Oak Ridge National Laboratory. And there’s probably women there, too. Probably. Anyhoo…

They’ve hatched a brilliant scheme to build a massive botnet that will defend US computers. Apparently, said botnet will be managed and controlled by a “hive mind”, and here’s where things start to get interesting: the system, called UNTAME (Ubiquitous Transient Autonomous Mission Entities) will “…be able to form groups, function autonomously and respond almost immediately.”

OK, I am a bit of a paranoid, sci-fi geek. I am totally thinking SKYNET here. Can’t help myself. These things will be able to make decisions on their own, replicate and regenerate! Even the project director, Joe Trien, admits that “…If we don’t put some boundaries on these cybots, they could turn against us. The potential is always there.”

This project is at least two years out, according to estimates. This really reminds me of the whole “Ethical Worm” debate we’ve had in security for years, though. While it sounds like a good idea on the surface (quick, self-replicating remediation and protection capabilities), I think most of us have come to the conclusion that anything self-replicating could be a nightmare. What if things break? What about “downstream liability” if the thing escapes our network? How do you shut it off? You know what they say about the best-laid plans of mice and men…

Full article @ FOX News here: http://www.foxnews.com/story/0,2933,505159,00.html

Categories: Information Security

Infosec Impacts from Understaffing

March 5th, 2009 1 comment

***Update: I have not received many responses from this, so I have created an anonymous Web survey here –D ***

The economy right now is “teh suck”.

I’m not telling anyone something that they don’t know. You can’t read the news anywhere right now without being assaulted with horrid financial news. For any of my infosec “extended family” hoping to retire soon – hope you got it under your mattress, and I’m sorry.

But let’s get back to today. You’re working in information security – maybe you’re the intrusion analyst, monitoring sensors and alerts, or the forensic gal staring into the EnCase console, or the “go to” security wonk who does a bit of everything. Whatever the case, you have a few specialties (most of us do), or things that you have traditionally been tasked with and enjoy or hate doing. There’s the initial premise. NOW…

Back to the economy. Budgets are frozen. Or hacked and slashed. Maybe even increased a bit, BUT…no more headcount. And very likely fewer headcount. So here’s the rub: You’re wearing a lot of hats. You’ve got more responsibilities than ever, some of which you love, others you may hate. The question though: what’s changing in your organization’s security program as a result of too few people to do all the work? On the GIAC mailing list, a fine fellow named Frank suggested that he would be a bit less stringent in his Web filtering policies if he had a little more bandwidth: right now, he’s so taxed that he has no time to reprimand people or debate what sites are questionably OK to allow. He’s getting CRUSHED. And I feel for him – you probably do, too.

So, a few questions I’d love to hear back on:

  1. What types of policy changes and over-arching security philosophy/mindset/risk tolerance changes are occurring as a result of fewer staff?
  2. What types of security operations are taking a hit? Reviewing logs or IDS info less often? Resolving change/exception tickets more slowly for firewall and other access?
  3. What items are first to go out of the budget? Maybe just technology plans, etc.
  4. What tasks are you really trying to automate, and how are you prioritizing? By skill needed? Time needed? Services or consulting costs needed? Etc.

Thanks for reading!

–Shack

Categories: Information Security

“Practical Intelligence” in Infosec

March 3rd, 2009 3 comments

I recently finished reading Malcolm Gladwell’s latest book, “Outliers”. The book examines the reason why certain people and groups behave and perform in certain ways, or why certain events seem to happen to particular groups in disproportionately large numbers. Great book, fairly simple premise. I won’t dig much into the book’s conclusions, leaving that instead for the erstwhile reader.

One section really grabbed my attention, though. In a discussion of really smart people, namely Chris Langan and Robert Oppenheimer, Gladwell examines why they each ended up where they did. Langan, arguably the smartest man alive, is a nobody: he lives in some rural town on a farm, got no real higher education, and has bounced around doing various jobs his whole life. Oppenheimer, on the other hand, ran the Manhattan Project and is widely considered one of the true geniuses of our time. Both, however, are inherently brilliant by the scales we commonly use (the modern IQ test, for example). Both were also presented with some significant hurdles along their unique paths, and the truth of it is that Oppenheimer had far more serious issues to contend with overall.

However, Oppenheimer prevailed where Langan did not. In reviewing the individual cases, Gladwell points out that Oppenheimer had something Langan did not: “practical intelligence”. To quote from the book:

It is procedural: it is about knowing how to do something without necessarily knowing why you know it or being able to explain it. It is practical in nature: that is, not knowledge for its own sake. It’s knowledge that helps you read situations correctly and get what you want.

In short, Oppenheimer could deal with people. Read body language, interpret situations. Figure out the best story to tell to BS himself out of a jam. It’s more than common sense. It’s a learned ability to interact with people and manipulate situations to benefit us the most. How can we think of this in terms of information security?

I’ve been saying for quite some time now that people skills are inherently more important than pure technical skills for both advancing your career and getting the job of security done day-to-day. It’s time to revisit that. First, people promote people they LIKE. People hire people they LIKE. People also tend to want to surround themselves with people LIKE THEM. Get the point? If you are a total goober, who still thinks your soldering iron is your best friend, then a wake-up call is in order: your days are probably numbered unless you’re just absolutely at the top of your game and your technical skills are in high demand.

Second, getting the job of security accomplished takes some politics. It takes some ego stroking. Some subtle manipulation. That’s really true of all the best business “dealmakers” out there today. I’m not suggesting dishonesty, or a lapse in ethics. Just the reality that you can’t be a bull in a china shop and expect people to give a damn about whatever it is you’re saying. I meet way too many supergeeks in this industry, some with real technical skills, who think that’s going to get them ahead forever. I especially love the geeks who can only feel superior by challenging other geeks publicly and trying to denigrate those with a lesser degree of technical skill. These people are sorely confused about, well, lots of things. And they CERTAINLY don’t have any practical intelligence!

Consider a simple example. Just tonight on one of the SANS GIAC mailing lists I am on, a guy was debating the age old struggle between the paranoid security guy and the user who wants to use Facebook a bit during the day. How do you handle this? Block all Internet? Only block some? This is really a totally open-ended question – the answer is absolutely “It Depends”. But working with business units and other organizational players may require some debate and tact. What if the CIO wants to use Facebook? Do you just stick to your technical guns and hope that works out? Errrr…..no. Probably not.

I am a geek. I love technical skills and topics, and read highly technical material voraciously. I constantly play with new technologies and techniques, convinced that this is important. And I really believe it is. But the skill I cherish the most? And the one I’ll be working on more than ever? You got it – my “practical intelligence”, or “dealing with people” skill. It will help me articulate security issues, explain my reasoning, and try to persuade people to see things my way much better than those obscure Unix commands ever will. 🙂

Categories: Information Security, Musings