One for the n00bs

October 21st, 2009

We’ve all been a n00b at some point. I don’t care who you are, at some stage of the game you didn’t know much, or started a new gig, or tried something for the first time in full view of other people, or whatever the case may be – you’ve been a n00b. My friend Raf Los at HP, whom I’ve known for years and who has been through the security gamut just like me, posted a really interesting semi-rant the other day. His observation? We crusty security types kind of suck at letting new people into the club. I don’t know about most of you (well, actually I do), but I hated cliques in high school. The “you can’t sit at our lunch table” crowd. The “we’re having a massive party at XYZ’s house tomorrow night, and you can’t come” crowd. Yes, we all know who I’m talking about.

We’ve kind of become that crowd.

We’re not welcoming, or mentoring, or open-minded about new people coming in. Be honest – when was the last time someone arbitrarily asked you to guide them or lend some experience, where you really went out of your way to help them learn about infosec? This is, of course, for all you crusty types like me. Well, I was pretty lucky, I guess – I had a few really kick-ass people who let me ask a plethora of questions in the early days, and really bolstered my confidence and desire to keep forging ahead: Lampe, Herb, Jimmy the Slick…I’m talking to you.

So I have some advice for the n00bs. Those of you that aren’t truly n00bs anymore may want to check out an earlier post of mine called “Career Tips for Security Geeks.” N00bs, read this first, then read that one too. So here goes:

  1. Please please please please PLEASE do not come out of school with a degree in “Information Assurance” or some other bullshit and tell me you are a security professional. You are not. You are either a) still my intern for another year until I have hazed you sufficiently, or b) the new anti-virus admin. Yes, I’m serious. Experience and technical skills count in security – I’ma let you finish, but first you will be starting at the bottom rung of the ladder if all you have is said IA degree and a will to learn. This leads us to…
  2. Show me. Yep. Don’t talk theory, or concepts, or God forbid mention wretchedness like the Bell-LaPadula Model. Help me get security in order. Models don’t actually DO anything. They’re great for drunken whiteboarding sessions. And CISSP exams.

At this point, you’re thinking “Wow – Shack said he was going to help us out! He’s being one of those clique-ish types, though!” Well…not really. That’s all the harshness I’m giving out, and there are good reasons for this advice. Well…one more: don’t get cocky. We’ve got way too many cocky folks already, and we’re trying to change the dynamic. So here’s some more practical advice for the n00bs:

  1. Really, the best security people came from some other backgrounds. I really think you should spend a few years doing something else first. Coding, systems admin or network admin, DBA, etc. How can you secure stuff when you have no experience with it? Security isn’t all about IDS, pen testing, etc. The most important security is mitigating risk in regular old technology design and use, and you should have some hands-on time with THAT before you go saving the world.
  2. Understand the following: TCP/IP, Cisco IOS, Windows admin (basic), Unix admin (basic). Pick a scripting language and endeavor to become a little bit proficient with it. Not a lot, that’s OK, but a little Perl-Fu or Python-Fu or Ruby-Fu or just Shell scripting-Fu can go a LONG way. These are basic skills. What about security? Re-read #1 above. Now do it again.
  3. Allocate $500 and go visit your friend Or better yet, roll Ramen noodle style and get used books by perusing titles at It rocks. What to buy? Hacking Exposed, latest edition. Counter-Hack Reloaded. Network Security Hacks (2e). Everything written by Richard Bejtlich. Malware (Skoudis and Zeltser). Security Engineering (2e). Applied Cryptography. This is a good start, look for others too – read them and keep going. Plan on spending $50-100 a month on books.
  4. Understand how to lock down operating systems. Read the CIS benchmarks, DISA STIGs, and vendor guides from M$ and others. This is 101 stuff, and you need to know it WAY before you get to the “sexy” things like pen testing.
  5. Become familiar with a packet sniffer of your choice. Wireshark is good. So is TCPdump. Both are free, and you can start breaking down packets and looking at them to see what the hell is going on.
  6. Learn about Snort. Spend a month or so installing it, tweaking the configs, learning about rule creation, planning architecture and so on. Will it be your only IDS? Maybe, maybe not, but it’s the best for the $$$ and you need to learn.
  7. Download the Backtrack security assessment toolkit from Load it up in a test network (repeat – test network. Did I mention test network?) and start running some tools to learn about scanning (nmap, hping3), vulnerability scanning (OpenVAS, maybe Nessus for local scans or if you have a license), and pen testing with Metasploit and exploits from Milw0rm and others.
  8. Plan on going for the SANS GSEC certification. Forget about your CISSP or anything else right now, you need a solid set of fundamentals, and the SANS Security Essentials course is your best bet. I teach for SANS, full disclosure, but I endorse this with no bias whatsoever – it really is the best for newcomers to the field.

You now have the basics. Specialties, like code security, Web app security, pen testing, network security, etc., all come a bit later. I won’t go into all that here, but you should be waking up every day with a fire under your ass. READ! Check out blogs and sites like,,, and others. Listen to Paul, Larry, John, Carlos and gang at to get in the spirit of things. And when you tell someone you are new to the field, and you have a legitimate question that they can help with, don’t let their lack of social skills get in the way. If they won’t help you, find some of us that aren’t worried about impressing the clique and we’ll help you. I got my OWN lunch table. And you’re invited. Unless you have, like, body odor or something. Then you’re not.

Random Thought: We Should Not Tolerate Zero Tolerance

October 14th, 2009

So I was, as usual, inspired by everyday events and news to relate to the infosec community. In its own way, so many of the things we encounter day-to-day have parallels in our security community…but I digress. The topic of the day is “zero tolerance” policies. I recently read an article about a nice young man named Zachary Christie. He’s a good student, learning karate, and a Cub Scout. He’s also a criminal. Well, at least in the eyes of his school system. Why? He had the AUDACITY to bring a fork/spoon/knife camping utensil to school to use at lunch and show his classmates. Zachary, incidentally, is 6 years old. SIX.

I could understand a gentle reprimand. The ol’ “We have a policy here” talk. But Zachary didn’t get that. Nope, this hardcore 6-year-old got suspended for 45 days! With the last week in solitary confinement for shanking a fellow inma…errrr, student! OK, I’m kidding about the last part. But the point should be clear – 45 days for this offense is actually punishing the student (very excessively), the parents (who will have to accommodate him with work schedules), and any rational, thinking person in the USA. That’s right, we’re all being punished because this makes us realize just how stupid we can be. And that hurts.

So. What about infosec? Well, we infosec people are policy creators and enforcers. Influencers, too, in many cases, but that’s less relevant here. I’ve had some really interesting conversations in the past with SANS students and Advisory Board members on this same topic. Some are all for draconian policies. Yaaar, matey, walk the plank! Others take a less heavy-handed approach. Which is right? Well, in my opinion (and we all know what THAT means), there are a few policy areas where we must be 100% black and white:

  • Theft or intentional mishandling of sensitive data (PII, Trade Secrets, etc).
  • Possession of child pornography.
  • Intentional hacking or circumvention of access controls to do…anything.
  • Espionage.

That’s it. Yep, really. Supporting evidence plays a big role in most (if not all) of these, so even these may not be completely cut and dried. Generally, though, it’s a safe bet to have clear violation rules in place for any of these. What about others, though? What about all those myriad policies that we have painstakingly written that everyone in the organization hates? Some make sense, sure, but there are probably some that should be handled on a per-case basis. Many people in many organizations hate security people. Some of you will say “so what?” I say – you’re losing the game. People WILL get around you one way or another, and if they hate you they will try 10 times as hard. I’m not advocating being wishy-washy, and there are plenty of reasons (governance, compliance, industry standards, etc.) why certain policies should have less “wiggle room” than others. But if we always approach policy with a “my way or the highway” attitude, we are going to isolate ourselves even more in infosec, and that’s a tragedy. Just something to think about. </rant>

