Archive for May, 2014

A Hacker Looks at 40.

May 29th, 2014

Wow. It’s finally happened – the fabled 40th birthday that everyone loathes. It’s upon me. At 40, I think you’re supposed to reflect back on what you’ve done, what you’ve accomplished, what’s been good and bad, and where the hell you’re going in life. Right? OK, this will depend largely on the individual, but 40 feels like a pretty damn good spot to reflect. Why not?

Some of you will say “40? WTF? That’s nothing.” And you know what? You’re right. 40 IS nothing. It’s been the most amazing ride so far, and things are only getting more interesting. So…a few observations on infosec, life, and the big picture. Warning: opinions ahead, and I get it if this is content easily skipped.

First, the industry we’re in. WOW. What a shit show. Who could have known what it’d turn into – I remember how I got into infosec, and never for a second thought it’d be this. So first, I was a fucking nerd as a kid. I wrote computer games in BASIC for the Commodore and Atari systems, most of which consisted of “What do you do? Turn left. Well, you die!” So yeah…game designer was out. I exploded shit in my basement as a kid with my chemistry set. I also took apart every electronic thing I could get my hands on, and *sometimes* put them back together. I was born to be a hacker, and that is all there is to it. So when one of my college professors hired me into a large Fortune 500 program, I had no idea what I was getting into, but security felt RIGHT. And today? Man, who could have imagined this?

I get bored easily. REAL easily. I need mental stimulation, and boring ass IT gigs sucked for me. Can you imagine being a day-to-day Exchange admin? That’s a “wake up in a cold sweat” nightmare for me. Day in, day out, Exchange. GAWD. So infosec? Yeah, it is volatile, and messy, and changes all the time. Thank goodness. I think change keeps you fresh, and this industry is just insane.

I miss some of the “old days”. I think it’s natural for some of us “old schoolers” who did infosec in the 90’s (or before). Back then, people had to innovate “solutions”, and actually understand sysadmin roles, technology, and maybe even code. Today, that is more rare than ever. We have pockets of brilliance…surrounded by an ocean of “just got my information assurance degree” bullshit that belies total lack of experience and real technical competence. Some of that is likely me being old and curmudgeonly, but damn…don’t talk security until you have done the actual work, or at least SOME of it.

So at 40 – how am I feeling about my infosec career and life in general? Let’s start with infosec, naturally. Infosec is the most incredible gift I could ever have received. All cynicism aside, it pays well, is dynamic, and more than anything…I love you people. Many of you are not just assholes, but FUCKING assholes. Some of us assholes NEED other assholes to hang out with. I love the vitriol, technical condescension, and pathetic attempts to deflect Twitter comments from your employers. You’re good company, and challenge the status quo…which is exactly what the industry needs. The ridiculous focus on all these stupid ass conferences? Not so much. But…you take the bad with the good.

What about life in general? Well, I’ll keep it short. I have far exceeded all of my wildest dreams. I have no real regrets at all, even though I’ve done some of the dumbest shit you’d ever hear about (most of which will remain private). I have an incredible wife and daughter, a few good friends, a lot of insane hacker acquaintances, and a good paying gig that I absolutely love. So all is well with the universe.

What advice could I offer? Heh. If you take advice from me…a big grain of salt should be involved. But in general, a few things I’ve learned along the way:

  1. Learn more. Constantly. If you are chillin’ with your skills from a few years back, no. Advance, learn more, or find a new gig. Infosec does NOT need dead weight.
  2. Make sure you have thick skin. If you are easily offended, or get worked up about critical comments and such, you need to toughen up. This is not an industry that cares about personal feelings. Good and bad, true, but it is what it is.
  3. Make as much money as you can. Seriously. Don’t be lulled into this “greed is bad, do it for the community” horseshit. You are in a very in-demand industry, and SOMEONE is going to make great money at it. Might as well be you. So do this.
  4. Do not make infosec your life. It’s a job. One you can, and should, enjoy SO MUCH. But your REAL life? That’s other things. If it’s not, you are putting all your eggs in one basket, and that directly defies some-or-another CISSP principle, I’m pretty sure. Seriously – get out more, explore hobbies, and think about the other part of your life that does not involve infosec. If there’s not one, you need to develop one.
  5. 1’s and 0’s are our work life. But step back. Look at the PEOPLE. Your family, friends. This is what matters most. Appreciate this more. Yes, you can.
  6. If your health sucks – change it. You cannot live a full and awesome life 200 pounds overweight and miserable. There’s nothing awesome about being a walking heart attack – and no, I’m not telling you to become a fitness nut. I am one, but that’s irrelevant. This is your LIFE. Your body lets you enjoy it. So take care of yourselves, people! I want to have a drink with you at DEF CON, and if you fucking die, that won’t happen. 😉

All in all, this hacker is looking at 40 with an incredible perspective on life. I’ve had severe highs and the most guttural lows along the way, but I would not trade my life for anything. I hope you feel the same. Cheers.

Categories: Information Security, Musings

“Back to Basics”: What does this mean?

May 25th, 2014

Recently, a pretty good-sized conference was held over in Europe called Infosecurity Europe 2014, and quite a few people I know were attending or speaking there. Two colleagues at SANS, James Lyne and Dr. Eric Cole, were both in attendance and talking to the press. At some point during their respective chats, both mentioned the idea that we should “get back to basics” in infosec. It really got me wondering, “WTF does that even mean?” This is such a cliché today, I think we may have lost sight of what the hell we’re even talking about when we say “let’s all just get back to basics”.

To be clear, both Eric and James are friends, and people that I have a lot of respect for. This really has nothing to do with them – they were just catalysts for me pondering the issue. In a post about Eric’s comments, he states that “…organizations seeking good security must return to the basics: asset identification, configuration management and change control.” In an article discussing some of James’ research and thoughts on security today, he states, “Security issues that we’ve known about for more than a decade are still a widespread problem that needs resolving. We need to get back to the very basics.”

So what ARE “the very basics”? And how exactly do we “get back to them”? Before giving my opinion on this, I think we run a real risk of oversimplifying what has become a very complex discipline. Times change, and “basics” do too. In the 1980’s or 1990’s, infosec “basics” were likely all about hardening operating systems and setting passwords for accounts, as well as limiting access and privileges. Today? I’d argue that only scratches the surface of “basics”. To adequately cover the “basics” of infosec, I think any organization, regardless of size, needs to include the following in their program:

  • Inventory management
  • Configuration management
  • Change control
  • Network access control and traffic filtering
  • Network intrusion detection/prevention
  • Host-based malware detection/prevention
  • Security policy
  • Security awareness
  • Incident response
  • Vulnerability management (emphasis on scanning and patching)

This can easily be argued, likely successfully. Should web app assessment be on this list? Secure coding? Pen testing? Forensics? The list could go on and on, but in my opinion, these are the foundational elements that every security program must have. So here’s the question – have we really gotten away from these? If so, what are we spinning our wheels with? Next-Gen thingamajigs? “Advanced Malware” detection and prevention platforms? Cloud and virtualization security architecture and design? Identity management? Encryption and PKI? DDoS defense? I don’t think we’ll solve our problems in infosec by trying to categorize one or more activities or tools as “basics” and focusing there, candidly. Not anymore. All of these things have merit, depending on your organization. No, I don’t think we need to get back to the basics. I think we need to get there for the FIRST TIME. Let’s face it, we’ve never had this licked. Things are more complex than ever, and we didn’t have a grasp on security when the environment was much simpler. The solution? There’s not one – not an easy one, anyway. We need more tools, more people that have real technical skills and who understand security across a lot of technologies, and more commitment from operations teams to help nail this down. So let’s drop the word “back” – let’s GET to basics first, and then we can optimize.

Categories: Information Security, Musings