Archive for September, 2017

Infosec Education: What are the “right” credentials?

September 19th, 2017

Well, the infosec community has done it again. We’ve gotten good and riled about something, with (maybe) good reason. In case you’ve been under a rock, here’s the breakdown:

  1. Equifax suffered a massive breach of consumer credit data (started in May 2017 and was announced in September).
  2. The CIO and CSO resigned from the company in the wake of all this.
  3. Many accused the company of being negligent for hiring the CSO, Susan Mauldin, because she has degrees in music, not infosec.

Well, this whole debacle relates to #3. HOW DARE THEY SUGGEST A CISO OR CSO NEEDS AN INFOSEC DEGREE!!?? OR ANY DEGREE!!?? Blah blah blah.

Look, I agree to some extent – but with a caveat. To be candid, I think the mill of “infosec bachelor’s degrees” is bogus. It is unbelievably immature and sends ill-equipped folks out there to do jobs they’re unprepared for. Here’s why this doesn’t work well for many people: Infosec is NEVER an entry-level job. It just isn’t, and the reason is simple:

You must know what you’re securing.

Not at an expert level, necessarily, but reasonably well. So if you don’t know networking, Windows, Unix, some code, and so on, you really aren’t ever going to do well out of the gate, and you could actually damage your personal credibility (and the security organization’s) severely. The whole damn industry is partially at fault for this – we should really sign up bright young bachelor’s degree folks and immediately run them through some on-the-job training in operational areas, if we care enough and can afford it. But this is tough. And it’s been debated a LOT. So rather than repeat a lot of other smart folks on this topic, I’ll get to the caveat.

The caveat: Higher education has a ton of value. A master’s degree or higher in infosec could actually augment your knowledge and skills dramatically. In full disclosure, I am on the Board of Directors for the SANS Technology Institute master’s program. I’ve worked long and hard, alongside a lot of people much smarter than I am, to create a program that actually means something and proves a master’s degree holder can actually DO some shit. But this kind of degree comes with experience – we don’t have any real “junior” people getting that degree. Could they? Sure. We don’t block people because they’re younger, etc. But an infosec “degree” should really augment your real-world experience and ride alongside it, perhaps filling in gaps, improving your personal and career maturity, etc.

Which brings us back to the issue. There ARE no “correct credentials” for infosec. Curiosity, problem solving, and a track record of actually doing good work in the field – that should really be it.

As usual, Daniel Miessler has done a far better job than I ever could really nailing down this issue – check out his blog here for more information, which is really a good (short) read.


Where are the “Actionable Defense” talks?

September 4th, 2017

This year, for the first time, I did not make it to DEF CON, B-Sides Las Vegas, Black Hat, etc. I was bummed, because this has been a yearly pilgrimage for me for a really long time, but there was too much work sandwiched on both sides of it.

Naturally, I was thinking, “What did I miss?” Aside from seeing friends and getting up to shenanigans, of course. As for talks, I went looking for some that had a few criteria:

  1. Focused mostly on defense
  2. Immediate tools, tactics that can be put to use

That’s it. Nothing fluffy there. I asked people on Twitter about their experiences, too, and got a few good responses:

  • @sarapeters pointed me to the InSecurity conference lineup from Dark Reading…which looks very defense-oriented (if you can stay awake through the compliance talks): http://www.schedule.insecurity.com/list
  • @oh3px pointed out two talks that were “actionable” (not all defense, but good examples). One was on attacking a DevOps CI/CD pipeline by @spaceB0xx: https://t.co/u8SFc4W9yZ and a DFIR DC workshop by @AlanOrlikoski: https://t.co/76zUyCo02g
  • @cyphermike mentioned “Lee Holmes (@Lee_Holmes) talks at DEF CON and blue team stuff in packet hacking villages”.

And that, folks, was about it. Here’s the full list of DEF CON talks: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/

I don’t have the time to go through them all, but a huge number are all about attacks, exploits, “weaponizing” this or that, “owning” this or that, “offensive” such and such. Nice.

I’m not trying to pick on DEF CON – far from it. I’ve always had a great time there, and it’s one of my favorites. Given that I think most cons are a massive waste of time, that’s saying something. But if I am your employer, and you ask me to send you to something that I am paying for, what do I get out of it? What can you come back to work and actually DO?

Can we be honest for a minute? Most of y’all aren’t pen testers. You’re not exploit writers. You’re not “weaponizing” a fucking thing. Hacking is cool. It’s sexy. Apparently, defense in depth, innovative security architectures, improving on the classic blocking and tackling stuff…none of that is worthy. You hate hearing that horrible cliché about how “we’re losing”? Well, this may be a factor. We all get so excited about the latest exploit or hacking technique, but very few of us are actually in positions that use any of that shit. So folks go out to the desert, get drunk, nerd out with friends for a few days, and have almost nothing to really show for it in terms of true impact on their respective organizations. Does that make it bad? Intrinsically, no. But out of all the talks I see, especially at BH/DC, very little tells anyone how to defend something.

We *DO* need some stunt hacking, future thinking stuff. The latest info on pacemakers needing firmware updates confirms this. But we really need a lot more emphasis at some of the biggest cons on defense, and people being able to walk away with real, actionable skills and ideas for improving DEFENDING. No, this is not a thinly-veiled argument for training – that’s different. This is basically me just ranting about how most of the con talks these days are offense, and while that whole “offense informs defense” thing has some merit, it’s really not applied often.

If y’all have been to some good talks about defense, that left you with tons of notes, ideas, and specific tactics you could immediately use back at the ranch, I would LOVE to hear about them in the comments.

/out

UPDATE: Got a response from Lee Holmes (and updated his Twitter handle above). Good to hear re: Derby.
