Archive for the 'Security' Category
Terms I am sick of hearing in security
All security professionals have been there. That meeting where the flashy sales guy spouts off some terms and our upper leadership is sitting, smiling and ready to write checks that the tech guys cannot cash. This works because of some key terms that these polished sales guys love to spout off. So that everyone is warned, I feel it is time we list them all.
Deep packet inspection - Give me a break. All IPS and IDS can do deep packet inspection. This is nothing new so stop talking like it is.
Protocol based security - Really? So you are saying that you do not just watch ports and actually look at protocols no matter which ports they are traveling on? Wow, thank you for saving the world.
Synergistic approach and holistic view - So let me get this straight. You take into account the environment, work with other vendors and do not assume we will deploy all of your product suites? Really? Thank you sir may I have another.
Standards compliant - Ummm OK. So you followed whose standards? Your own? Or did you actually take the time to implement some of the other standards that are defined, but never used?
Best of bread - Whose bread?
What should a security practitioner be?

Over my years in the security field I often get asked, by people trying to get into security, what a security “person” should be. I also get told, by people who are in the field, what they think a security “person” should be. I have never really written a post on it, but I have given my opinion many times. So what should a security person be?
Smart - A security practitioner should be able to adapt quickly and learn on their feet. It is a sad statement, but most administrators are not fully versed in their systems, and a security person must know how the architecture of those systems works so they can advise and write policy.
A good verbal communicator - Most business people do not speak geek well at all. It is up to the security professional to be able to translate geek speak into real business terms. This will go a long way in gaining points with those that can help you make your environment more secure by giving you their support.
Teacher - You must be able to educate people on why they should not do the things that will increase risk. And the phrase “or Hackers will get you!” does not work. For example, most people do not understand the real reasons they should choose a strong password, so they need someone to educate them.
Social - Being social helps avoid the “unapproachable geek” syndrome.
There are some people that believe that security people need to be programmers, authors, accountants or various other things that they are interested in. I would like to take a few moments to give you my opinion of these issues.
programmer - It is nice if your security person can read code, but they really do not have to be programmers. I understand where this comes from, with buffer overflows being a common attack, but it is not really needed. What they must be able to do is understand what they should put in policies to be audited against. Also, if you do not develop your own programs in house you will put the secure coding requirements in contracts, but that does not mean you need to be a lawyer. See Smart from above.
authors - I believe this stems from the fact that security professionals need to be able to educate and communicate. While this is noble, it is not necessary, but it is nice to have. What is important is at least a decent written communication skill set.
accountants - This is one that I really do not understand. I guess it has to do with accounting and auditing practices, but I do not see this one as necessary either.
Keep in mind that these are just my opinions and they are open for debate. I would be interested in hearing yours.
The perception of InfoSec
