It's Not What You Know...

Well, actually it is.

"What you know" is critical here, because this is a security post. "Whom you know" (who? whom?) is *far* more important on the religious side of my blogging :-)

Information Technology (IT) is a fascinating industry. As people jockey for position, I now see an older generation of IT people (35+ years old) and the young upstarts go head-to-head on issues. The "oldsters" say that they have all the experience, and the youngsters say that anything they learned in IT over 5 years ago is of little or no value.

While I agree that the fact that I remember how to low-level format an MFM drive from the machine language monitor (debug;g=c800:5 or g=cc00:5) is of absolutely no value today, the same cannot be said for security knowledge.

I was reading a random article I picked up from my daily trip to Infosyssec (www.ghosthip.com) which posed an excellent question: "What basic security knowledge should be expected from security professionals?" (paraphrased). While some people disparage certifications in general and security certs in particular, this seems an excellent way to identify mastery of security fundamentals.

The problem is that I'm not sure they necessarily do.

The CISSP (Certified Information Systems Security Professional), for example, seems to be an excellent measure for a security officer in a corporate environment, but if one were to rely on CISSP-level knowledge for a security program, there would be significant gaps. As with any certification, it is subject to being both out-of-date and not-dated-enough.

What is needed in a security organization is a combination of good "old school" knowledge (think WarGames), best security practices, and leading-edge vulnerability awareness. Many medium to large companies have modem pools, and yet too often the security team is more focussed on the "sexier" side of security with IDSes rather than wardialing their DID (Direct Inward Dial) space. Inasmuch as IDS probably provides a far better ROSI (return on security investment) than wardialing, too often the old-school telephony stuff doesn't even make the list of concerns.

That *may* change as companies move towards IP telephony. I can see it now: a security engineer is evaluating VOIP solutions and has an epiphany:
"Hmm, I wonder if you can 'scan' VOIP numbers like you can IPs"
"You know, I'll bet there's a way to cycle through these to see if a computer answers!"
"WE GOTTA DO SOMETHING!"
Yeah. It's been called "wardialing" for a few decades now...

What other fundamentals need to be known? I'll be thinking about this, and I'll post a simple quiz in the near future.
