Security Engineers Giving Tricks Away
By Dan Morrill
Expert Author
Article Date: 2008-03-04
Should security engineers and people working in security be giving our tricks away so that anyone can find them online and use them? This is a good ethical debate for security professionals to be having. There are a number of reasons why I think security engineers should be talking openly about hackers, hacking, and protecting your company.
The (ISC)² Code of Ethics (and even though I am not a CISSP, it is a good general ethical standard that people can live with) states: "Identifying, mentoring, and sponsoring candidates for the profession" (ISC2). The idea that by blogging we can find and mentor people who will make excellent security engineers is a given. I have hired two people who reached out through this blog, with whom I developed a personal relationship, and who went through what was effectively an extended interview by tossing issues back and forth. If I did not discuss things openly on this blog, I would have missed those two hires. They have been the best hires I have ever made: by the time they got to the job, I already knew them, knew what they could do, and knew they had exactly the personality and desire to learn I could ever want.
I also want to hire two other people who are regulars on the blog, but they don't want to work in information security. I cannot convince them that a job in information security can be rewarding, fun, and cool. They have already run into security engineers who gave them the proverbial "bad attitude" when it comes to infosec. They are lost to the industry, which is a loss overall; good talent should not be turned off by the people in the industry.
The Code also says: "Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession." (ISC2) This one is trickier; there are people with the CISSP who are a discredit to their profession, and there are people without the CISSP who are equally disreputable. I know this will cause a knee-jerk reaction that I am wrong and all CISSPs are great, but there have been far too many conversations about "paper CISSPs," and too many interviews with people who held the CISSP who would make great auditors but bad security engineers.
The idea of "best qualified" is subjective. The best qualified candidate is usually the kid or adult with a burning desire to learn, to grow, and to understand everything; the person with a lifelong desire to learn. The best candidate is the one who is continually hanging out on Bugtraq and Full-Disclosure and can tell me the Internet threat level today. The worst candidate is the anti-social person who can't think outside the box, wants a Faraday cage before testing any wireless functionality, and whose primary vocabulary consists of "no."
This usually means that I am not hiring the "grizzled veteran" of the information security war. It means I tend to hire young or young-thinking, brash, intelligent, puzzle-solving people who are willing and able to think outside not just the box, but the playing field as well. The bad guys are trying to hire the same people, and succeeding. This is one of the reasons we are seeing a sharp split of information security into two roles.
These two roles are the "crime fighting" role and the "corporate audit and compliance" role, with a touch of application hacking and network hacking in both. This is what makes it all the more interesting: everyone needs someone who can function in both roles, but the verticals, knowledge, and needs of each are distinctly separate from the other.
Should we spill the beans? Yes, yes we should, because if we professionals do not openly and willingly discuss methods that are already out there, the next generation of hackers will get them somewhere else. The more we turn our industry into an ivory tower, the harder we make it for people to get in and do something wonderful. The more we cloister ourselves, the more we come off as arrogant and unapproachable.
The bad guys are talking. The bad guys are running hacking boards and doing the same thing I am doing, with better results. They carefully screen potential candidates, give them things to do to prove their worth, and eventually move them up in the organization: more money, more exciting things to do, some travel, and low odds of getting caught.
We cannot come close to matching the excitement of the hacking underground, but we can educate, inform, and openly discuss the issues that influence the industry. We should be talking about hacks that are common even though they have been out there for years. The same unauthorized database access issues we were dealing with in the 1980s we are still talking about nearly thirty years later. The methods have changed, but the results remain the same.
If we can't get this right, we will have a hard time recruiting, retaining, and creating the next generation of security engineers.
About the Author: Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.