Thursday, July 18, 2013

a breakout of breaking in (to infosec)

Someone asked me recently how to "break in" to Information Security from another IT field. Thinking my response might be useful to others, I'm sharing it here.

Note: a colleague corrected me on the number of years you need in the industry for the cert...thank you!

Hi Dave,

Thanks for contacting me and I hope you're well. Here's some information on how to break into Infosec. 

I got lucky, I got into Infosec when it was a new thing, but now it's a pretty competitive field. The most important thing is to have a certification, because the US Government has decided that's how to tell if someone knows what they're talking about, and the rest of the country has followed suit. 

There's more than one certification, but the one that has the most prestige (currently and for the last 15 years) is the CISSP, administered by ISC2. You can find out a lot of information on their website, but here are the basics:

  • Along with the certification is the expectation that you have worked in the field of Infosec for five years (in two of the "domains", listed below). If you have not worked in the field for five years, you can still be awarded the certification as an "Associate". It's the same as the full certification, and when you've been in the industry for five years, you're a full member without having to do anything else. You can also possibly get a year "off" this requirement if you have (for example) a degree in Infosec or another related certification.
  • The certification period is for three years, after which, if you've fulfilled certain requirements, you will be recertified. If you have not fulfilled the requirements, you will have to retake the certification test. You don't want to have to do this.
    • Each year you have to pay an $85 annual maintenance fee. Currently, they're letting people defer the fee until the recertification period, meaning that you can choose to pay three years' worth of fees all at once (with a small discount). Some companies will allow you to claim the fee as an expense.
    • During the recertification period you also have to earn Continuing Professional Education points, or CPEs. You need to earn 120 every three years and at least 20 per year (i.e. you can't earn them all in the last year). This is to prove you're staying on top of the industry. Earning CPEs is really easy; you typically get one for every hour you spend doing something related to the industry (aside from actually working). So if you attend online classes and webinars, go to conferences, write articles on Infosec, read/review books, and so on, you'll have no problem. I'm usually drowning in CPEs. 
  • It's not necessary, but it's a really good idea to take some sort of training for the CISSP exam. This could consist of buying one of those thick books with the CD in the back, or you could take live or computer based training. This can vary in price, but as an example, what ISC2 charges for their Live Online Seminar series is $2,495. In comparison, their official textbook is $79.95. 
  • ISC2 does have, for free, a webinar series to give you information on what you need to know for the exam. You can sign up for this at
  • The current price for the CISSP exam is $599, and they give you six hours to take it in (I don't test well, and I needed about four). You can take it online, which wasn't an option when I took it, or you can take it at a test center. Typically if you take a training course, the course offers an opportunity to take the exam at the end, and I would definitely recommend doing this if you took a class. Otherwise it's more convenient just to schedule the test online and take it in the comfort of your home. 
  • The exam is 250 multiple choice questions, 25 of which are unscored experimental questions (they're always changing the content of the test). A scaled score of 700 out of 1,000 is a pass; however, you are not told what your score was when the test is graded, just whether you passed or failed.
  • The content of the exam involves knowledge of ten "domains" of expertise:
    • Access control
    • Telecommunications and network security
    • Information security governance and risk management
    • Software development security
    • Cryptography
    • Security architecture and design
    • Operations security
    • Business continuity and disaster recovery planning
    • Legal, regulations, investigations and compliance
    • Physical (environmental) security
  • Once you pass the exam, you must find another CISSP holder in good standing to endorse you. This should be someone who knows you well in a professional capacity. 
  • There is a "junior" version of the CISSP, the SSCP, but there's no sense in getting it - you're much better off with the CISSP.
Having a CISSP will automatically open a lot of doors, because without it, most employers won't even talk to you about Infosec jobs. If you can demonstrate that your CISSP plus a knowledge of good coding practices makes you more valuable than someone who (for example) has been working in Infosec longer but doesn't have as diverse a background, you'll be in good shape.

In Infosec, you will never make BAD money. I had issues finding work in the Hampton Roads area, but that was because I didn't have a lot of gov/mil experience, and that's what that particular area demanded. The NY/NJ corridor has a lot of opportunities in the private sector. 

Once you've decided to definitely go for getting your certification, I have some useful employment contacts. My employer is great and I really love working for them. They won't pay any of your certification-related fees, though, which is typical of smaller gov/mil contractors. A lot of private sector companies will pay those fees. 

Please let me know if you have any questions about any of this. I'll be happy to help out however I can.

Wednesday, June 26, 2013

Were You Surprised About The NSA?

Spying on Americans isn’t new. What’s new is that somebody blew the whistle.

The big news in the Federal government for the past month has been the latest leak, i.e. Edward Snowden revealing the NSA’s PRISM and all that entails. There have been a host of denials, both from the NSA and from service providers, and a lot of people are very upset about the possibility of “their data” being spied on by the government.

I’m a little less naive about the situation. For one thing, I’m quite aware that once I’ve posted something somewhere, or used a “cloud” service, that data is no longer “mine” in the way that (say) my jewelry is mine. Perhaps it should be, but it isn’t, and to think that an entity as powerful as the NSA isn’t accessing “your” data in whatever way it wants shows a great deal of credulity. There has never been a time when the US government was unable to spy on civilians, nor any reason to think it has not been doing so. Up until recently, what has mitigated the situation is that there was simply too much data to be analyzed for such spying to be useful without a definitive target. Now there’s reason to think that’s no longer the case, and that’s all that’s really changed recently. Big data and the power to crunch through it has its disadvantages.

The really amazing thing about the leak is that it happened, that somebody had not only the ability to find out hard data about the NSA’s activities but the ability to get away (so far) with it. The government has used the former fact to downplay the importance of the leak and/or try to outright deny that Snowden accomplished anything significant. That strategy having failed, they’ve tried to justify the surveillance. That strategy isn’t really working either, mostly because the Obama administration has more than once stated that it is justified in continuing Bush-era surveillance and defense programs instituted soon after 9/11, and the public is fed up with it. PRISM is seen as one more example of the current administration’s overstepping itself, whether or not that is true.

Snowden has stated that he was inspired by other whistleblowers, such as Bradley Manning, a soldier who has been denied due process for his alleged crimes. Manning, however, simply took advantage of a glaring lapse in security, whereas Snowden’s actions took more expertise (a lot more, I hope, frankly). It’s actually hard to say what motivated either man. The idea that the NSA might actually cease to conduct surveillance on American citizens is laughable. The only thing that’s fairly obvious is that Snowden was very aware of what he was doing, and what might be the result - for him - of his actions (something that was never clear about Manning’s decision to leak data).

Not surprisingly, Snowden’s actions - so soon after Manning’s, and with Julian Assange’s future still in doubt - are being seen by many as heroic, even when Manning’s and Assange’s were not. It’s almost funny that the public is more horrified at being spied on than it was at “Collateral Murder”. Funny for those of us who weren’t surprised by it, that is.

Thursday, March 21, 2013

What the Government Needs vs. How the Government Thinks

The Federal Government is trying to update its approach to security; will it succeed?

At the end of 2010, the then-CIO for the US Government, Vivek Kundra, published a paper outlining 25 points to reform Federal IT Management. I’d heard of it at the time, but not read it. However, with the President having recently signed the sequestration order into law, it’s being passed around again with “where are we now and where are we going with this” notes attached.

There's nothing wrong with the paper, per se. In a nutshell, it says that the government should focus its energies on programs that yield obvious benefits, and on hiring programs that will attract rising IT stars. The problem is that, for the most part, the Federal government has no idea what will attract such people to work for and with it. And the reason for that is that the way most IT professionals - especially the young geniuses that the government is hoping to snare - think is the complete antithesis of how the government works, and vice versa.

Like any generalization, of course, there are exceptions to what I’m talking about. There are certainly a lot of brilliant people whose way of thinking is not antithetical to the way the government works, and many of those people are in fact working for the government, or working for companies that support the government. And there are some people who, regardless of the fact that they don’t have a meeting of minds with the government, will still choose to work for it in some capacity, for various reasons. But it’s very unlikely that the government will be able to attract the sorts of people that Kundra’s paper is talking about, at least in large quantities. The fact that the government representatives who talk about this hiring concept don’t realize how unrealistic they’re being is rather worrying.

There are several reasons why the government won’t, for the most part, attract the best and the brightest young minds in IT. First of all, as I’ve mentioned, there’s the fact that the government way of thinking and doing things is antithetical to your typical hacker. (Note to the reader: if you feel that the term hacker is pejorative, then you are not one.) This isn’t true in all cases, and certainly a number of us feel that it’s worthwhile to try to work from within the government system, but I’d venture to guess that those of us who chafe less in the government are a bit older and more staid than the “cyberninjas” the government is trying to attract (most of whom ridicule that term). The government already has a lot of people in its employ who might be able to fit their idea of “cyberninjas”, but the government is not willing to spend the money to train them.

And this lack of desire to spend money where it would do good leads to the second problem: the government works by spending the least amount of money possible to achieve the best result it can. If a particular company or entity is the lowest bidder on a project while promising the same or a better result, that entity will be awarded the job. Because the citizenry are the ones paying for the project through their taxes, that’s the way it has to be. However, it doesn’t give the government a lot to work with in terms of attracting “cyberninjas”, who can make a lot more in the private sector. In general, a government job is comfortable and secure, but it can’t match the perqs and thrills that come with being a famous name in IT culture. In fact, the government would frown on a lot of those perqs and thrills (which brings us back to the difference in mindsets), and it wouldn’t want to or be able to fund even those it would not frown on (such as extensive traveling to security-related conferences and training).

A third issue is something I touched on in my previous article about Continuous Monitoring. The Federal government is so focused on compliance that it’s seemingly forgotten that there’s a lot more to security. I see a lot of people saying “what is the right thing to do” and other people saying “it says right here that...”. Adherence to policy is necessary and I’m not trying to knock it, but it’s not the be-all and end-all of securing information. The government as an entity may know that - although I’m not taking any bets - but I would estimate that 99.9% of the people who are actually in the trenches doing security don’t have the first clue how to proceed, other than finding out what the policy is so they can tell other people how to adhere to it. And that is a problem.

Vivek Kundra’s paper was written only a couple of years ago, and it’s still very germane. However, I’m not sure how realistic it is. Kundra has himself returned to the private sector, but I wonder what he thinks now, especially about methods to attract young and brilliant IT professionals. The government really needs fresh blood, but I’m not sure it will know what to do if it can get what it needs.

Wednesday, January 23, 2013

Continuous Monitoring: You’re Doing It Wrong

The Federal Government is not really sure what it’s talking about. Are you?

[This article also appears at Great Lakes Computer.]

One of the surprising challenges of being an Information Security professional is keeping up with the current buzzwords and jargon in the industry, and it’s made more difficult by the fact that not everybody uses those terms in the same way. For instance, given the posture of an organization and whether or not it’s sales-based or based on something else (research, defense, etc.), the term Data Loss Prevention (DLP) can mean different things. However, when I went back to work for the US Federal Government, I thought that Continuous Monitoring was one term that was clear as crystal.

It turns out, however, that the government, which of necessity places a huge emphasis on regulatory compliance, is using the term in an entirely different way from the commercial sector. Continuous Monitoring, as used by the private sector, is actually a relatively new concept, and that’s because it’s only really been in the last few years that we could spin up machines with enough speed and power to do the job in real time.

What Continuous Monitoring should mean is a way to watch what’s happening on your network in real time, integrated with logging so that you can go back and follow patterns, graph anomalies, and so forth. For instance, a good CM setup should tell you when most of your users are using social media, or if there’s a spike in activity to or from a certain address, and so on. The information has always been there, but it’s been hard to find, and now we have the means to automate grabbing those details and presenting them in such a way that network and security admins can form a much better mental picture of what’s going on.
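To make the "spike in activity to or from a certain address" part of that concrete, here is a small detection routine written for this page as an added example; it is not code from the original post or from any government or vendor tool. It assumes a constructed connection-log format ("timestamp src -> dst bytes"), buckets lines into one-minute windows, and flags a destination when the current window's connection count exceeds a trailing baseline (mean plus k standard deviations of all earlier windows, with a minimum-count floor so a quiet address is not flagged off a baseline of zeros). The sample log lines are constructed, not real traffic.

```python
"""Per-window spike detection over connection-log lines.

Added example for this page, not the original post's code. The log format,
the baseline rule and the sample lines are all constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src> -> <dst> <bytes>" (assumed format).
# Four minutes of background traffic to one host, then one internal host
# opening eight connections to a new address inside a single minute.
SAMPLE_LOG = """\
2013-01-23T09:00:05 10.1.1.10 -> 203.0.113.7 1200
2013-01-23T09:00:40 10.1.1.11 -> 203.0.113.7 900
2013-01-23T09:01:10 10.1.1.12 -> 203.0.113.7 1100
2013-01-23T09:02:30 10.1.1.10 -> 203.0.113.7 1300
2013-01-23T09:03:15 10.1.1.13 -> 203.0.113.7 1000
2013-01-23T09:04:02 10.1.1.10 -> 198.51.100.9 4000
2013-01-23T09:04:05 10.1.1.10 -> 198.51.100.9 4100
2013-01-23T09:04:09 10.1.1.10 -> 198.51.100.9 3900
2013-01-23T09:04:12 10.1.1.10 -> 198.51.100.9 4200
2013-01-23T09:04:20 10.1.1.10 -> 198.51.100.9 4000
2013-01-23T09:04:31 10.1.1.10 -> 198.51.100.9 4300
2013-01-23T09:04:44 10.1.1.10 -> 198.51.100.9 4100
2013-01-23T09:04:58 10.1.1.10 -> 198.51.100.9 3800
"""


def parse_line(line):
    """Parse one constructed log line into (minute_window, src, dst, nbytes)."""
    ts, src, _arrow, dst, nbytes = line.split()
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return t.replace(second=0), src, dst, int(nbytes)


def per_window_counts(lines):
    """Return (sorted minute windows, {dst: Counter(window -> connections)})."""
    counts = defaultdict(Counter)
    windows = set()
    for line in lines:
        if not line.strip():
            continue
        window, _src, dst, _nbytes = parse_line(line)
        counts[dst][window] += 1
        windows.add(window)
    return sorted(windows), counts


def find_spikes(lines, k=3.0, min_count=5):
    """Return [(dst, window_iso, count, threshold)] for windows where the
    connection count to dst exceeds the trailing baseline.

    Baseline for window i is mean + k * stddev over windows 0..i-1, with
    windows in which dst did not appear counted as 0. The min_count floor
    stops an address seen for the first time (baseline all zeros) from being
    flagged on a single connection; the first window has no baseline and is
    never flagged.
    """
    windows, counts = per_window_counts(lines)
    spikes = []
    for dst, per_win in counts.items():
        series = [per_win.get(w, 0) for w in windows]
        for i in range(1, len(series)):
            prior = series[:i]
            threshold = max(min_count, mean(prior) + k * pstdev(prior))
            if series[i] > threshold:
                spikes.append((dst, windows[i].isoformat(), series[i], threshold))
    return spikes


if __name__ == "__main__":
    for dst, window, count, threshold in find_spikes(SAMPLE_LOG.splitlines()):
        print(f"{window} {dst}: {count} connections (threshold {threshold:.1f})")
```

On the sample above only 198.51.100.9 in the 09:04 window is reported; the steady one-or-two-per-minute traffic to 203.0.113.7 never clears the floor. In a real deployment the same shape of logic runs over a streaming feed with a bounded trailing window rather than "all earlier windows", and the bytes column is worth a second series for exfiltration-style spikes where the connection count stays flat.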

However, NIST and the Federal Government have made this term their own, and they mean something completely different - and far less useful, security-wise - by it. I think that the government’s use of the term completely misses the point and buries CM under a pile of compliance paperwork, and the result is that nobody is really watching the network the way that they should be.

What the government means by Continuous Monitoring is looking at the NIST-defined security controls - policy statements dealing with regulatory compliance - for a given network and deciding if they are applied correctly, given the threats list that the government subscribes to and the vulnerabilities that routine scans discover.

NIST does define CM as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions”, which sounds as if it would fit in with the automated approach that I described briefly above, but the problem is that most of the people who are actually responsible for performing this monitoring are using completely manual methods to demonstrate compliance. For instance, I have been told that presenting auditors documented evidence of testing security controls in small batches over time constitutes Continuous Monitoring because it shows “continuous” action promoting the security of the network I’m responsible for. I suppose it doesn’t hurt, but that’s not what CM should be.

Change is slow in the government, but I’m hopeful, as many agencies (including mine) are installing new vulnerability and monitoring solutions that I think will really be an eye-opener on the subject of CM. Compliance is important, but it doesn’t define Information Security; it’s just one part of the whole.