Security? That's Obscure!

Is it me, or has information security completely changed? To give you a bit of background: I live, breathe, eat and sleep computer security. I'm not one of those "masturbating monkeys", as Linus puts it (I was going to write this blog post before Marcel told me about his rant about security guys).

I do intrusion detection, protocol analysis, threat and risk management; I also do digital forensics, etc. I get my hands dirty wherever I can. I'm not one to point out an issue and say "fix it" - I prefer to get in there and work with the people in the know to fix the issue as well.

I commend Dan Kaminsky for the epic work done on the DNS flaw - I only wish I had sent that email to him on the second day after the biggest co-ordinated patch release in history. I had almost nailed the issue.

But that's not what this rant is about. I remember a day when security people were feared - if someone from IS was coming, it probably meant something you were doing was wrong, and you hoped they passed your desk on to someone else's. Nowadays it almost seems as though security is a joke. No backswing for me - I can just sit there and yell "Something's wrong!" till I'm blue in the face, or say "hey, I gotta do this to make sure you're safe". Even if there is no impact, no requirements, no nothing, we still get hassled about what we need to do.

Then, it seems as though it must be the next big career boom: the market is flooded with these so-called CISSP-certified IS professionals. I can't stand them - I'm sure most of them can't even tell the difference between TCP and UDP, let alone know that IPsec is a protocol just like TCP/UDP/ICMP/GRE, etc.

I'd like to see them figure out a routing issue that causes information leakage, or why an IDS can only see half a conversation. Argh.

Don't get me wrong - security needs to change from a police-and-fire job to an EMS-type job. Don't be there to police and put out fires; be there before things happen, making sure everyone is safe, and when something does happen, know how to deal with it and with the cleanup afterwards.

For those of you in IT: listen to your security people. Not all of them want to stop you from doing things; they just want to keep you safe. A good security person will not only tell you it's not safe, but help solve it and make it safe - or at least explain why it's not safe and why there is no alternative.

Good luck, and don't play in the street - try the back yard as an alternative ;)

Someone understands my frustrations!

You hit the nail on the head. After being in the biz for so long, it's refreshing to find someone who's thought what I've thought for so long. On the same note, it's also very frustrating to love the profession you are in, yet not be taken seriously and even be taken for granted. It'd be nice to see infosec become a more integral part of IT instead of being laughed at or ignored altogether.

Isn't this blog the

Isn't this blog the truth.

The biggest problem seems to be where to draw the line between convenience and security. For all practical purposes, you need to find the middle ground on both. That's when it all works.

Just because a company buys a nice, nifty UTM and hires someone to manage it never means that you are completely safe. Security in IT is always going to be an evolving field for ever-evolving threats.

Agreeing, if still a bit offended

I have to agree with your basic premise, even though I don't like the way you framed it. Knocking CISSPs for no good reason only tends to make your discussion harder for some to swallow. Your article would have been better reasoned by saying that many security professionals just aren't up to snuff and have lost sight of the goal. You are correct: our purpose is NOT to put barricades in the way of users, but to ensure that the resources and information of the company are kept safe.

For future reference, the CISSP exam requires knowledge of TCP/IP in moderate depth in order to pass. It's part of the 10 domains of information security. The common misconception, though, is that the CISSP designation means that one is an expert. This is not and never was the intent of ISC². CISSP is meant to be a validation that a person has sufficient knowledge to manage information security in broad terms. In other words, it's a manager's certification, not a technical certification. Therein lies the problem of hiring CISSPs for technical positions. A CISSP certification does not imply mastery of network security; for that you are better off looking for SANS certifications.

To return to the topic at hand, your premise has some merit, but it fails to take into account the breadth of what information security entails. Information security requires more than just computer controls; it also requires document controls, personnel controls, and disaster recovery/business continuity controls. Your assumption that a security professional who does not have expert knowledge of TCP/IP and its related protocols is a "hack" is incorrect. In IS, the entire AIC (Accessibility, Integrity, Confidentiality) triangle must be taken into account. All three are required in varying degrees of balance for information security to be successful.

If you want people to listen

If you want people to listen to you, you might want to correct the spelling errors in your post. Please proofread.

Real life

I have experienced the same situations and met the same type of people. However, I am a CISSP and I am proud of it - and I am, like you, capable of solving nearly any IT-related problem (take a look at my blog and you'll see). Carrying a certification (or any title, for that matter) does not really say anything about a person's competence or professionalism. Yet there's a need for these certifications, much like there's a need for higher education and the associated degrees.

The essential problem is that some people who work in IT are not overwhelmingly qualified for their job - that's true for any segment of IT, though. I've met C++ "developers" who didn't know the difference between virtual and non-virtual methods. The situation in IT security is no better or worse.

Guidance on Linux installation

Dear Jason,
Sorry to barge in on a technical blog like yours. I wish to try out Kubuntu as a starting point for using Linux on my desktop. I have a mirror disc from PCWorld India; however, I'm at sea trying to install it, i.e., I don't know how to partition the disc to convert my desktop into a dual-boot mode. May I, therefore, request a little help from you? Oh yes, I'm pretty much a zero as far as technical knowledge is concerned (something I'm sure you've made out already).
Regards,
Shirish