Ten Things Every ITsec Pro Should Do

10. Work for a vulnerability research powerhouse

Working for a vulnerability research powerhouse can be a rewarding experience for any curious-minded security professional. On top of working in an environment fueled by out-of-the-box thinking, there is typically a wealth of information at every employee's fingertips. Used correctly, that information can accelerate a career and/or build subject matter expertise. Some excellent examples include IBM ISS and Rational, Sourcefire, McAfee, the NSA, and HP (with TippingPoint and SPI Dynamics). Don't overlook smaller companies that make a significant investment in research, though; companies like ImmunitySec and Rapid7 would be good choices as well.

9. Write and conduct a hands-on training course

Due largely to the fact that the term "information technology security" covers such a broad range of topics, even the most knowledgeable security professionals may overlook the depths of their own abilities. Writing and conducting a hands-on training course can help professionals gauge their own knowledge level, and it often results in a worthwhile knowledge exchange with the students. The days of trading "philes" may be mostly dead; trading knowledge through training is a nice substitute.

8. Openly complain about an operating system and swear to only use BSD

Realistically, BSD is enough of a pain to get up and running that hardly anybody ever uses it as their primary desktop (unless the desktop has a very specific purpose). Regardless, as a security professional it's a rite of passage to complain about every other operating system in existence.

7. Attend the RSA Code Breakers Bash

It may sound nerdy because, well, it is nerdy. Either way, the Code Breakers Bash is one of the biggest (if not the biggest) IT security parties of the year. It is easy to get lost in the day-to-day operations of IT security and never see the bigger picture of the industry. The Code Breakers Bash can be an eye-opening experience for any ITsec pro who has never experienced it. The amount of money organizers spend on the party alone makes it worthwhile; if that isn't enough, then taking the opportunity to see a lot of executives and mid-level managers drunk and engaged in some sort of geek tribal dancing is well worth it.

6. A Secret Squirrel Forensic Investigation

Network forensics solutions such as EnCase Enterprise, ProDiscover, Mandiant products and others are making secret squirrel investigations (investigations where an analyst images a hard drive without the user knowing) less relevant. However, the experience is so much fun that if there is any possibility of doing this type of investigation, jump on it. There is a level of thrill in this type of activity that is unrivaled by just about any other IT security activity.

5. Publish a piece on information security

Having a whitepaper published and posted on a website is an extremely rewarding experience, and publishing a piece within a publication can be equally rewarding. The best part is that a publication will be around forever. Consider it a security professional's legacy.

4. Conduct a Formal Penetration Test

Security professionals should know how to hack stuff, plain and simple. There is no better way to put these capabilities to the test than to conduct a real-world penetration test.

3. Participate in a Government Information Security Exercise

Participating in government security exercises will show anyone just how far IT security really has to go. It will also hammer home how important it is that the community bridges that gap. Unfortunately, this stuff doesn't work the way it is portrayed in the movies. Fortunately, most people don't know that, so it always sounds cool when you can tell your friends about participating in non-secretive government exercises like "Cyber Storm."

2. Walk the RSA Conference USA Show Floor

The sheer amount of money flowing through the RSA show floor makes it a unique experience for every IT security professional. It is easy to see IT security as a battle for control of an infrastructure or data; seeing the RSA show floor will open anyone's eyes to the monetary foundation that is really running the industry. If that isn't reason enough to go, then robbing the show floor of as many pieces of swag as possible makes it worthwhile. Bringing that swag back to an office and seeing people's faces light up as bags full of junk are laid out for them is a memorable moment, to say the least.

1. Attend BlackHat and DefCon

BlackHat and especially DefCon are somewhat like a pilgrimage for security professionals. The events and talks are legendary, and although the conferences have evolved over the years, they are still the premier computer hacker conferences. If for no other reason, attending these conferences is worthwhile to see and meet people who are genuinely passionate about computer security. DefCon was probably the first place where a person's cool points were based on how l33t they are, as well as probably the only place where saying things like "l33t" might cause a person to get beaten with keyboards, bad odor, and old beer bottles.