Written by Craig Balding
July 16th, 2008 | career, wisdom |

I stumbled across a great video on a blog post from the SOURCE Boston conference.
Careers in information security are often difficult to navigate, with the industry changing more and more radically every year. This is even more true in an economy that isn’t necessarily thriving. We’re going to talk about the important skills, traits and knowledge that a security pro needs to build a long-term and successful career – not just the usual stuff (like “get certified”), but the real-world knowledge that teaches you how to have the job that keeps you challenged, growing and well-compensated.
If you are even thinking about a role in Information Security, or wondering about your next step in the industry, this in-depth talk by Lee Kushner and Mike Murray is for you.
How do you keep yourself special? Share in the comments…
Written by Craig Balding
May 18th, 2008 | wisdom |

photo credit: нσвσ
- Be A Security Cool Cat: Place penguin stickers on every surface in your cubicle. Stick at least 3 on the dual boot company issued laptop (that hasn’t had a kernel upgrade in 6 months). Use BlackHat stickers for bonus points.
- Be An Undercover Open Source Evangelist: Unfailingly, recommend open source solutions as more secure. Be sure to quote ‘more eyes, less vulnerabilities’. Recite frequently. Always forward security advisories about commercial products to your boss.
- Walk the Tech Talk: Learn at Least 10 Bash Keyboard Shortcuts. Treat this as a party trick. Perform rapidly in sequence whenever anyone watches your screen. Giggle and pass the keyboard over and say ‘Your turn!’.
- Be All Knowing, Jedi Warrior!: Say ‘Trust but verify’ whenever you are asked a question you do not understand. Make it clear in meetings that you trust no-one and “verify” solely through a Google/Secunia search.
- Impress with a Penetration Test!: Download Metasploit, spend 7 hours modifying the web interface: create custom graphics and hack up the CSS files. Start Metasploit running before you leave for the day. Use Camtasia to capture all screen activity so you can review in the morning. If all went well, upload to YouTube and link out via Facebook.
- Practice ‘Defense In Depth’: When you are asked ‘What is the Risk?’, grin inanely and say ‘I’ll tell you after I break out the vulnerability scanners’. Run at least 3 vulnerability scanners to get ‘defense in depth’.
- Latest *Is* Greatest!: Clipboard stealing attacks are *always* a bigger issue than the Cisco infrastructure with default passwords (how did they get there?!).
- Educate The Great Unwashed with a Deep Dive Security Awareness Program. Educate end-users about Cross Site Scripting and SQL injection attacks. Don’t invite the outsourced developers - they already know this stuff and have deadlines to meet.
- Impress Your Peers - Perfect the RFC Shoutout: Pick at least 10 common protocols and learn the associated RFC numbers. Intimidate IT colleagues by shouting out the RFC numbers whenever they mention the protocol.
- Start A Security Blog: What Can I Say?
Written by Craig Balding
April 26th, 2008 | career, starters |
When you picture the future, what do you see yourself doing? If you find the subject of IT security fascinating, you may be considering a career as an IT Security Professional. To help you decide, here are 10 myths about life as an IT Security Professional.
Written by Craig Balding
April 7th, 2008 | books, interviews |

7 years ago, a Cambridge Professor called Ross Anderson published a book called ‘Security Engineering’.
Up until that time, it wasn’t often you would hear anyone talk about ‘Security Engineering’ - let alone find an entire book written on the subject.
As soon as the book came out, it made a real and lasting impression on the security community.
Richard Bejtlich summed it up with his review on Amazon:
This book changes everything. “Security Engineering” is the new must-read book for any serious information security professional. In fact, it may be required reading for anyone concerned with engineering of any sort. Ross Anderson’s ability to blend technology, history, and policy makes “Security Engineering” a landmark work.
Ross has now finished a major update and the new edition is just hitting the stores. Security Wannabe caught up with him to find out more about Security Engineering 2.0. We managed to cover a lot of ground in 8 questions…
Written by Craig Balding
March 17th, 2008 | books, starters |

Today, there are more IT security books in the shops than ever before.
But what IT Security books can make a real difference to an aspiring Security Wannabe?
These are my Seminal 7…
Photo Credit: tanakawho
The book that ignited my passion for IT security. Clifford Stoll stalks the wily hacker Markus Hess in a true edge-of-the-seat thriller. Computer security books boring? Then you haven’t read this one. Be prepared to read it in one sitting!
I remember the day I read that the author of this book - Richard Stevens - had passed away. I was shocked and saddened. This may sound strange as I’d never met him, nor had any correspondence with him. The reason is simple: through his writing, he had an uncanny ability to meet you where you were and take you on what feels like a personally guided tour of TCP/IP. Simply put, this is essential reading. I’ve read some great networking books since, but none that give you the feeling that the author wrote the book just for you. A revered classic.
The so-called bible of crypto. With good reason too: Bruce Schneier provides a seriously comprehensive introduction to cryptography. Refreshingly, he starts at the ground floor - you don’t need a degree in maths to benefit from this tome - it’s very accessible. Digest this and you will learn about the most important crypto protocols and algorithms in existence today. I still reference this book at least once a month - I’ve owned it for about 5 years now. How many books can you say that about?
Ross Anderson teaches us how to avoid repeating the mistakes of those that went before us. Another author with real passion for the subject, his intelligence and pragmatism shine through. This book will introduce you to IT security as an engineering discipline. Don’t let those last two words put you off - Anderson is a master at telling you what you need to know, when you need it. The book itself underlines why effective security design is all about “the human element”. Fascinating case studies that will make you thank your lucky stars you don’t have to design security for prepayment meters or ATMs. Want to read online? Click here. Aside from the book, I highly recommend his papers on the Economics of Information Security.
The majority of the security books on my bookshelf are pretty thick. Thick books give an air of authority - “wow, this must be a very serious book by a very knowledgeable author, if I read this, I will breathe in the knowledge of the gods and impress anyone willing to listen to me for long enough”. The author of this book - Jon Erickson - somehow manages to pack an incredible amount of content into less tree than most (he even manages to get root on the cover!). You will learn techniques that shave hours off exploit development time. A great introduction to blowing (precise) holes in software.
The holy trinity of Software Vulnerability Researchers deliver a mammoth treatise on why my eyes would bleed if I had to do what they do all day. This book will change the way you see software security auditing. If it doesn’t, you probably need to read it more carefully. This should be mandatory reading for people that get paid to do software vulnerability research. For more, check the Taossa blog.
Michal Zalewski is refreshing because (a) he does his own thing, (b) those ‘own things’ tend to be interesting and (c) he enjoys the subtle/obscure/funny. And he can write! For a non-native English speaker he writes with great charm and wit. Reading this book is like stepping into the Matrix - everything we take for granted can be unwoven, refactored and turned inside out. Buy this book and read it cover to cover, then go check out his lair, where he shares his ongoing digital experiments.
###
What security books would you recommend to an aspiring Security Wannabe and why? Tell us in the comments…
Written by Craig Balding
March 13th, 2008 | Uncategorized |

Photo Credit: kk+
I, Craig Balding, Am A Former Security Wannabe.
Well..that’s not entirely true.
The truth is that you never really stop being a security wannabe - no matter how others perceive you. It’s simply that if you keep moving forward, you become less of a wannabe than the people moving slower than you :-).
In the course of my security journey I have been privileged to meet and work with some of the smartest security people across the globe.
From reverse engineers at the cutting edge, to digital crime fighters of the highest caliber. All of these people shared one thing in common - at some point, they too were a ‘security wannabe’.
The Questions This Blog Will Try To Address
- How do you make the transition from security wannabe to paid security wannabe?
- What skills/experience do you need to pick up along the way?
- Are there ‘fun’ jobs in the IT security industry? What “cool stuff” do people get to do? What is a typical day like for someone employed as a ‘your-future-job-role’?
- How do you do some of the things you do? (e.g. Incident Response, Penetration Testing)
If digital security sounds exciting to you, or you’re already an aspiring security wannabe then you are at the right place!
Or if you’ve always been told that security is just about ‘passwords’ and ‘antivirus’ then let me show you behind the curtain.
Finally, if you - like me - claim to be a former security wannabe…welcome home ;-).
Enjoy the blog,
Craig
P.S. Something you want to see? Leave a comment or email me.