For Information Security Newcomers, It’s More Good than Bad.

by Dennis Kuntz

Most people like attention. Just like we did when we were kids, to get that attention we sometimes engage in good behavior and sometimes in bad behavior. As a parent I know that a sound approach is to focus on and reward the good behavior, while not giving the attention sought via the bad behavior.

A perspective among some information security practitioners seems to have emerged: This industry is mean to newcomers. People I respect – though admittedly only through my exposure to them via Twitter and some subsequent blog reading – have recently lamented the current state of the information security community vis-a-vis its collective attitude toward newcomers and those who legitimately want to learn.

One, from Rafal Los, goes so far as to say that “Infosec is Rotten”, and elaborates from there. The other, from Dave Shackleford, is less strident but offers a similar stance (and offers a lot of practical advice for those new to information security practice, by the way). Their main points are:

  1. There are cliques within the established information security community

  2. Members of those cliques seek to humiliate those asking certain questions – especially when those asking identify themselves as “new” to information security

  3. As a whole, the information security field is not “welcoming, or mentoring, or open-minded about new people coming in.”

Based on my own experience, I’ve seen what they’re talking about when reading responses to blog comments, on social media outlets, and in forums, etc. I have wondered about it myself: What motivates it? How pervasive is it? How much of an impact does it have on those trying to enter the industry?

It has intrigued (but not surprised) me that a group whose genesis (it could be argued) stems from being socially outcast would naturally create socially-oriented subgroups that outcast others: Narcissistic exclusivity happens.

However, I don’t think it’s as widespread as some make it out to be. There may even be a more powerful trend of good people reaching out to assist others. Either that, or at the very least the positive influences in information security deserve as much credit as any negative cliques, if not more.

When I have had questions or needed a boost, there have been positive voices willing to reach out and lend a hand. And they have never asked me whether I am seasoned, green, or somewhere in-between.

From Michael Santarcangelo (@catalyst on Twitter) who has had nothing but guidance and help to offer, to Jamie Levy (@gleeda) who has helped me – pleasantly – with questions ranging from general forensics to troubled PyFlag installations; from Rob Fuller (@mubix) who has offered assistance with Offensive Security training, to H.D. Moore (@hdmoore) offering his thoughts on VM’s “endian-ness”.

The resumes of the names I have listed are impressive – these are not information security lightweights. And the exciting part is that these are only some of the people who routinely help others – I couldn’t begin to name all of the ones from whom I’ve had helpful, generous contact.

The good elements of information security are there, and they are active. Maybe we need to do a better job of seeking them out, engaging them, listening to and amplifying their efforts. Certainly their knowledge should be absorbed, and their l33tness bowed down to, but just as importantly, their generosity should be acknowledged and they should be thanked. Giving more public props to and highlighting the efforts of those who are doing The Right Thing will help to steer those impressionable newcomers in the right direction. We should also individually strive to emulate these people. This will put the attention and focus on what – and who – is more productive and better represents what we think our industry should be like. Ultimately this will be better for all of us.

(A note: yes, everyone I mentioned is on Twitter; that’s where I’ve “met” more information security people than anywhere else. I’ve met some in person and even become friends with some. And it’s a good place to interact with and learn from them).

FTC Says Bloggers Must Disclose Freebies

by Aaron Titus

The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009.


Revisit the basics

by TrishABC Smith

As our clients and customers naturally become more computer savvy, we often assume that they know (and remember) the basic tenets of security, including good “password hygiene”: Ensure that your password is difficult to guess, that it is never given to an unauthorized party, and that it is changed on a regular basis. But something happened today that reminded me that even the more knowledgeable among us can forget to be cautious when we are online.

I was on Twitter this morning (my username there is @Astrogirl426, if you’d like to add me to your follower list) when I began seeing tweets about a new service called “Twitviewer”. This service offered to let Twitter users find out who had recently viewed their Twitter page. Curious, I clicked the link and was sent to the Twitviewer home page, where I was prompted to enter my Twitter username and password.

Hopefully, this is the point at which anyone with a moderate amount of experience online would stop and think, “Hmm, this might not be a great idea. Let me wait and see if this service turns out to be legit.” Let me state here that there ARE some legitimate Twitter services that require you to enter your username and password to access them (TwitPic is just one of several). However, a brand-new service that requires your login information should always be approached with caution – if for no other reason than to see whether any reports of “suspicious activity” surface.

Unfortunately, over the next few hours I saw quite a few of the people I follow on Twitter using the service (I knew this because the service sends out an automatic tweet from the individual when they use it for the first time). Sure enough, later in the afternoon I began reading warnings from Twitter against giving Twitter login information to this service.

So what did I learn from this? What can YOU learn from this? That even as people become more sophisticated about computers in general, and security in specific, we need to revisit the basics with them from time to time to remind them that these lessons are still important, and still relevant. And if you were one of those who used the Twitviewer service – change your password!


Into the Breach – Audio Series – The Introduction

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the last Tuesday of each month (there are 13 chapters total).

What you’ll find in this segment

The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey “Into the Breach”, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded.

A Private Invitation to Engage with Michael Santarcangelo

Build on your experience. Sign-up for exclusive invitation-only conversations [click on the link to sign up now for your invitation] with Michael Santarcangelo, hosted by EMC. Join Michael for a live conversation two weeks after each chapter is released where he will:

  • Reveal the ideas and concepts that got cut from each chapter
  • Expand upon or update the elements in the chapter you just listened to
  • Answer questions in a candid and direct style – focused on delivering insights that lead to results

The discussion centered around the concepts revealed in the Introduction is scheduled for Thursday, July 16th. Visit http://www.configuresoft.com/securitycatalyst.aspx for more details and to get your invite!

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

  1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV

Weekend Catchup: SCC Discussion Forum Update (July 26 2008)

The discussions continue to expand and inform in the Security Catalyst Community. Here are some of the recent hot conversations (including some I have listed before; this week they really exploded).

With Blackhat/Defcon approaching, here are two discussions related to that:
Want to participate in the next Security Round Table? We are recording the August SRT on Monday night using TalkShoe so you can listen in!

Join in the Discussion!

The Security Catalyst Community

Your participation is your currency (meaning there is no charge to join) – the more you contribute, the more you learn, and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.
