Monday, April 16, 2012

Security as a social issue

Last week, the amazing Bruce Schneier talked about the bomb threats at Pittsburgh as a denial of service (DOS) attack.  You can find that entry here. (Anyone who ends up reading my blog and doesn't know about Bruce Schneier, check him out. He's a sort of rockstar in the security world, but whether you're in security or not he is very intelligent, and always has an interesting view on issues.)

Articles like this, linking social issues or social situations directly to information security, are very interesting to me. Obviously the weakest link is humans ourselves, not the technology. It's the same issue as cryptography. We have algorithms that probably won't be broken in our lifetimes; however, many encryption systems are easily broken because they don't implement the algorithms correctly, hence a human failure not a technical failure. Back to the point, bomb threats as a form of denial of service attack is almost brilliant. As Bruce says, the payoff is tremendous.

My girlfriend is going to graduate with a Social Work degree in about a month. When she and I discuss our careers, they're obviously extremely different. Mine is quite technical, while hers is all about social issues. When she tells me about her classes, or some discussion they are having however, I can't help but think of security. Almost any social situation can be paralleled with a technical issue, especially in the security field. It goes the other way too: almost any technical issue can be paralleled with a social situation.

Here's one example (though it's not my best). She deals with clients who are drug addicts, prostitutes, violent criminals...etc. They come to her for help, and she is obligated to help them. They may steal from her, they may stay clean for a week then disappear and never come back...they may be violent or mean towards her and still ask for help...and no matter what she has to keep trying. This could mean a few things in my line of work. This could be applications, and operating systems. They're made insecurely, and I sure as hell wasn't consulted when they were being made...yet I have to figure out how to secure them. Not just one, but ALL of them. If there's a critical Adobe vulnerability (which there usually is) and someone gets into one of our servers because of it, it's my fault for not stopping them...it isn't Adobe's fault for not making their own product secure. If my girlfriend is helping someone get over a drug addiction, she fails if they can't stay clean...however it's truthfully up to them to fix it...and only they can truly fix it. I'm not saying to blame drug addicts or Adobe, or make them deal with it themselves...but sometimes the originator of a problem needs to be held accountable for that problem.

I kind of get off on tangents...This didn't exactly tie back up to the bomb threats article. It did spark my thought process though.

I'll attempt to tie it back...though don't judge me on how poor it will be :). In keeping with the DOS attack idea...My girlfriend could DOS her clients by either refusing help (which would be a LITERAL denial of service) or referring them to someone or something else. In the same way, her clients could DOS her by coming for help twice a week for a month, then disappearing, or relapsing.

There are even bigger social issues when it comes to security if we get into cyberwarfare, hacking into machines in other countries...things of that nature. I'll save my thoughts on that though.

Any ideas, thoughts?

Thanks for reading...and don't forget to get your taxes done...like, right now! :)


Sunday, April 15, 2012

How to improve my security skills after college?

As stated in my first post, I graduated from college with an Information Assurance degree in May 2011.  I promptly got hired on full-time at the job I had been interning with.  It's a good job, but a small company so I'm the only "security" person. This can be good, being thrown into the fire and learning on the go...however, it can also be bad. Sometimes I wish I was on a team of security professionals, or had a sort of mentor to pick their brain and learn from their experiences.

One difficult spot I've found myself in is how to transfer all my knowledge from college into my job. As colleges do, I was made to be "well-rounded". This means I was given lots of theoretical knowledge on information security, and lots of history. However, there just isn't time to get into too much technical detail. This leaves me trying to play catch-up, and learn that on my own while attempting to also do it at work. I was not the kid that spent all his time on my computer honing my skills when I was in college, which may have put me behind to begin with. I was heavily involved in the music program, as well as worked 30 hours per week to be able to pay rent. I've never had the free time to hone my skills like I would like, until now, when I'm out of college.

With security, there's SOOO much information that I'm really just struggling at getting myself organized and where to start. There's tons of books, tons of online articles, tons of videos...there's almost too much information. I don't know whether I should try to go through and learn a little bit about everything, such as learn a little about web app security, SQL injection, perimeter defense, firewalls, database security, Linux security, Windows security, forensics, programming...etc. Another approach is that I could focus on an area for a while...so, I could learn and practice SQL injection for a month...then move on to the next topic. Lastly, I could go about it by the tools I use...for instance I could learn as much as I could about Metasploit...then move to the next tool.

Knowing how to organize my "professional studying" to truly improve my value and move up in my career has proven to be quite difficult. I spend so much time trying to decide what to do, that I never get anything done. I'll start reading a book, get through about 50 pages, then switch to something else thinking it will help more.

If anyone reads this and has any good ideas or experiences, please let me know. I'd love any feedback!

One thing I can personally relate this to is drumming. I've been playing drums most of my life. I had my "woodshedding" years, in high school and college, where I worked on technique so much that now it's second nature and I can essentially perform whatever I can come up with. This is where I want to be with security...it's just a bit more of an abstract art.