Thursday, February 27, 2014

Cybersecurity Blog Review and Analysis

Over the last eleven weeks I have blogged about a variety of subjects with what I hope is one central theme: personal knowledge.  I try to choose topics that I have had personal experience with, since I feel this gives me a better insight into the subjects and the issues that surround them.  I have written about Security versus Functionality; Planning for Security and Functionality; Security Policies and Guidelines; Flexible Security; Emerging Trends in Information Security Models; and Security Education and Training with the theme that we need a balance between Security and Functionality. There are two points I wanted to emphasize.  The first is that Security and Functionality are not mutually exclusive – if proper planning is done before an implementation, most issues can be addressed and resolved to everyone’s satisfaction.  The second point is that we all need to remember why we are here and in the position that we hold… The Security Administrators need to remember that we are hired to provide a service or solution, and while it does need to be secure, it also has to work.  The Systems/Network Administrators and Engineers need to remember that without security, the system that performs well now will not perform for long.

I also wrote about Incident Response and Disaster Planning; Risk Identification and Management; Intrusion Detection/Prevention Systems and Strategies; and Skills, Requirements, and Certifications, with the idea that a good balance of all these subjects can prevent or mitigate most security issues. For example, with properly trained administrators and engineers, solutions will be more secure and stable, thus lowering the number of incident responses and disaster recoveries.  With proper risk management and identification, projects can run more smoothly, resulting in better implementation without sacrificing scope, budget, timeline, or quality.  The best intrusion detection and prevention systems are junk without a properly trained person to install and configure them; nothing works out of the box. Although these security topics may seem somewhat disconnected, they all come into play when performing projects, implementing solutions, and planning your enterprises.

I get my reference sources from the “Database of Infinite Knowledge,” sometimes known as Google. Once I decide on a topic, I generally first write out what my thoughts are and then google the topic and read several articles.  I try to select the most credible articles that I believe do the best job explaining the topic I chose.  Not only does that allow me to pick a source to quote, but it also allows me to supplement my objective with points that I may not have initially considered.  I believe it is OK to revise my stance on a subject while doing this, since I don’t always just pick the articles that agree with my opinion.  For example, I am a Windows Engineer and have been one for years; I started out in Unix and progressed through Novell, Linux, and eventually Windows.  I was just given an article listing 10 reasons why Linux is better in my datacenter than Windows.  While I laughed a lot, it did have some valid points, mostly about having properly trained people to run your datacenter.

I do believe a blog like this can be beneficial to an IT professional, for both the reader and the author. As the writer, I get to fully explore and research topics to increase my personal knowledge and expertise.  As an IT Professional, I myself follow several blogs and often use them when troubleshooting an issue.  Very rarely am I the first to experience a particular problem, so why reinvent the wheel?  I have had a few IT Professionals I know comment on my blog and request posts on certain subjects.  Now that class is over, I intend to fulfill a request and post on an IPv6 issue a peer is experiencing.  My advice to the next group of students is to always choose a topic in which you have experience or interest.  I have very little to do with our intrusion detection and prevention systems, so that blog post was the hardest one that I had to write, as I had to rely mostly on other people’s documentation and my limited experience.  Make sure to blog about your own individual and unique interests, experiences, and viewpoints, and you will be surprised to discover the number of other professionals who share many of your same situations, frustrations, and opinions.

http://www.writersdigest.com/online-editor/the-12-dos-and-donts-of-writing-a-blog

Saturday, February 22, 2014

Skills, Requirements, and Certifications

When I started in the commercial world of IT, I was lucky.  Back then, experience counted more than certifications, education, and actual training.  Most IT professionals were self-trained or had a base amount of education with the rest filled in on their own.  I was trained in IT in the Navy and had several years’ experience by the time I got out, so getting jobs was never a problem.  At that time, most interviews were conducted by HR and a technical person, who would question you on your experience and knowledge, and they could tell if you actually had the experience you claimed.

http://www.cc-sd.edu/blog/the-great-debate-education-vs-experience

As time passed, I noticed more of a focus on certifications, and more interviews were conducted solely by an HR rep.  Certifications became your foot in the door, but you still had to perform.  There was a high level of suspicion reserved for certified people with little experience - we called them “paper techs.”  They would buy a study guide, pass a test, and were suddenly declared an expert in a system on which they had no experience.  This would usually show up pretty quickly, and they would either move on or would be paired with someone with actual experience to learn the ropes.  More recently, certifications have implemented hands-on portions of the test that help to weed out those individuals just trying to pass from a guide.  This forces you to have actual working experience with a system before you are granted expert status.

For a long time, I didn’t pay much attention to certifications.  I had twelve or fourteen years in the field by that time and was getting by on the fact that I had a lot of experience.  Then I was turned down for a job I was interviewing for simply because I didn’t have the proper certifications.  In the Navy, I had obtained an MCSE in Windows NT 3.5 but had not bothered to update anything since.  The strange thing is that I really wasn’t that interested in the job or the certs until I was denied.  I quickly updated my certs to Windows 2000, then 2003 and so on; I have also gained several other certs in various technologies, so this is no longer an issue.  I will agree that certifications are at least a fair indicator that a person has a base level of knowledge in their particular field.  One thing I don’t really trust is the “cert grabber,” like a Windows guy who has a Red Hat Linux engineer cert and a Cisco cert, with a Solaris cert thrown in for good measure. Pick a discipline and focus on it - there is nothing wrong with being well rounded, but a jack of all trades is a master of none.

http://www.avidtr.com/Job-Seekers/Industry-Articles/Work-Experience-vs--Certifications---What-Do-Emplo.aspx

Lately I have seen the trend shift from experience and certs to formal education.  Most job postings now have a four-year degree minimum, which can be offset with enough actual experience.  The majority of the IT professionals I know now are chasing a degree, and with the focus on a BA or BS, most are going to the Master’s degree level (like me) just to try and stay ahead of the game.  So if you have a good mixture of experience and certs and education, you have a better chance of filling in more of the HR person’s check boxes, getting an interview, and walking in through the door… Once in, though, you still have to prove yourself every time.

http://virtualizedgeek.com/2013/09/09/vendor-certification-vs-college-degree/

It does make me feel sorry for the guys trying to break into the IT field now.  How would you get started? At one time I would have said, “Go get a basic cert.”  The A+ used to equate to about six months in the field.  Now I guess I would say the same, but I would also advise getting into at least a two year program and building as much experience as possible.  In my opinion, formal education is more of a path for career advancement and progression to managerial levels.  But as the IT field develops more and more specialties, the certifications become increasingly important – especially those in the areas of risk, project management, and security.

http://www.cio.com/slideshow/detail/130807/18-Hot-IT-Certifications-for-2014

Thursday, February 13, 2014

Intrusion Detection/Prevention Systems and Strategies

I guess I like to have my cake and eat it too.  Often in conversations about Disaster Recovery versus Disaster Avoidance, I just can’t understand why I wouldn’t want both.  The same goes for Intrusion Detection Systems vs Intrusion Prevention Systems, as most devices today will do both for your network.

http://www.inetu.net/about/server-smarts-blog/february-2011/intrusion-detection-or-prevention-ids-vs-ips

The big difference is that an IDS scans a copy of your network traffic looking for signs of intrusions while an IPS is looking at the active real-time traffic.  These can be viewed as active (IPS) and passive (IDS) systems.  Nothing is perfect, so things will get past an active system that the passive system may catch.  A passive system can generally do a more thorough job digging deeper into traffic and logs than an active system, as the passive system is less time-sensitive.

https://www.sans.org/reading-room/whitepapers/detection/understanding-intrusion-detection-systems-337
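The active/passive split described above, as an added toy model that is not from the original post or any product: an inline check that must pass or drop each record on its own with no memory, beside a passive check that reads a copy of the whole stream and can correlate across records. The log records, addresses, signatures and thresholds are all constructed for the example.

```python
"""Constructed toy model of inline (IPS) vs out-of-band (IDS) inspection."""
from collections import defaultdict
import re

# Constructed sample traffic log: (timestamp_sec, src_ip, event, detail)
TRAFFIC = [
    (1, "10.0.0.5", "http", "GET /index.html"),
    (2, "10.0.0.5", "http", "GET /../../etc/passwd"),  # hits a cheap signature
    (3, "10.0.0.9", "login", "fail"),
    (4, "10.0.0.9", "login", "fail"),
    (5, "10.0.0.7", "http", "GET /about"),
    (6, "10.0.0.9", "login", "fail"),
    (7, "10.0.0.9", "login", "fail"),
    (8, "10.0.0.9", "login", "fail"),
    (9, "10.0.0.9", "login", "success"),
]

# Per-record signatures cheap enough for the inline path to check in real time
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"(?i)union\s+select")]

def inline_ips(records):
    """Active path: each record is passed or dropped on its own, no state kept."""
    passed, dropped = [], []
    for rec in records:
        if any(sig.search(rec[3]) for sig in SIGNATURES):
            dropped.append(rec)
        else:
            passed.append(rec)
    return passed, dropped

def passive_ids(records, window=10, threshold=5):
    """Passive path: works on a copy of the stream and correlates across records.
    Alerts on a source with >= threshold failed logins inside `window` seconds."""
    fails = defaultdict(list)
    alerts = set()
    for ts, src, event, detail in records:
        if event == "login" and detail == "fail":
            fails[src].append(ts)
            recent = [t for t in fails[src] if ts - t < window]
            if len(recent) >= threshold:
                alerts.add(src)
    return sorted(alerts)

def run_both(records=TRAFFIC):
    """Run both paths over the same traffic and report what only the IDS caught."""
    passed, dropped = inline_ips(records)
    alerts = passive_ids(records)  # the IDS copy includes everything the IPS let through
    return {"dropped": [r[0] for r in dropped],
            "ids_alerts": alerts,
            "missed_by_ips": [a for a in alerts if any(r[1] == a for r in passed)]}
```

Each failed login on its own looks harmless to the per-record check, so the brute-force source passes the inline device and is only flagged by the stateful passive pass.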

Determining when and where to deploy these systems can be a source of contention.  The security guys want one on every network segment and every VLAN, with a couple monitoring the core and a few thrown in to monitor the monitoring traffic.  The network guys usually want one per entry point, POP, or VPN access.  A compromise between security, performance, and cost has to be reached, as each unit can cost from a few hundred to several thousand dollars, depending upon the requirements, functionality, and throughput of the unit.  Each interruption of traffic also adds a hindrance to performance – each inspection takes less than a millisecond, but add that up over your entire network for all your traffic, and it can end up being significant.

http://netsecurity.about.com/cs/hackertools/a/aa030504.htm

No one piece of equipment or technology should comprise your entire security strategy.  An IDS or IPS should be part of a layered security approach that includes network, systems, applications, and physical security.  I once attended a class that spent several hours explaining how to defend against a hacker connecting directly into your fiber channel switches in the datacenter and stealing data.  I kind of figured if I was able to get into a datacenter and couldn’t break into the switch, I’d just cart the entire SAN out with me to a place where I could take my time with it.  The point of the story is that it will do no good to spend a lot of time securing servers from outside attack if someone could just walk in and plug into my unprotected network.

Security needs to be approached as a combination of protections, starting from the outside and working inward.  Secure the doors, secure the workstations, secure the servers and the network, and so on; otherwise, you could be locking the doors but leaving the windows open.

http://seann.herdejurgen.com/resume/samag.com/html/v08/i09/a7.htm

Friday, February 7, 2014

Risk Management Specialization

The job of an IT Administrator has greatly changed over the years.  I have talked about how when I started in IT, the network admin did it all. We managed the servers, workstations, switches, and most of the applications, but over the years it was recognized that some separation of disciplines was needed.  We have all heard the old saying, “Jack of all trades, master of none.”  This is very true, especially in today’s IT environment.  I want my network person to be great at networks; I really don’t care if he knows any Windows stuff, outside of how to make the network talk to it.  The same is true of my systems, applications, and virtualization people – I want them to do what they do well and leave the other stuff to the people who do it well.

Risk management is one of those specialties that is still hovering in the gray area.  We all know it is important and that it is a huge job, but somehow it is often still being pushed off onto the admin, engineer, or project manager.  As an administrator and later an engineer, I am more concerned with the technical issues of a project or system; I may have a vague idea of the risk, legal issues, and policies associated with what I am working on, but I could never claim to be an expert.  Risk can be very hard to predict, especially on very complex systems with lots of users and dependencies.  Risk Management professionals have developed several strategies to deal with assessing risk that they can use to determine actual risk and not just the guesses of an admin, engineer, or project manager.

http://www.zurichna.com/internet/zna/SiteCollectionDocuments/en/media/inthenews/strategiesformanaginginformationsecurityrisks.pdf

I really don’t believe that it is the admin’s, engineer’s, or project manager’s place to determine the risk, cost of the risk occurrence, and cost of mitigation to a project, product, or system.  Should all these people – as SMEs – have input?  You bet.  But as an admin, I really never concerned myself with the cost of a risk or mitigation… just that it was bad if something went down, and that more people would complain if system “A” went down than system “B.”  A Risk Management professional working with management should set those priorities, because what may be important to me as an admin or engineer may not be as important to the company overall.

http://www.sans.edu/research/leadership-laboratory/article/risk-assessment

It seems counterproductive that we would think nothing of bringing in a vendor or outsourcing a new application deployment or major project, but we try to handle something as complex as Risk Management in-house.  It may be that we don’t want to air our dirty laundry, but once again, let trained and dedicated people do what they do well.  Ever heard the phrase, “A fresh pair of eyes?” Same idea here: look at it in-house and then let an objective outsider take a look and see what you missed.

http://outsourcemagazine.co.uk/using-outsourcing-to-address-risk-management/

We have already seen IT security and project management become a specialty, along with more dedicated IT security professional and project management positions being created.  I believe it is only a matter of time before risk management follows suit.  As we become more connected, and increasingly IT reliant, a dedicated position to handle the complexities of risk management and how it interacts with IT security and project management will have to become the standard.  Just as when it was decided that a network admin shouldn’t or couldn’t handle everything, we will need to determine the same of the project managers, engineers, and admins tasked with risk management as a side duty.