Step 1 to landing a security job: Become conversant in security

So last week, I wrote about the difficulty of landing a security job and promised to explore it further.

And I think the first key, and what should be the most crucial key, is being conversant in security. Having a certification is one thing, but at the end of the day, the biggest thing it means is that you passed a test. It’s possible to pass a certification test and still not be able to talk intelligently about security. So in the process of interviewing, you can expect to have to answer a pile of questions, and if you don’t answer those questions well, you won’t be offered a job.

Somebody just tried to hack me

Caller: “I calling from technical support. We found issue with your PC.”
Me: “What company are you with?”
Caller: “CSA is the name of my company.”
Me: “What’s our business relationship?”
Caller: “We found issue with your PC. Our technicians found your PC is running slow.”
Me: “Do you realize I wrote the book about PC performance? No, really, I wrote a book about it. I guarantee my computer is faster than yours. I also possess multiple security certifications.”
Caller: “Go on.”
Me: “You need to find someone else to social engineer.”

The caller stammered a little bit, tried to assure me it wasn’t a scam and wasn’t going to cost me money, then hung up.

12 PC tasks you should be doing and aren’t

Here’s a jewel from earlier this month from PC World: 12 easy, crucial PC tasks you should be doing and aren’t. They’re mostly related to performance and security. No wonder I like the article.

A couple of the items won’t give the kinds of gains they used to–in this era when everyone thinks they need a 3 TB drive and they’re using less than 1 TB of it, cleaning up unused data isn’t going to do all that much to improve performance. But there’s some benefit to removing unused programs, especially unused programs that run at startup.

Most critically, the article tells how to automate a lot of these tasks. Automating it so that it just happens without you having to think about it is even better than doing it. If you’re not doing these 12 things because the computer is already doing them automatically for you, then that’s OK.

Livingsocial got breached. Change your password, of course

Livingsocial got breached. If you have a Livingsocial account, you need to change your password.

There are two questions worth asking: How do you protect yourself, and how does this happen?


“They were bored and wished they had a job.”

I was catching up on security podcasts this week, and a brief statement in one of them really grabbed me. The panel was talking about people who steal online gaming accounts, I think. The exact content isn’t terribly important–what’s very important is what this person found in the forums where the people who perform this nefarious activity hang out. What she found was that there was one common sentiment that almost everyone there expressed, frequently.

They were bored, and they wished they had a job.

There was about a 30-second exchange after that, but I don’t think it’s enough.

When your CISSP isn’t enough

I had a job interview Monday. I have at least one observation from it–the things on my resume that impress recruiters don’t necessarily impress a good hiring manager. Not on their own, at least.

Let’s do some post-mortem.


The ACLU has a point about smartphone security

The ACLU complained to the FTC that carriers aren’t patching vulnerable Android phones. They have a point.

Phones are profitable, and the carriers are trying to have it both ways.

Linksys isn’t the only company building insecure routers

I warned a few days ago about Linksys routers being trivially easy to hack; unfortunately, many other popular routers have security vulnerabilities too.

The experts cited in the article have a few recommendations, which I will repeat and elaborate on.

A treasure trove of training material

Need to improve your security skills? Need a refresher course to brush up on some skills you haven’t used in a while? Or are you just looking for some CPEs or CEUs to keep your certification valid?

The United States Department of Defense offers a great deal of security training, much of which is freely available to all comers. Your tax dollars paid for it, so don’t feel bad about using it. Besides, if you use it to improve your networks, then your networks are less likely to become a source of attack on government networks, so they’re happy for you to use most of it.

Here’s a hint: Anything that isn’t viewable by the general public is marked “*(DoD PKI Cert req’d).” If you don’t see that marking, then it’s free for you to view. Just click the link marked “Launch Training.”

Troubleshooting at all layers of the OSI model

I saw this phrase in a job description last week: Troubleshooting at all layers of the OSI model. That sounds a bit intimidating, right?

Maybe at first. But let’s not overcomplicate it. Once you get past the terminology, it’s a logical way to locate and fix problems. Chances are you already do most of this whether you realize it or not. I was already troubleshooting at a minimum of four of the seven layers when I was working as a part-time desktop support technician in college in 1995.
