What to do between jobs, or in between jobs

It’s a good idea to ask what to do between jobs, or in between jobs. What you do in between jobs can help your career, or it can hurt you. So it’s important to take it seriously.

Is CISSP worth it?

Once people finish asking me how hard CISSP is, they often follow up with another question: Is CISSP worth it? As long as you have something to back it up with, I think the answer is a resounding yes.

Job hunting on your own vs. using a recruiter

A former coworker contacted me last week. He’d been employed in the same place for the last 16 or 17 years and he couldn’t remember how to look for a job. Who better to ask than a guy who’s changed jobs 9 times in the same timeframe? One obvious question to ask regards job hunting on your own vs. using a recruiter.

In fairness to myself, government contracting causes a lot of job-hopping. And in fairness to him, the game’s changed a lot since the last time he had to play. IT recruiters existed back then, but when you wanted a new job, you found it yourself.

I still use both methods.

Your company’s juiciest Linkedin targets

People who’ve moved onward and upward within the company, bridging multiple departments, are great attack targets because they probably have more permissions than someone who’s stayed in a single role.

In non-security speak, let’s talk about someone who moves from Accounting to HR. The right way to handle it is to grant access to all of the HR data and systems, and cut off all of the person’s access to accounting data and systems.

In practice, that rarely happens. In previous roles, I’ve often ended up with access to more than one group of systems after being moved around, so I’ve not only seen it, I’ve experienced it firsthand.

The bad guys know this. So they’re going to scour Linkedin for people who have multiple entries on their profiles for the same company, knowing those people probably still have a foot in both worlds. People like that are going to get more phishing e-mails than average, because they probably still have access to twice as much stuff. That means if an attacker manages to get onto their system, the attacker also gets access to twice as much stuff.

This gets overlooked a lot, but HR and security need to have a very good working relationship to keep these kinds of situations from happening. Employees who stay with an organization and move onward and upward within it are very rare these days, and those employees deserve every bit of the extra protection they need.

Career advisers say to make sure you show all of your upward movement within the same company on your resume and on your Linkedin profile. I know not everyone does this, but jobs are difficult enough to get that we have to assume people are looking for that edge. As security professionals, our job is to understand this reality and make sure it doesn’t mean extra exposure.

How to make it harder for a scammer to file your taxes for you

Tax fraud is one of the big payoffs from data breaches. But there’s a simple thing you can do to make it harder for a scammer to file your taxes if your employer or health insurance provider gets breached and your Social Security number is one of the ones that gets stolen.

Change your social networking profile.

You’re telling me someone gave a stranger his password?

I was talking breaches last week when a very high-up joined the conversation in mid-stream.

“Start over, Dave.”

“OK. I’m talking about breaches.”

“I know what you’re talking about,” he said, knowingly and very clearly interested.

Remembering Dolgin’s

Growing up in Missouri, a lot of my Christmas gifts when I was young came from a catalog showroom called Dolgin’s. One of my earliest memories is going to Dolgin’s with my mom and aunt, who showed me some Tonka trucks and asked me which ones I liked best.

I know a lot of people remember going through Sears and Montgomery Ward catalogs, but I remember Dolgin’s catalogs the best.

How to stop the 30% of ex-employees who want to access company data

I read on Linkedin this week that up to one-third of former employees are still accessing company data–after their last day.

I wish I could say I was surprised. But I remember on my last day at one former employer, I turned in my badge, mentioned that I still had some paperwork to fill out and asked if I could have a couple of hours before my accounts would be deactivated. The guy laughed, and I won’t say how long he estimated my accounts would still be good. It was too long.

The phantom tech worker shortage

I saw a story yet again about the tech worker shortage, and the backlash against H-1B visas. Reading the comments on Slashdot, I increasingly got the feeling the shortage is a mirage. The people are out there, but the matchups with job openings aren’t happening.

My experience may be anecdotal, but it mirrors this.

What Linkedin is good for

Alistair Dabbs posted a nice, curmudgeonly anti-social-media rant over at The Register. In part, he asked what Linkedin is good for, noting it’s never netted him a job or a useful contact.

I found his piece entertaining, so I thought I’d talk about how I use Linkedin, besides dodging recruiters who blindly type “cissp security clearance” or “security analyst st. louis” and message every single person who comes up.