As a vulnerability management professional, I talk about vulnerability scanning best practices a lot. There’s a lot more to vulnerability management than just scanning, but if you don’t get scanning right, the rest of the program suffers.
I’m going to talk about a lot of technical controls here, but don’t forget the nontechnical side. People and processes have to support all technology.
So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.
The field desperately needs more of us, so I’m happy to share with you how to become someone like me.
I learned the hard way a few weeks ago how net neutrality can be equated with socialism, an argument that puzzles people who work on computer networks for a living and see networking as a big flow of electrons. I think it’s very important that we understand how this happens.
Here’s the tactic: Find a socialist who supports net neutrality. Anoint him the leader of the movement. Bingo, anyone who supports net neutrality follows him, and therefore is a communist.
Political lobbyist and Fox News contributor Phil Kerpen told me Robert W. McChesney was the leader of the net neutrality movement, and he sent me a quote in the form of a meme longer than the Third Epistle of St. John. Yet in a Google search for the key words from that quote, “net neutrality bring down media power structure,” I can’t find him. So then I tried Bing, where I found him quoted on a web site called sodahead.com, but I couldn’t find the primary source.
For the leader of a movement the size of net neutrality, he sure keeps a low profile. Google and Netflix are two multi-billion-dollar companies that support net neutrality. I’m sure it’s news to them that they’re taking orders from Robert W. McChesney.
I saw a story yet again about the tech worker shortage, and the backlash against H1-B visas. Reading the comments on Slashdot, I increasingly got the feeling the shortage is a mirage. The people are out there, but the matchups with job openings aren’t happening.
My experience may be anecdotal, but it mirrors this.
I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.
For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training, in person, in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.
Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, I didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.
I also know about this training that Snowden put on his resume.
My tell-all about my encounter with “Computer Maintenance Department” was a little heavy on the jargon yesterday. It occurs to me that explaining what some of the terminology means, and the problem with their reasoning, may be helpful. I’ve also heard a few questions through various channels, and I think those are worth answering.
So last week, I wrote about the difficulty of landing a security job and promised to explore it further.
And I think the first key, and what should be the most crucial key, is being conversant in security. Having a certification is one thing, but at the end of the day, the biggest thing it means is that you passed a test. It’s possible to pass a certification test and not be able to talk intelligently about security. So in the process of interviewing, you can expect to have to answer a pile of questions, and if you don’t answer those questions well, you won’t be offered a job.
Caller: “I calling from technical support. We found issue with your PC.”
Me: “What company are you with?”
Caller: “CSA is the name of my company.”
Me: “What’s our business relationship?”
Caller: “We found issue with your PC. Our technicians found your PC is running slow.”
Me: “Do you realize I wrote the book about PC performance? No, really, I wrote a book about it. I guarantee my computer is faster than yours. I also possess multiple security certifications.”
Caller: “Go on.”
Me: “You need to find someone else to social engineer.”
The caller stammered a little bit, tried to assure me it wasn’t a scam and wasn’t going to cost me money, then hung up.