What is your involvement in Computers and/or Computer Security Everyday?

  • hackajar
    Contest Goon / Vegas 2.0
    • Jul 2003
    • 1255

    #16
    This was a (in my mind) natural progression from the other poll running right now - What did you expect from forums? - that seemed to spark some interest in me.

    I have been posting (trolling too? ) here for almost 2 years now, and I found myself wondering "Do I hang out here for interesting commentary on security issues or do I hang out here to get the 'secret' item that will be on the scavenger hunt list before I get to DefCon?" /shakes fist at HW

    I found that I'm here to have my ear to the ground on all things DefCon, and not really to add any value to my daily digest of RSS feeds, news groups and security bulletins.

    This is fine, I was just wondering if others were kind of bummed that there is not as much white hat talk here as I expected two years ago. Perhaps talks about best practices, thoughts on certs (GIAC, CISSP, etc), latest "issues" on the web.

    Take today for example. isc.sans.org and other sites are actively watching port 1025 (Windows RPC) due to a strange spike in requests to this port in the last 24 hours. But this forum is the least interested in that current issue. Is this bad? I don't know. What I do know is this forum is what you make of it, and the current state seems just fine by me. The above example is just monitored/talked about on other sites in my daily web walk though.
    "Never Underestimate the Power of Stupid People in Large Groups"


    • valkyrie

      #17
      /lurk off
      Intriguing thread, though I find the poll question a bit nebulous. Using Merriam-Webster definitions as a frame of reference:

      "security" = http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=security&x=0&y=0
      Seven entries were found. I chose the first entry. There are four base definitions for this word. I will assume that for this topic Cot was alluding to the fourth: "4 a : something that secures : PROTECTION b (1) : measures taken to guard against espionage or sabotage, crime, attack, or escape (2) : an organization or department whose task is security."

      "professional" = http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=professional&x=0&y=0
      Three entries were found. I again chose the first. There are 3 base definitions for this word. I will again assume for this topic Cot was alluding to the second: "b : having a particular profession as a permanent career <a professional soldier> c : engaged in by persons receiving financial return <professional football>"

      If these definitions are the intended frame of reference then, yes, one could say I am a "security professional." However, if a title is required, I prefer the title, "Information Security Technologist," because that is the aspect of my craft which I currently practice. I perceive "security" as being an element of business risk management, not the sum of its parts.

      Business risk management is the whole life-cycle process of ensuring that an entity (business) has knowledge of risks pertinent to their business silo. And that they have been advised of appropriate measures to secure their information assets from fraud, waste and abuse. It means assisting an entity to understand their core business drivers. It means assisting an entity to determine what their legal and regulatory obligations are. It means assisting an entity to define what their critical business processes and information assets are. It means assisting an entity to define the policies and procedures that will govern how those assets will be protected. Sometimes (the "sexy" stuff) it means putting one's hands on the physical and logical resources that support the critical business processes mentioned above to hack at and identify important gaps. It means assisting an entity to understand how these gaps are directly applicable to their business. It means assisting an entity to determine worst case scenarios and devising strategies to mitigate them. It is a continual, multi-layered process. In my career, I have dabbled in many of them.

      I do not agree with the assertion that "after users, poorly engineered and tested software is the leading cause of exploitable vulnerabilities." They are merely symptoms of the actual problem. The leading cause of exploitable vulnerabilities is lack of understanding and management of business risk. Enforceable and enforced policies and procedures go a very long way to manage users and poorly designed software. Yes, hacking the software and systems is important to ensure it "works and is implemented as designed." And these skills are necessary to ensure the on-going integrity of the systems to support critical business processes. But they are not the heart, the core of information security management.

      This field of "security" has evolved so over the past 15 years that I contend one individual cannot maintain mastery over every domain that comprises risk management or they wouldn't have the time necessary to actually practice their craft. Those who specialize in security policies and procedures are just as valuable to a "security team" as those who hack systems and code. And possessing the skills to successfully identify the resources, build and motivate those teams to deliver actual value to a client is probably most important.

      As an aside, the CISSP certification was developed to determine whether an individual has the basic knowledge necessary to assist their clients in determining high- to mid-level risk in 10 of the (then defined) security domains. The certification has some value if one practices as a consultant. Tends to make clients feel warm and fuzzy. It was not intended, however, to indicate that the individual is a "l33t h4xor". There are drill down certs (GIAC, product certifications) that require one demonstrate those types of skills.

      FWIW, while perhaps it may have been phrased a bit differently, I did not find this poll a troll or an insult, other opinions notwithstanding. It is a good question for open dialog. And while I find my craft to be exciting and absorbing to the extreme, I agree with AlxRogan. Perhaps it's time to consider farming. :-)

      Long winded, I know. A topic dear to my professional heart. If you are offended by content or length, I humbly suggest you get over it.

      lurk on/

      r0cketgrl that was/valkyrie that is
      ______________

      sapere aude


      • hackajar
        Contest Goon / Vegas 2.0
        • Jul 2003
        • 1255

        #18
        r0cketgrl,

        Interesting take on all things security.

        -------
        Perhaps I should state my definition of "security professional" as this seems to be the boiling-over issue relevant to the thread. Set to a brief history of hackajar

        When I started getting into "my computers are not secure, I should do something" mode back in 1999, I started looking into log reading. This was done on my home boxes connected to the Internet. Perhaps this fits the role of "I'm not a security professional (I just play one on weekends)".

        It wasn't until I was taking a proactive approach to security at a credit card firm that this became "I'm a security professional (between the hours of 9:00AM and 10:00AM) consulting clients who were smart enough to ask about security," while I did my other 12 jobs at that company.

        Now I have left there to focus 100% on security for a new firm. This, in my mind, puts me down for "I'm a security professional" at this point in my life.
        --------

        What it all comes down to: Everyone should be concerned about security, and all of its implications. Some must take on the role of ensuring security is met by all, and mitigate risk when it's not. Those who take on this responsibility - Network admins, firewall admins, information assurance personnel, "all of the above" people, etc - should consider themselves "Security Professionals". It is my opinion, at this stage in the game, that if you're not providing security as #1 before you follow through in your current job (listed above) then your company/clients are in big trouble!
        "Never Underestimate the Power of Stupid People in Large Groups"


        • valkyrie

          #19
          Now I am really a scared rabbit. :-) No worries. That is how I spend my time.

          First, I did not mean to offend anyone with my post. Merely my opinion based upon my experience in industry. Second, I agree that your migration to this field is similar to many I have spoken with.

          You nailed it hackajar. Some are attackers, some are defenders. There is a place for this. And yes, the general public needs to take appropriate measures to ensure that they, too, are well defended. *me thinks of her paper on the legal implications of being on the net, via IPV6* I really believe that the truth, at a cellular level, is that if you are on the net, you are culpable to pay attention to "security", regardless of whether one plays at being a "security professional" or is a weekend warrior... the world has become much smaller. We must pay attention.

          I will shut up now.

          r0cketgrl that was/valkyrie that is

          ______________
          sapere aude


          • -0o-
            Member
            • Mar 2005
            • 12

            #20
            Voted for option 'just a noob in search of an email hack'

            ... in which ...

            where can I find a non-noob to hack my email account? I 'lost' the password, and I have correspondence from Nigerian royalty I need to complete! I'll give you 10% of the 40 million I'm getting for forfeiting my passport and bank account.


            • noid
              Fun Enforcement Agent
              • Oct 2001
              • 2394

              #21
              Throw in a free ipod and some viagra and we're talkin'

              I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me


              • Second
                Don't hurt me
                • Dec 2004
                • 319

                #22
                Originally posted by -0o-
                and I have correspondence from Nigerian royalty I need to complete! I'll give you 10% of the 40 million I'm getting for forfeiting my passport and bank account.
                Well according to today's currency rates, if this 40 million you speak of is the Nigerian naira that's only 303,893.64 USD, 10% of that being 30,389.36 USD. What are you trying to do, CHEAT US??
                Answering easy questions since 1987
                If God is for me, who can be against me?


                • -0o-
                  Member
                  • Mar 2005
                  • 12

                  #23
                  Originally posted by Second
                  Well according to today's currency rates, if this 40 million you speak of is the Nigerian naira that's only 303,893.64 USD, 10% of that being 30,389.36 USD. What are you trying to do, CHEAT US??

                  I cast a 33rd level warlock entity spell on you. You should be melting.


                  • Second
                    Don't hurt me
                    • Dec 2004
                    • 319

                    #24
                    Originally posted by -0o-
                    I cast a 33rd level warlock entity spell on you. You should be melting.
                    Man, forget that noise. How good will your little entities be after I headshot you with my awp.....just joking.

                    :)
                    Answering easy questions since 1987
                    If God is for me, who can be against me?


                    • noid
                      Fun Enforcement Agent
                      • Oct 2001
                      • 2394

                      #25
                      Originally posted by Second
                      Man, forget that noise. How good will your little entities be after I headshot you with my awp.....just joking.

                      :)

                      OMG WALLHACK!!!!!21!@!!#!#!!!!

                      I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me


                      • hackajar
                        Contest Goon / Vegas 2.0
                        • Jul 2003
                        • 1255

                        #26
                        This thread is officially dead
                        "Never Underestimate the Power of Stupid People in Large Groups"


                        • Nimby
                          QuakeCon Network Security
                          • Oct 2004
                          • 34

                          #27
                          guess we ran out of sunshine for management ass ....
                          www.quakecon.org
                          Network Security

                          www.ni-online.org
                          Lan Events done RIGHT.
                          Contact Ni! for details.


                          • dementeddemon
                            Member
                            • Jan 2005
                            • 70

                            #28
                            Originally posted by octalpus
                            I'm not a professional. Honestly, I don't particularly *care* to be a professional. Not even on the weekends. I do this shit for fun and getting paid for it takes that rush away. Not that I have anything against getting paid, mind you. I just absolutely hated slaving away in a cube for 90 hours a week on salary and not getting any time for my own projects.
                            I agree with this statement by octalpus, except I do it for fun for the rush and I would love to be a professional that gets paid for it, and while I'm at work just do it because I have to to get paid, but then when I get off of work I'm back to doing it for the rush and for fun.
                            before asking a retarded question, google it. google knows all.


                            • Demon Furor
                              Wish I Knew Something
                              • Feb 2004
                              • 54

                              #29
                              I am not a security professional yet, but I am studying to become one. I currently work in Network Support as a CCNA. I am going to college right now, studying Computer Network Systems and Information Systems Security.
