

Professional Paranoia: Secrets of Security Experts

by Michael W. Lucas

The last security article I wrote generated a flood of email. Most messages said exactly the same thing: "How do I become a security professional?"

First of all, you probably don't want to become a security professional. Sure, it sounds glamorous: You strut in, violate a network a dozen different ways, and show that you know a lot about security. That really isn't a big deal; you can do the same sort of thing just by demonstrating that you're good in any field. All you have to add is the strut.

Most security professionals are contract consultants. They visit different companies and perform intrusion testing. That's where they break into the network and demonstrate just how badly flawed the system security is. It's a pretty safe bet that you can go to any company in North America today and break in. I did this for a couple years as an independent contractor. I found that I hate to say "I told you so."

No, I take that back. I love to say "I told you so." But I get so very tired of it. Much as a front-line help desk person learns to despise callers for merely breathing, a security pro grows to despair of clients ever getting a clue. If I hear one more high-level manager say, "But we paid $100,000 for this security system just last year," I'm going to slap them upside the head with a week-dead salmon.


If you're good, you can get a job at a company where security is paramount. Here in Detroit, several automotive firms and their suppliers demand absolute security. It's all schedules and permissions policies and making sure that someone doesn't install one of those free Unix variations without authorization. After all, users who can comfortably use desktop Unix are the most difficult to handle. They either have more of a clue about computing than the average user, or they're a menace to network safety -- possibly both. And they probably want SSH and CVS access to the Net instead of plain vanilla HTTP.

The 60-page security policy you dragged through five different committees and nine revisions says that they only get HTTP. And that same policy probably says that they only get the corporate-approved OS, even if the senior LAN troubleshooter might as well be hog-tied without his BSD laptop. You're no longer a geek. You're a paper-pusher, a "proxy Nazi," and a general pain. And every committee meeting has scraped a little bit of sunshine off your soul. You can't be a good guy even if you still want to be.

At the end, it doesn't matter. You can be as skilled as you want to be and someone, somewhere, can still kick your hiney. Arrogance isn't useful in the security business. Humility is. I'm no longer a security professional because I want to be arrogant on occasion.

What you can do quite effectively is bring a security awareness to your current job. If you're a programmer, network administrator, or even a help desk person, an understanding of the security implications of your work can do nothing but help your career.

There are two methods that have been used by professionals for hundreds of years. They apply just as well to computing professionals today.

  • Take care of your tools
  • Take care of yourself

You wouldn't see a long-term professional mover trying to shift a refrigerator without a back brace, or a doctor putting his ear to your chest without a stethoscope. Similarly, if you don't understand the ins and outs of your tools, they'll corrode and you'll slip a disk.
