Re: How to get better security people

2002-04-04 Thread Avleen Vig


On Wed, 3 Apr 2002, Richard A Steenbergen wrote:

> As for your service listing them... Smurfs aren't spam, so I'm not sure
> what you plan to accomplish by making the data available via DNS, it would
> really only be useful as a BGP feed. Even then, its usefulness is
> limited. I suppose you could null route traffic to specific broadcast
> addresses to prevent people originating smurfs from your network with
> minimal impact on legit services, or if you are a big transit provider
> with balls you could apply it to all your customers.

SAFE is a daughter-project of the IRCNetOps project (www.ircnetops.org),
who are IRC network admins from small and large networks who came together
last year after getting rather pissed off by constant DoS attacks.
No, not just little admins with shells on little networks, but also bigger
admins on the bigger networks who run servers at ISPs too.

The service could be used to deny IRC access to their networks to people
who come from broken networks.

> There is no protocol (disclaimer: that I'm aware of) for distributing IP
> lists that could be filtered by source address, let alone other more
> intelligent things like distributing firewall rulesets so you could pick
> off only the echo replies, BUT MAYBE THERE SHOULD BE. <-- HINT!

Maybe there should be :-)
Want to do it? ;-)




Re: How to get better security people

2002-04-03 Thread batz


On Wed, 3 Apr 2002, Avleen Vig wrote:

:Have a look at SAFE (url in sig).
:We detect smurf amplifiers and I'm currently looking at ways to export
:data to companies regarding large smurf amplifiers (>x250 amplification)
:who refuse to close after X number of warnings.

Yeah, that uses a bit more of the anti-spam model than a network 
protection model. Aris takes IDS logs from subscriber sites, 
normalizes them and generates stats (among other things). After
the data is normalized, they show emerging trends and anomalies.
An example of this would be if an attacker started scanning across
the Internet for ssh servers, this could trigger IDSs at multiple 
sites, which would increase the profile of the attacker's IP addr. 

What I was suggesting is that this data be cleaned and a list of 
actively hostile hosts be distributed to subscribers for temporary
blockage, either by port filter, or blackholed by prefix on a reasonably
real-time basis.  


--
batz




RE: How to get better security people

2002-04-03 Thread Zimmerman, David


In a former life as well as my current one, we had a primary Information
Security officer, and myself acting as corporate firewall engineer.  I found
that my own role was best performed as a network security "conductor" of the
"orchestra" of sysadmins who actually built and operated our Internet
systems.  You build a mailing list and forward interesting stuff from
CERT/CIAC/Bugtraq/etc; you try to keep everyone informed, and guide them
along the way with reasonably well-stated firewall guidelines ("I'll do
this, I won't do that" with some give-and-take, and a little heartache over
the purity of the architecture).  And you get involved with the business as
much as you can to spread the network security gospel.

At some level it becomes less of a pure technical security issue, and more a
social engineering challenge.  Ultimately, it's all about risk management,
and minimizing your risk by maximizing the knowledge flow and relationships
that you build within the company.  I recognized that generally I knew more
about network security and IP/TCP/UDP than the people running the systems,
and at some level you only get so much system security given the knowledge
of the folks involved.  So you back it up with as much of a secure network
environment as you can negotiate v.s. the needs of the business, and make
sure that the top Security dog is on the same page as you are.

Ultimately you'll have an incident in spite of your best efforts -- no
matter how totalitarian you are in your security policies -- and the most
important thing is to educate everyone about the factors driving the
security architecture.  Maybe you make fundamental changes in response to
the incident, or maybe you just try to educate everyone a little better, but
hopefully in either case learn something along the way.

dp

-Original Message-
From: Sean Donelan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 10:18 PM
To: Christopher E. Brown
Cc: NANOG
Subject: Re: How to get better security people



On Tue, 2 Apr 2002, Christopher E. Brown wrote:
>   I think it comes down to being able to deal creatively with a
> lack of total control, and find ways to limit what you cannot
> eliminate.

Security specialists can't be everywhere, can't do everything, and
can't stop every bad thing.  The reality is the people who have
the biggest impact on security don't have security in their job
title. Instead of a neighborhood watch do we need a network watch?
While we need a few people with "deep" security knowledge, we also
need to spread a thin layer of security pixie dust throughout the
entire organization.

Is it really a lack of control?  While some security specialists
carry a big stick, on most projects security is just one of
many specialities required to work together. If you are a
security specialist, just getting invited to a project before
it's finished is a major accomplishment.



Re: How to get better security people

2002-04-03 Thread Richard A Steenbergen


On Wed, Apr 03, 2002 at 06:22:01PM +0100, Avleen Vig wrote:
> 
> On Wed, 3 Apr 2002, batz wrote:
> 
> > Personally, I would like to see a mixture of the MAPS RBL and
> > aris.securityfocus.com available, where emerging hostile netblocks
> > can be blackholed for short periods of time using attack information
> > gathered from and corroborated by a vast array of diverse sources.
> 
> Have a look at SAFE (url in sig).
> We detect smurf amplifiers and I'm currently looking at ways to export
> data to companies regarding large smurf amplifiers (>x250 amplification)
> who refuse to close after X number of warnings.
> 
> I expect it will run on a free, but subscribed + authenticated basis (ie,
> a company subscribes and gives the IPs of their DNS servers and those
> servers are authorized to do lookups, but script kiddies cannot).

Many a year ago I ran a "scan and bitch" service for smurf amps (afaik it
was the first, predated netscan.org and powertech.no). Measuring raw 
packet multiplications is really a terribly incorrect method to measure 
the "badness" of a smurf amplifier. People routinely have T1s replying 
50,000 times, and other such junk. You might be better off going back 
through all the broadcasts you got positive hits from, and try sending 
bigger packets and measuring actual received bandwidth. You'll find that 
multiplication has almost no bearing in predicting the bandwidth of an 
attack.

As for your service listing them... Smurfs aren't spam, so I'm not sure
what you plan to accomplish by making the data available via DNS, it would
really only be useful as a BGP feed. Even then, its usefulness is
limited. I suppose you could null route traffic to specific broadcast
addresses to prevent people originating smurfs from your network with
minimal impact on legit services, or if you are a big transit provider
with balls you could apply it to all your customers.

There is no protocol (disclaimer: that I'm aware of) for distributing IP
lists that could be filtered by source address, let alone other more
intelligent things like distributing firewall rulesets so you could pick
off only the echo replies, BUT MAYBE THERE SHOULD BE. <-- HINT!

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)



Re: How to get better security people

2002-04-03 Thread Avleen Vig


On Wed, 3 Apr 2002, batz wrote:

> Personally, I would like to see a mixture of the MAPS RBL and
> aris.securityfocus.com available, where emerging hostile netblocks
> can be blackholed for short periods of time using attack information
> gathered from and corroborated by a vast array of diverse sources.

Have a look at SAFE (url in sig).
We detect smurf amplifiers and I'm currently looking at ways to export
data to companies regarding large smurf amplifiers (>x250 amplification)
who refuse to close after X number of warnings.

I expect it will run on a free, but subscribed + authenticated basis (ie,
a company subscribes and gives the IPs of their DNS servers and those
servers are authorized to do lookups, but script kiddies cannot).

-- 
Avleen Vig
Work Time: Unix Systems Administrator
Play Time: Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf




RE: How to get better security people

2002-04-03 Thread Benjamin P. Grubin


It strikes me that much of the focus seems to be people on one hand
wanting "deep security expertise", which is considered technical, and on
another finding it difficult to actually have that single person be able
to impact enterprise/network-wide security.  Since "deep security"
experts are a valuable commodity, it is unlikely that spreading them
throughout an organization is feasible.

What needs to change in this model is how one defines a "security
expert".  While some deep technical knowledge in security technologies
relevant to your environment is critical, that person should hardly be a
bottleneck for the security organization.  In fact, that person should
rarely--if ever--communicate outside his/her organization.  What is
needed is someone capable of "creating" the pixie dust you spoke of,
Sean.  That dust has to be sprinkled, it's hard work, and a technical
professional cannot do it.  The problem is that when an organization
sees a need to focus on security, the first thought tends to be to get
an "expert" hired on.  In reality, this expert will have little effect
since he/she will not be able to stick a finger in every piece of pie
around.  Instead, getting the HR department to focus on a "strategic"
security manager should be the first task on the security checklist.
This person need not be a deep technical expert, though some level of
technical expertise is usually desirable.  Higher on the list is
communication skills, management by influence (as opposed to authority),
educational experience or talent, and a deep understanding of how to
promote security awareness throughout an organization.

Surprisingly, these people are both easier to work with and easier for
HR to target than your average "deep security expert".  If the goal is
to establish security as a priority for an organization, and ultimately
have far greater impact than a couple of security engineers, this is the
type to be looking for.  They don't need to have 20 years of security
experience.  People with *some* security experience and a whole boatload
of business, education, management, and political experience fit this
bill.  The profile of this person usually lines up with what would be
termed a CIO.

Once this person is in place, it becomes a lot easier to coordinate
security both within and outside of an organization.  The "community"
model for incident response has been shown inadequate by most
institutions which value their privacy.  I would think the ISP/network
provider companies would be less sensitive to this, and look for
meaningful ways to cooperate.  Having a person where responsibility for
this sort of thing would rest in each of the companies would go a long
way to getting it started.  "Deep security experts" are definitely not
suited for this type of work.

Just my $.02

Cheers,
Ben

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of batz
> Sent: Wednesday, April 03, 2002 11:03 AM
> To: Sean Donelan
> Cc: Christopher E. Brown; NANOG
> Subject: Re: How to get better security people
> 
> 
> 
> On Wed, 3 Apr 2002, Sean Donelan wrote:
> 
> :Instead of a neighborhood watch do we need a network watch?
> :While we need a few people with "deep" security knowledge, we also
> :need to spread a thin layer of security pixie dust throughout the
> :entire organization.
> 
> The NIPC, CERT, OCIPEP(Canada) and other organizations try to 
> fill this role. The Incidents mailing list also
> tries to do this on a more ad hoc basis, along with the honeynet
> projects, and to a great extent Nanog. If one's definition of security 
> includes integrity and reliability, then Nanog has been performing
> that role since its creation. 
> 
> The problem that exists with the neighbourhood watch model is that
> it assumes some sort of community and, despite a few exceptions, 
> there is no community of internet providers. 
> 
> There are communities of network engineers and other specialists, but 
> the possibility of corporations getting together with a common goal, 
> which may temporarily supersede their individual competitive 
> advantage, 
> is just not going to happen. They can have industry 
> associations, lobby 
> groups, interest groups, and other representative bodies, but 
> community
> is not one of these, and thus any network watch program which depends 
> on community will be hampered. 
> 
> So, the challenge is to find a model of information sharing 
> in which a 
> balance between effectiveness and the protection of 
> competitive information 
> that is slanted heavily to the latter. This on top of providing value
> to the participants. 
> 
> There are some private security alert services like this. I 
> can personally 
&g

Re: How to get better security people

2002-04-03 Thread batz


On Wed, 3 Apr 2002, Sean Donelan wrote:

:Instead of a neighborhood watch do we need a network watch?
:While we need a few people with "deep" security knowledge, we also
:need to spread a thin layer of security pixie dust throughout the
:entire organization.

The NIPC, CERT, OCIPEP(Canada) and other organizations try to 
fill this role. The Incidents mailing list also
tries to do this on a more ad hoc basis, along with the honeynet
projects, and to a great extent Nanog. If one's definition of security 
includes integrity and reliability, then Nanog has been performing
that role since its creation. 

The problem that exists with the neighbourhood watch model is that
it assumes some sort of community and, despite a few exceptions, 
there is no community of internet providers. 

There are communities of network engineers and other specialists, but 
the possibility of corporations getting together with a common goal, 
which may temporarily supersede their individual competitive advantage, 
is just not going to happen. They can have industry associations, lobby 
groups, interest groups, and other representative bodies, but community
is not one of these, and thus any network watch program which depends 
on community will be hampered. 

So, the challenge is to find a model of information sharing in which a 
balance between effectiveness and the protection of competitive information 
that is slanted heavily to the latter. This on top of providing value
to the participants. 

There are some private security alert services like this. I can personally 
highly recommend the securityfocus ARIS tool and their commercial Threat 
Management System. NAI's virus alert system is excellent, as is 
a similar service from sophos.com. 

The non-classified government briefings I have seen don't really provide 
value from an up to the minute threat analysis perspective. They might
help an executive hold an intelligent conversation on current affairs, 
but they do little for people who are responsible for protecting the
infrastructure.   

Personally, I would like to see a mixture of the MAPS RBL and 
aris.securityfocus.com available, where emerging hostile netblocks
can be blackholed for short periods of time using attack information
gathered from and corroborated by a vast array of diverse sources.  


--
batz




Re: How to get better security people

2002-04-02 Thread Jake Khuon


### On Wed, 3 Apr 2002 01:17:59 -0500 (EST), Sean Donelan <[EMAIL PROTECTED]>
### casually decided to expound upon "Christopher E. Brown"
### <[EMAIL PROTECTED]> the following thoughts about "Re: How to get better
### security people":

SD> While we need a few people with "deep" security knowledge, we also
SD> need to spread a thin layer of security pixie dust throughout the
SD> entire organization.

It's just like it is within the IETF process...  Security considerations
must be undertaken by everyone.


--
/*===[ Jake Khuon <[EMAIL PROTECTED]> ]==+
 | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
 +=*/



Re: How to get better security people

2002-04-02 Thread Sean Donelan


On Tue, 2 Apr 2002, Christopher E. Brown wrote:
>   I think it comes down to being able to deal creatively with a
> lack of total control, and find ways to limit what you cannot
> eliminate.

Security specialists can't be everywhere, can't do everything, and
can't stop every bad thing.  The reality is the people who have
the biggest impact on security don't have security in their job
title. Instead of a neighborhood watch do we need a network watch?
While we need a few people with "deep" security knowledge, we also
need to spread a thin layer of security pixie dust throughout the
entire organization.

Is it really a lack of control?  While some security specialists
carry a big stick, on most projects security is just one of
many specialities required to work together. If you are a
security specialist, just getting invited to a project before
it's finished is a major accomplishment.




Re: How to get better security people

2002-04-02 Thread Christopher E. Brown



On Sat, 30 Mar 2002, Sean Donelan wrote:
> >A basic security mindset is a combination of paranoia, a talent for
> >contingency planning, and an understanding of business need.
>
> My suggestion was to include a couple of courses in the curriculum.
>
>   1. Engineering Ethics
>How to play fair
>Right and wrong, dealing with conflicting responsibilities
>   2. Engineering Paranoia
>The world doesn't play fair
>Bad data, safety factors and progressive collapse
>
> I'm not sure you can really teach someone the right combination
> of ethics and paranoia to be successful.  I can teach anyone the
> technical stuff, or give them a really thick book.  But best
> practices aren't a substitute for understanding the business and
> sound judgement.



The problem is good security people have to cover a lot of
ground, and be at least /good/ in all of it.  They have to have a
solid understanding of all the systems and networks they are
protecting as well as the customer requirements and business cost/beni
stuff.


One issue I see is a general lack of understanding with
employers as to what is needed.  The idea of the paranoid block
everything type that must be restrained seems stuck in many minds.
Unfortunately, this leads to issues, total ICMP blocks, bad ECN
handling, etc.  As well as very little drive for people to learn what
they need.


I think it comes down to being able to deal creatively with a
lack of total control, and find ways to limit what you cannot
eliminate.


If the balance cannot be found, you end up with security
problems, or performance issues, pissed customers and broken networks.

 --
I route, therefore you are.




Re: How to get better security people

2002-03-29 Thread Sean Donelan


>A basic security mindset is a combination of paranoia, a talent for
>contingency planning, and an understanding of business need.

My suggestion was to include a couple of courses in the curriculum.

  1. Engineering Ethics
   How to play fair
   Right and wrong, dealing with conflicting responsibilities
  2. Engineering Paranoia
   The world doesn't play fair
   Bad data, safety factors and progressive collapse

I'm not sure you can really teach someone the right combination
of ethics and paranoia to be successful.  I can teach anyone the
technical stuff, or give them a really thick book.  But best
practices aren't a substitute for understanding the business and
sound judgement.




Re: How to get better security people

2002-03-29 Thread blitz



>Problem is, some feces for brains boss is always going to come along and 
>tell you to do what you know is not in the best interest of security. And 
>when the problem rears its ugly head, YOU take the heat, not the idiot who 
>insisted you go against proper procedure.

All I can advise, is document, document, document, then when it does come 
down, and they point the fickle finger of fate at you, you can always 
produce the documentation that 'da bozz' made ya do it...


>Hmm.  Incredibly biased opinion follows...
>
>A basic security mindset is a combination of paranoia, a talent for
>contingency planning, and an understanding of business need.
>
>However, the paranoia must not be so extensive as to be crippling,
>the contingency planning must not be so obsessive as to be paralysing,
>and the understanding of business need should not interfere with the
>periodic difficult and unpopular decisions that must be made to
>protect the greater good.




Re: How to get better security people

2002-03-29 Thread Sean Donelan



On Fri, 29 Mar 2002, Kelly J. Cooper wrote:
> So, just out of curiosity, why are you asking this question?

Because a couple of congressional aides asked me what I would spend
the money on.  My first response was my brain didn't know how to
spend that much money.  But then you get in the swing of things,
and it's just a few extra zeroes between friends.

The problem is the government has been spending varying amounts
of money on computer security for decades, and should they keep
giving money to the same programs they've always funded?  Or is
there something they haven't tried before that might have more
impact?

If I was king of the world, I have some opinions about cool stuff
the government could do.

But if there was something incredibly obvious that I missed, write
your elected representative.  Who knows, they might actually listen.





Re: How to get better security people

2002-03-29 Thread Kelly J. Cooper


On Mar 29,  2:22pm, Sean Donelan wrote:
> Subject: Re: How to get better security people
*
*On Tue, 26 Mar 2002, Kelly J. Cooper wrote:
*> I also had a short list of other questions that I used to try and get
*> a feel for the person's "security minded-ness" (my term, I invented it
*> a'ight?).  Because when it comes to ISP security, there's a very
*> limited pool of talent so candidates are unlikely to come in with the
*> right skillset native.
*
*What is the right mindset for ISP security.  It seems to be a little
*different from the traditional security mindset found in the corporate
*or military security world.  A lot of sharp people with that background
*try to move into ISP security, but they often have a difficult time
*making the transition.  

Hmm.  Incredibly biased opinion follows...

A basic security mindset is a combination of paranoia, a talent for
contingency planning, and an understanding of business need.

However, the paranoia must not be so extensive as to be crippling,
the contingency planning must not be so obsessive as to be paralysing,
and the understanding of business need should not interfere with the
periodic difficult and unpopular decisions that must be made to 
protect the greater good.

Specific skill-sets that are useful for ISP Operational Security 
(pick one or mix-n-match for the overachieving):

 - Incident Response/handling capability
 - Deep understanding of TCP/IP
 - Deep understanding of the design of big WANs
 - Deep understanding of the design of switched LANs (hosting ISPs)
 - Unix administration and forensics
 - Microsoft administration and forensics
 - Firewall administration and forensics

(NOTE that I'm not covering Engineering Security, at least not in
this post.)

I would say the most important skill for a dedicated ISP Security
person to have is that of incident handling.  Then again, it happens
to be the one skill out of this set that I have, so extra bias hold 
the sauce.  But hear me out...

When a customer gets hit, it can be a break-in, a DoS attack, a DDoS
attack, an insider betrayal, some accidentally free porn, a really
dumb move by the marketing department, a political sit-in, bad press,
an attempted break-in, a misconfiguration, a /. overload or something
else entirely.

Whatever it is, once the initial triage is done and the Security
person is brought in, she's got to have a broad base of knowledge
about the possibilities as well as knowledge of her own organization 
to know how to engage experts to assist.  Plus she's got to document 
the whole thing and keep track of the contributions by the customer,
by the experts, by management, etc.

A really great security team has someone with each of those skills
who can be brought into an event to help, each utilising her 
particular expertise.  They've sat in with other teams so that they
understand how the network works, how triage and trouble-shooting
are done, how teams hand things off to one another, etc.  And they
have just enough cross-training to know when they should hand off
to another security team-member.

Best case scenario, most of the team has incident handling skills so 
that no particular handler is always getting paged.

So the mindset is jack-of-all-trades rather than specifically focused
on one task.  The work is interrupt-driven rather than project or 
patch/upgrade driven.  The mindset is to share information 
(judiciously) and bring people in, rather than keeping it a secret and
doing it yourself.

Those differences might explain the difficult transitions.

*The government is about to spend a lot of
*money training students in "cybersecurity."  Congressional aides have
*been coming to Internet conferences asking people what should Congress
*spend money on.
*
*http://www.washingtonpost.com/wp-dyn/articles/A33471-2002Mar28.html
*
*But are the students really getting the right training for working in
*a public network such as an ISP?

If they're being taught about security in general, like policy and
procedure writing and management, what we mean by access controls, how 
to handle disaster recovery, crypto basics, perimeter management, 
incident response, then that's fantastic.  Even if they go to an ISP, 
they'll have the right skillset to start and they can learn the rest 
on the job.

If they are ALSO being taught network design (LAN and WAN), firewall 
basics, the value of the heterogeneous network, how packets get put 
together and pulled apart, routing, end-to-end troubleshooting, DNS 
infrastructure, and maybe the specific configuration details for some 
of the top router vendors, then they are absolutely golden to go into 
ISP Security.

But since I have no idea what they're learning, I can't comment on
that specific article.  There's some indication in the article that
students are learning system hardening.  That's usually a good skill.
There's no indicat

RE: How to get better security people

2002-03-29 Thread Tim Irwin





> What is the right mindset for ISP security.  It seems to be a little
> different from the traditional security mindset found in the corporate
> or military security world.  A lot of sharp people with that background
> try to move into ISP security, but they often have a difficult time
> making the transition.

ISPs are often in the position of having almost a conflict of interest when
compared to enterprises.  The idea of the Internet (and therefore ISPs) is
about openness and the ability to connect to anything, anywhere.
Enterprises must take almost the opposite stance of "deny all that which is
not expressly permitted".

ISPs have many customers and each customer has their own opinion about
security.  How many posts did we have recently asking which providers were
filtering things like port 80 and port 25?  The sad fact is that mucking up
what was intended to be an open network drives away customers and there will
always be someone else down the street waiting to take the customer's money
who won't do it.

I struggle with this myself.  I don't like the idea of having routers with
huge, complicated access lists all over the network.  But I don't like the
idea of being hammered by a DoS attack either.

So, I suggest that the *best* security people are those that can actually
quantify risks vs benefits, and who approach things with an "even keel".
I've talked with companies that think the primary job qualification for
security professionals is that they be obnoxious, ill-tempered, bark at
people for no apparent reason, and write nazi-like policies that stand no
chance of being adhered to.

Bottom line: There is a business to run.  Security people who don't
understand that are worthless in my opinion, no matter how technically savvy
they are.

> But are the students really getting the right training for working in
> a public network such as an ISP?

You can lead a horse to water, but you can't make him drink.  The best forum
for security education is trial by fire.

--
Tim Irwin, Sr. Network Engineer
Architecture & Engineering
BellSouth.net, Inc.
e-mail: [EMAIL PROTECTED]
office: 678.441.7951

"The plain and simple truth is rarely
plain and never simple."  --Oscar Wilde





Re: How to get better security people

2002-03-29 Thread Sean Donelan


On Tue, 26 Mar 2002, Kelly J. Cooper wrote:
> I also had a short list of other questions that I used to try and get
> a feel for the person's "security minded-ness" (my term, I invented it
> a'ight?).  Because when it comes to ISP security, there's a very
> limited pool of talent so candidates are unlikely to come in with the
> right skillset native.

What is the right mindset for ISP security.  It seems to be a little
different from the traditional security mindset found in the corporate
or military security world.  A lot of sharp people with that background
try to move into ISP security, but they often have a difficult time
making the transition.  The government is about to spend a lot of
money training students in "cybersecurity."  Congressional aides have
been coming to Internet conferences asking people what should Congress
spend money on.

http://www.washingtonpost.com/wp-dyn/articles/A33471-2002Mar28.html

But are the students really getting the right training for working in
a public network such as an ISP?




Re: How to get better security people

2002-03-27 Thread Roger Marquis


"E.B. Dreger" <[EMAIL PROTECTED]> wrote:
> Service patches were never applied.  When some suspicious
> happenings left said server inoperable, they just installed
> Win2000 and went on, not caring what had happened or why.
>
> No, I was not the employee.  A friend of mine worked there before
> getting fed up and quitting.

We see this a lot too.  It is, IMHO, why good security people who
are not in finance, defense or other security-conscious sectors
tend to be consultants.

Consultant or not, IS security gurus are no different than other
in-demand technical specialists.  You have to 1) pay them appropriately,
2) have a decent working environment (no windowless cubicles, junk
food cafeterias, inflexible hours, unskilled management, etc), and
3) provide constant training opportunities (conferences, classes,
good assignments).

Don't expect them to have programming degrees or be interested in
coding.  Those would be security developers as opposed to security
analysts.  Finally, NEVER ask a Unix literate engineer to use an
MS Windows PC...

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/




Re: FW: How to get better security people

2002-03-26 Thread J.D. Falk


On 03/26/02, Jim Popovitch <[EMAIL PROTECTED]> wrote: 

> Somehow eTrade's following response didn't make it to the list.  I think
> it's important enough to resubmit it given the erroneous info posted
> earlier.
 [ . . . ]
> This e-mail is the property of E*TRADE Group, Inc.  It is intended only for
> the person or entity to which it is addressed and may contain information
> that is privileged, confidential, or otherwise protected from disclosure.
> Distribution or copying of this e-mail or the information contained herein
> by anyone other than the intended recipient is prohibited.  If you have
> received this e-mail in error, please immediately notify the sender by
> e-mail at [EMAIL PROTECTED]  and telephone
> at (650)-331-5269.  Please delete and destroy any copies of this e-mail.

*chuckle*

-- 
J.D. Falk  once I typed "sendmail -jd"
<[EMAIL PROTECTED]>  and my hair turned blue.



FW: How to get better security people

2002-03-26 Thread Jim Popovitch


Somehow eTrade's following response didn't make it to the list.  I think
it's important enough to resubmit it given the erroneous info posted
earlier.

-Jim P.

-Original Message-
From: David Rickling [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 6:02 PM
To: 'LeBlanc, Jason'; 'Jim Popovitch'; 'Sean Donelan'; [EMAIL PROTECTED]
Subject: RE: How to get better security people


E*TRADE Financial has its full complement of System and Network Security
people still employed.  The Director and Sr. Manager of the group have been
with the Company for nearly five years and the average length of time within
the group is 2 + years.  E*TRADE Financial is dedicated to protecting its
customer assets and holds security as a core value for all associates.

David Rickling
Lead Network Engineer
Network Architecture & Integrations
E*Trade Financial

This e-mail is the property of E*TRADE Group, Inc.  It is intended only for
the person or entity to which it is addressed and may contain information
that is privileged, confidential, or otherwise protected from disclosure.
Distribution or copying of this e-mail or the information contained herein
by anyone other than the intended recipient is prohibited.  If you have
received this e-mail in error, please immediately notify the sender by
e-mail at [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> and telephone
at (650)-331-5269.  Please delete and destroy any copies of this e-mail.
E*TRADE Group, Inc. 4500 Bohannon Drive Menlo, California 94025


-Original Message-
From: LeBlanc, Jason [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 11:25 AM
To: 'Jim Popovitch'; LeBlanc, Jason; 'Sean Donelan'; [EMAIL PROTECTED]
Subject: RE: How to get better security people



What eBay does as a business is of little consequence to me, as a network
engineer, though it seems they make pretty good decisions based on things
I've seen in three years here.  That "fact" came from someone who worked for
them in Atlanta, and was merely an idle comment meant to share a bit of
information.  The tone of your reply is a bit off.

> -Original Message-
> From: Jim Popovitch [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 11:06 AM
> To: LeBlanc, Jason; 'Sean Donelan'; [EMAIL PROTECTED]
> Subject: RE: How to get better security people
>
>
> > -Original Message-
> > From: LeBlanc, Jason <[EMAIL PROTECTED]>
> >
> > On that note, Etrade laid off their entire net sec team a few
> > months back. I don't trade there no more. ;)
>
> Let me guess, eBay is moving into securities trading next
> Your "facts" about eTrade are wrong, very wrong.
>
> -Jim P.
>






Re: How to get better security people

2002-03-26 Thread E.B. Dreger


> Date: Tue, 26 Mar 2002 12:56:39 -0500 (EST)
> From: batz <[EMAIL PROTECTED]>

(snip)


> Nimda and CodeRed were excellent indicators of how a good
> security policy can be a competitive edge during (increasingly common)
> global incidents. Hopefully we will see more security folks pressing
> this message, and more decision makers hearing it. 

Sun Tzu and Lao Tze in the 3967/3561 thread...

...anyone else read Deming or other TQM proponents?  "Visible
numbers only" syndrome is the problem with many people's attitudes
toward security...

I could name a local (Wichita) company that for the longest time
was running IIS4 + SP5, vulnerable to the iishack buffer overrun.
They stored their websites and company files on said machine.
The goons^H^H^H^H^Hconsultants who set it up gave a big "it's
secure because it's NT -- look, it asks for passwords" spiel that
management bought.

Even after one of their employees _demonstrated_ how an arbitrary
person could break in.  Response?  "We're not that big... nobody
would be that interested in us."  Warnings about random scans
fell on deaf ears.

Service patches were never applied.  When some suspicious
happenings left said server inoperable, they just installed
Win2000 and went on, not caring what had happened or why.

No, I was not the employee.  A friend of mine worked there before
getting fed up and quitting.

"If it works, it must be right," versus, "It doesn't truly work
unless it's right."  I find it amusing how the same people who keep
things under tight physical lock and key are so lax and
apathetic about electronic security.

As Deming said, "People who buy on price alone deserve to get
rooked."


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 + (GMT)
From: A Trap <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <[EMAIL PROTECTED]>, or you are likely to be blocked.




RE: How to get better security people

2002-03-26 Thread Jim Popovitch


> -Original Message-
> From: LeBlanc, Jason
>
> What eBay does as a business is of little consequence to me, as a network
> engineer, though it seems they make pretty good decisions based on things
> I've seen in three years here.  That "fact" came from someone who
> worked for them in Atlanta, and was merely an idle comment meant to share a
> bit of information.  The tone of your reply is a bit off.
>

I'm sorry you feel that way; you misunderstood the tone of my reply.  Your
one-off assessment about eTrade (accented by your smirk about trading
elsewhere) was wrong, and I was just pointing that out.  To counter this is
futile, as is continuing this thread.

-Jim P.




RE: How to get better security people

2002-03-26 Thread Rowland, Alan D



A knowledgeable investor would ask your HR department a few questions:

1. Which half of the resume do you believe?

2. Is it really more economical to ignore half your talent than spend a little
checking resumes?

3. What does it say about your company's ethics that you accept that all your
employees are liars?

but then you have to find that knowledgeable investor first...

Just my 2¢ and in similar circumstances,

-Al

USAF Ret.

  -Original Message-
  From: James Smith [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, March 26, 2002 12:03 PM
  To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
  Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
  Subject: RE: How to get better security people

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, March 26, 2002 2:41 PM
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: RE: How to get better security people

  | The problem right now is if you advertise for a job, you will get
  | blasted with literally tens of thousands of resumes.  What should I
  | be telling the HR department to look for?

  New careers.

      Sean.
  =

  That's the problem. Too many folks seeing the big money going to the tech
  weenies, and upon taking an MCSE boot camp, think they now qualify for a
  senior Admin/Security job. That and resume inflation, real or perceived.
  Too much noise in the system and ineffective noise reduction methods...

  My resume is factual, and when I got out of the military, I was penalized
  by my first civilian employer. When I stated I could in fact set up a needed
  DNS, I was told they would hire it out. I asked why hire it out when I could
  do it. I was told, "we only believe half of any resume we get, and we don't
  think that you have the necessary experience." If setting up and running
  .af.mil (now gone), and doing the very first .af.mil DNS located on the
  base (complete with off-site secondaries), and running it until transitioned
  about a year later to the comm squadron folks I trained didn't count, then
  what did?

  Not bitter, though. Got a new employer...

  James H. Smith II NNCDS NNCSE
  Systems Engineer
  The Presidio Corporation



RE: How to get better security people

2002-03-26 Thread Avleen Vig


On Tue, 26 Mar 2002, Stephen J. Wilcox wrote:

> And qualifications should never outnumber instances of hands on
> experience, what good is an academic with little knowledge in the field!

Finally, people who agree with me.
How many management personnel are out there who don't have degrees? Very
few I imagine.
How many techies are out there without degrees? Quite a high number.

This industry is such that (IMHO) experience is *FAR* more valuable than
any piece of paper.

A piece of paper won't tell you what to do when you have someone in your
system, how to watch them, what to do, who to call..

-- 
Avleen Vig
Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf




RE: How to get better security people

2002-03-26 Thread Blake Fithen


It's also a matter of the market being saturated with 
unemployed people with paper certs, genuine competence,
and some with both.  The company I worked for sold out
5 months ago - I too have been looking ever since.

I've made it a point to ask the recruiters/companies 
how much interest they've had in the position.  The 
/typical/ response is "*gasp*, we've received over 1300
(thirteen hundred) resumes for this position in the 
past week, I only talk to the people who call to 
follow-up".

Extremely frustrating to say the least.

--
Blake Fithen
[EMAIL PROTECTED]
www.pobox.com/~fithen



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Avleen Vig
> Sent: Tuesday, March 26, 2002 10:39 AM
> To: LeBlanc, Jason
> Cc: 'Sean Donelan'; [EMAIL PROTECTED]
> Subject: RE: How to get better security people
> 
> 
> 
> On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
> 
> > On that note, Etrade laid off their entire net sec team a 
> few months back.
> > I don't trade there no more. ;)
> 
> Fewer and fewer companies are paying attention to network 
> security with
> the right mindset. They all want people who have been in the field for
> 7-10+ years, with 10+ years of general systems admin skills.
> 
> I'm 21. I have 5 years of combined network security and sysadmin
> experience. No-one is interested.
> I spent 5 months looking for a job, applied at at least a few hundred
> locations, only to be told each time that I didn't have 
> enough experience.
> 
> I know around 100 other security admins, and I think 2 have that much
> experience.
> 
> It's semi-understandable when a MNC wants that kind of experience, but
> when your run of the mill start up wants to too, it gets rather sick.
> These people aren't going to get what they're looking for.
> They'll realise it too late I guess.
> 
> I dropped out of security and went back to sysadmining.
> I prefer the job I have now to any I've had in the past, and 
> I wouldn't
> trade it for a security job with some of these firms in 10 lifetimes.
> 
> -- 
> Av
> Go here, now - http://www.ircnetops.org/smurf
> 
> 



RE: How to get better security people

2002-03-26 Thread James Smith





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 2:41 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How to get better security people





| The problem right now is if you advertise for a job, you will get
| blasted with literally tens of thousands of resumes.  What should I
| be telling the HR department to look for?


New careers.


    Sean.
=


That's the problem. Too many folks seeing the big money going to the tech weenies, and upon taking an MCSE boot camp, think they now qualify for a senior Admin/Security job. That and resume inflation, real or perceived. Too much noise in the system and ineffective noise reduction methods...

  My resume is factual, and when I got out of the military, I was penalized by my first civilian employer. When I stated I could in fact set up a needed DNS, I was told they would hire it out. I asked why hire it out when I could do it. I was told, "we only believe half of any resume we get, and we don't think that you have the necessary experience." If setting up and running .af.mil (now gone), and doing the very first .af.mil DNS located on the base (complete with off-site secondaries), and running it until transitioned about a year later to the comm squadron folks I trained didn't count, then what did?

Not bitter, though. Got a new employer...



James H. Smith II NNCDS NNCSE
Systems Engineer
The Presidio Corporation





RE: How to get better security people

2002-03-26 Thread batz


On Tue, 26 Mar 2002, Sean Donelan wrote:

:If I was looking for top security talent, what would I ask for whether
:I was hiring directly or outsourcing?  Do I want a bunch of ex-military,
:ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
:of which have existed for 10 years, published papers, can answer tricky
:questions about checkpoint firewalls (why is a confusing firewall
:configuration a good thing?), a college degree in crypto, big 5
:accounting firm (or is that now big 4 accounting firm)?

I would ask for personal referrals. They are generally the only thing
worth counting. 

The accounting firms have brand recognition, but the way the business 
works, you are rolling dice the same way you would using a boutique. 

Certifications are handy from a diligence perspective, but shouldn't 
be a deal breaker. Product knowledge is handy, but doesn't demonstrate
expertise. Published papers will show expertise, but not indicate 
reliability or business focus. Industry specific experience will 
demonstrate business focus, but not necessarily show clue.  Academic
credentials will show persistence and some clue, but probably won't
ultimately help you sell more widgets.   

:Likewise, if I was going to outsource.  What should I be looking for
:in a security management provider?

Track record over the last 3 years, and personal referrals. This on
top of whatever criteria you have for requiring one in the first 
place.  

Brands mean very little in the face of a referral from someone
you trust, or have paid enough to trust. Services companies' only real 
asset is their staff, and many will debase their brand by diluting
their talent pool to deliver a more reliable recurring revenue stream
to investors. 

This means fewer high clue people delivering complex but high return
services, and more middle to low end consultants delivering simple
managed services to a much broader customer base. Think of it as a 
race to the bottom.   

So, it depends on the solution you need. If you need enterprise network 
architecture, customised IDS and incident response solutions, and 
bleeding edge technology to defend your network against theoretical threats
and imagined hostile governments, find a geek-boutique of people 
who speak at blackhat briefings, tell spook stories, and can show significant
contributions in openbsd change logs. I hear some will even throw in a tinfoil
hat, gratis. 

If you need reasonably reliable, cost effective anti-virus, managed 
IDS, and a checkmark or smiley face on your next audit, but aren't 
terribly concerned about specific threats, read some Gartner Group 
reports and pick one that seems reasonable. 

I suppose this could just have been summed up by saying, get a personal
referral, as the industry hasn't been around long enough to really judge 
from track records, who can provide the best service. 

--
batz




Re: How to get better security people

2002-03-26 Thread Kelly J. Cooper


On Mar 26,  2:15pm, Sean Donelan wrote:
> Subject: Re: How to get better security people
*
*On Tue, 26 Mar 2002, Tony Wasson wrote:
*> >> If I was looking for top security talent, what would I ask for whether
*> >> I was hiring directly or outsourcing?
*>
*> I agree with Steve Wilcox, incidents are important. I would ask for a
*> description of the 3 most interesting incidents they've ever worked on,  and
*> what they contributed.
*
*I'm sorry, but that's confidential information and I can't disclose it.
*
*Would you hire a "security" person, who will likely be involved in the
*most embarrassing slip ups your company makes, if he tells people about
*"interesting" incidents at previous employers.
*
*Maybe, it depends on what he says.

Long ago and downstairs, when I used to interview people for Operations
Security, I asked each candidate whether s/he had ever handled a Denial
of Service attack or an intrusion, and if so, could they describe in 
general terms how they handled it?

I would specifically ask them to NOT provide any identifying info, just
the process (and an explication of the attack) so I could gauge their
understanding of the situation.

I also had a short list of other questions that I used to try and get
a feel for the person's "security minded-ness" (my term, I invented it
a'ight?).  Because when it comes to ISP security, there's a very 
limited pool of talent so candidates are unlikely to come in with the
right skillset native.  

But if the person comes in and s/he is someone who thinks about 
scenarios and contingency plans and has a working knowledge of 
networking/computing, then I can teach him/her everything else.

Kelly J.

-- 
Kelly J. Cooper-  Security Engineer, CISSP
GENUITY-  Main # - 800-632-7638 
3 Van de Graaff Drive  -  Fax - 781-262-2744
Burlington, MA 01803   -  http://www.genuity.net



RE: How to get better security people

2002-03-26 Thread Sean M. Doran



| The problem right now is if you advertise for a job, you will get
| blasted with literally tens of thousands of resumes.  What should I
| be telling the HR department to look for?

New careers.

Sean.



RE: How to get better security people

2002-03-26 Thread LeBlanc, Jason


What eBay does as a business is of little consequence to me, as a network
engineer, though it seems they make pretty good decisions based on things
I've seen in three years here.  That "fact" came from someone who worked for
them in Atlanta, was merely an idle comment meant to share a bit of
information.  The tone of your reply is a bit off.

> -Original Message-
> From: Jim Popovitch [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 11:06 AM
> To: LeBlanc, Jason; 'Sean Donelan'; [EMAIL PROTECTED]
> Subject: RE: How to get better security people
> 
> 
> > -Original Message-
> > From: LeBlanc, Jason <[EMAIL PROTECTED]>
> >
> > On that note, Etrade laid off their entire net sec team a few
> > months back. I don't trade there no more. ;)
> 
> Let me guess, eBay is moving into securities trading next 
>  Your "facts"
> about eTrade are wrong, very wrong.
> 
> -Jim P.
> 



Re: How to get better security people

2002-03-26 Thread Sean Donelan


On Tue, 26 Mar 2002, Tony Wasson wrote:
> >> If I was looking for top security talent, what would I ask for whether
> >> I was hiring directly or outsourcing?
>
> I agree with Steve Wilcox, incidents are important. I would ask for a
> description of the 3 most interesting incidents they've ever worked on,  and
> what they contributed.

I'm sorry, but that's confidential information and I can't disclose it.

Would you hire a "security" person, who will likely be involved in the
most embarrassing slip ups your company makes, if he tells people about
"interesting" incidents at previous employers.

Maybe, it depends on what he says.





RE: How to get better security people

2002-03-26 Thread Jim Popovitch


> -Original Message-
> From: LeBlanc, Jason <[EMAIL PROTECTED]>
>
> On that note, Etrade laid off their entire net sec team a few
> months back. I don't trade there no more. ;)

Let me guess, eBay is moving into securities trading next  Your "facts"
about eTrade are wrong, very wrong.

-Jim P.




RE: How to get better security people

2002-03-26 Thread Stephen J. Wilcox


Surely you're looking for someone who can tell you what they are trying to
protect from, i.e. hacking, DoS, DDoS, and how and why that is a security
problem..

Then I guess you want them to have had sufficient experience to know how
the different security products address these issues.

No other major points really..

Product specialisations must be a distraction - if their knowledge and
training comes from Checkpoint training then they may not know the details
of the attack method and are more familiar with config'ing a checkpoint
than what it is doing and in what areas it lacks..

And qualifications should never outnumber instances of hands on
experience, what good is an academic with little knowledge in the field!

Steve


On Tue, 26 Mar 2002, Sean Donelan wrote:

> 
> On Tue, 26 Mar 2002, Avleen Vig wrote:
> > On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
> > > On that note, Etrade laid off their entire net sec team a few months back.
> > > I don't trade there no more. ;)
> >
> > Fewer and fewer companies are paying attention to network security with
> > the right mindset. They all want people who have been in the field for
> > 7-10+ years, with 10+ years of general systems admin skills.
> 
> I attended my first IETF meeting in 1991.  There were 384 attendees.
> There are very few people who really have 10+ years experience in this
> industry.
> 
> If I was looking for top security talent, what would I ask for whether
> I was hiring directly or outsourcing?  Do I want a bunch of ex-military,
> ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
> of which have existed for 10 years, published papers, can answer tricky
> questions about checkpoint firewalls (why is a confusing firewall
> configuration a good thing?), a college degree in crypto, big 5
> accounting firm (or is that now big 4 accounting firm)?
> 
> The problem right now is if you advertise for a job, you will get
> blasted with literally tens of thousands of resumes.  What should I
> be telling the HR department to look for?
> 
> Likewise, if I was going to outsource.  What should I be looking for
> in a security management provider?
> 
> The best information security person I've ever met/worked with/etc was
> at Disney Imagineering.  I've yet to find anyone at a security consulting
> firm or other company that came close to matching him.
> 
> 
> 

-- 
Stephen J. Wilcox
IP Services Manager, Opal Telecom
http://www.opaltelecom.co.uk/
Tel: 0161 222 2000
Fax: 0161 222 2008




RE: How to get better security people

2002-03-26 Thread Sean Donelan


On Tue, 26 Mar 2002, Avleen Vig wrote:
> On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
> > On that note, Etrade laid off their entire net sec team a few months back.
> > I don't trade there no more. ;)
>
> Fewer and fewer companies are paying attention to network security with
> the right mindset. They all want people who have been in the field for
> 7-10+ years, with 10+ years of general systems admin skills.

I attended my first IETF meeting in 1991.  There were 384 attendees.
There are very few people who really have 10+ years experience in this
industry.

If I was looking for top security talent, what would I ask for whether
I was hiring directly or outsourcing?  Do I want a bunch of ex-military,
ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
of which have existed for 10 years, published papers, can answer tricky
questions about checkpoint firewalls (why is a confusing firewall
configuration a good thing?), a college degree in crypto, big 5
accounting firm (or is that now big 4 accounting firm)?

The problem right now is if you advertise for a job, you will get
blasted with literally tens of thousands of resumes.  What should I
be telling the HR department to look for?

Likewise, if I was going to outsource.  What should I be looking for
in a security management provider?

The best information security person I've ever met/worked with/etc was
at Disney Imagineering.  I've yet to find anyone at a security consulting
firm or other company that came close to matching him.





Re: How to get better security people

2002-03-26 Thread matthew zeier


> I don't know where you get your information, but E*Trade hasn't laid-off
> their network security department.  In fact, we're currently adding to it.
> I know there are some good network security experts on this list so if
> you're looking for a position then send your resume my way.

Or to me if you're in Southern California (Orange County).




RE: How to get better security people

2002-03-26 Thread Jay Fielding


Jason,

I don't know where you get your information, but E*Trade hasn't laid-off
their network security department.  In fact, we're currently adding to it.
I know there are some good network security experts on this list so if
you're looking for a position then send your resume my way.

Jay Fielding
E*Trade NetOps

-Original Message-
From: LeBlanc, Jason [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 11:28 AM
To: 'Sean Donelan'; [EMAIL PROTECTED]
Subject: RE: How to get better security people



On that note, Etrade laid off their entire net sec team a few months back.
I don't trade there no more. ;)

> -Original Message-
> From: Sean Donelan [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 25, 2002 7:05 PM
> To: [EMAIL PROTECTED]
> Subject: How to get better security people
> 
> 
> 
> 
> According to a recent salary survey telephone companies have some
> of the lowest paid information security professionals in comparison
> with other technology corporations, federal government, or financial
> companies.  When the US Transportation Security Administration (aka,
> the agency in charge of airport screeners) is paying their computer
> security people more than telephone companies, it's hard for phone
> companies to attract top security talent.
> 
> Customers need to let companies know that security and responsiveness
> affect their purchasing decisions.  I think some companies 
> are getting
> the message.  But in today's market, with tight budgets and layoffs,
> security is often viewed as overhead.  A lot of providers are lucky
> if they have one network engineer who does security stuff in her spare
> time.  Full-fledged security departments are rare.
> 
> 
> On Mon, 25 Mar 2002, Eric Whitehill wrote:
> > UUNet, by far is the best.  I've had mixed results with 
> Sprint.  A couple
> > of years ago I had to deal with Hurricane Electric and the 
> tech was really good about
> > it - he added in the ACL I needed right over the phone.
> >
> > Also, I know of a couple  providers in the upper midwest 
> that are pretty
> > good at working with DOS stuff.  Email me off list if you are
> > interested.
> 



RE: How to get better security people

2002-03-26 Thread Avleen Vig


On Tue, 26 Mar 2002, LeBlanc, Jason wrote:

> On that note, Etrade laid off their entire net sec team a few months back.
> I don't trade there no more. ;)

Fewer and fewer companies are paying attention to network security with
the right mindset. They all want people who have been in the field for
7-10+ years, with 10+ years of general systems admin skills.

I'm 21. I have 5 years of combined network security and sysadmin
experience. No-one is interested.
I spent 5 months looking for a job, applied at at least a few hundred
locations, only to be told each time that I didn't have enough experience.

I know around 100 other security admins, and I think 2 have that much
experience.

It's semi-understandable when a MNC wants that kind of experience, but
when your run of the mill start up wants to too, it gets rather sick.
These people aren't going to get what they're looking for.
They'll realise it too late I guess.

I dropped out of security and went back to sysadmining.
I prefer the job I have now to any I've had in the past, and I wouldn't
trade it for a security job with some of these firms in 10 lifetimes.

-- 
Av
Go here, now - http://www.ircnetops.org/smurf




RE: How to get better security people

2002-03-26 Thread LeBlanc, Jason


On that note, Etrade laid off their entire net sec team a few months back.
I don't trade there no more. ;)

> -Original Message-
> From: Sean Donelan [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 25, 2002 7:05 PM
> To: [EMAIL PROTECTED]
> Subject: How to get better security people
> 
> 
> 
> 
> According to a recent salary survey telephone companies have some
> of the lowest paid information security professionals in comparison
> with other technology corporations, federal government, or financial
> companies.  When the US Transportation Security Administration (aka,
> the agency in charge of airport screeners) is paying their computer
> security people more than telephone companies, it's hard for phone
> companies to attract top security talent.
> 
> Customers need to let companies know that security and responsiveness
> affect their purchasing decisions.  I think some companies 
> are getting
> the message.  But in today's market, with tight budgets and layoffs,
> security is often viewed as overhead.  A lot of providers are lucky
> if they have one network engineer who does security stuff in her spare
> time.  Full-fledged security departments are rare.
> 
> 
> On Mon, 25 Mar 2002, Eric Whitehill wrote:
> > UUNet, by far is the best.  I've had mixed results with 
> Sprint.  A couple
> > of years ago I had to deal with Hurricane Electric and the 
> tech was really good about
> > it - he added in the ACL I needed right over the phone.
> >
> > Also, I know of a couple  providers in the upper midwest 
> that are pretty
> > good at working with DOS stuff.  Email me off list if you are
> > interested.
> 



How to get better security people

2002-03-25 Thread Sean Donelan



According to a recent salary survey telephone companies have some
of the lowest paid information security professionals in comparison
with other technology corporations, federal government, or financial
companies.  When the US Transportation Security Administration (aka,
the agency in charge of airport screeners) is paying their computer
security people more than telephone companies, it's hard for phone
companies to attract top security talent.

Customers need to let companies know that security and responsiveness
affect their purchasing decisions.  I think some companies are getting
the message.  But in today's market, with tight budgets and layoffs,
security is often viewed as overhead.  A lot of providers are lucky
if they have one network engineer who does security stuff in her spare
time.  Full-fledged security departments are rare.


On Mon, 25 Mar 2002, Eric Whitehill wrote:
> UUNet, by far is the best.  I've had mixed results with Sprint.  A couple
> of years ago I had to deal with Hurricane Electric and the tech was really good about
> it - he added in the ACL I needed right over the phone.
>
> Also, I know of a couple  providers in the upper midwest that are pretty
> good at working with DOS stuff.  Email me off list if you are
> interested.