Re: How to get better security people
On Wed, 3 Apr 2002, Richard A Steenbergen wrote:

> As for your service listing them... Smurfs aren't spam, so I'm not sure
> what you plan to accomplish by making the data available via DNS; it would
> really only be useful as a BGP feed. Even then, its usefulness is limited.
> I suppose you could null route traffic to specific broadcast addresses to
> prevent people originating smurfs from your network with minimal impact on
> legit services, or if you are a big transit provider with balls you could
> apply it to all your customers.

SAFE is a daughter-project of the IRCNetOps project (www.ircnetops.org), who are IRC network admins from small and large networks who came together last year after getting rather pissed off by constant DoS attacks. No, not just little admins with shells on little networks, but also bigger admins on the bigger networks who run servers at ISPs too. The service could be used to deny IRC access to their networks to people who come from broken networks.

> There is no protocol (disclaimer: that I'm aware of) for distributing IP
> lists that could be filtered by source address, let alone other more
> intelligent things like distributing firewall rulesets so you could pick
> off only the echo replies, BUT MAYBE THERE SHOULD BE. -- HINT!

Maybe there should be :-) Want to do it? ;-)
Re: How to get better security people
On Wed, 3 Apr 2002, batz wrote:

> Personally, I would like to see a mixture of the MAPS RBL and
> aris.securityfocus.com available, where emerging hostile netblocks can be
> blackholed for short periods of time using attack information gathered
> from and corroborated by a vast array of diverse sources.

Have a look at SAFE (url in sig). We detect smurf amplifiers and I'm currently looking at ways to export data to companies regarding large smurf amplifiers (x250 amplification) who refuse to close after X number of warnings. I expect it will run on a free, but subscribed + authenticated basis (ie, a company subscribes and gives the IPs of their DNS servers and those servers are authorized to do lookups, but script kiddies cannot).

--
Avleen Vig
Work Time: Unix Systems Administrator
Play Time: Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf
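The lookup model the two SAFE posts above sketch (an RBL-style DNS zone of amplifier networks, answered only to DNS servers a subscriber has registered, and consulted by an IRC server to turn away clients from broken networks), written out as an added Python example. This is not the SAFE service's code or anything from IRCNetOps: the zone name amplifiers.example, the 127.0.0.2 "listed" answer convention, the sample networks, the amplification figures and the subscriber resolver address are all constructed for the example, and the resolver is an in-memory stand-in for a real DNS query so the code runs offline.

```python
"""RBL-style lookup for a smurf-amplifier list run as a subscribed DNS service.

Added example, not code from SAFE or IRCNetOps.  Assumptions (all hypothetical):
the zone name "amplifiers.example"; listed networks appear as DNSBL-style
A records (127.0.0.2) under octet-reversed names; and the server answers only
resolvers whose source address a subscriber registered.  The resolver is an
injected callable backed by an in-memory zone, so the example runs offline.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Set

ZONE = "amplifiers.example"   # hypothetical zone name
LISTING_THRESHOLD = 250       # the "x250 amplification" figure from the post
LISTED_ANSWER = "127.0.0.2"   # DNSBL convention: a 127.0.0.x answer means "listed"

# Constructed sample data (RFC 5737 test networks): networks whose broadcast
# address answered a probe, with the measured amplification factor.
SAMPLE_AMPLIFIERS: Dict[str, int] = {
    "192.0.2.0/24": 312,
    "198.51.100.0/24": 48,      # below threshold: warned, not yet listed
    "203.0.113.0/24": 1024,
}

Resolver = Callable[[str], Optional[List[str]]]


def rbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the octet-reversed DNSBL query name for one IPv4 address."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def build_zone(amplifiers: Dict[str, int], threshold: int = LISTING_THRESHOLD,
               zone: str = ZONE) -> Dict[str, List[str]]:
    """Publisher side: expand every network at or above the threshold into one
    A record per address, so a plain per-address lookup matches the whole block."""
    records: Dict[str, List[str]] = {}
    for network, factor in amplifiers.items():
        if factor < threshold:
            continue
        for addr in ipaddress.ip_network(network, strict=True):
            records[rbl_query_name(str(addr), zone)] = [LISTED_ANSWER]
    return records


def make_resolver(records: Dict[str, List[str]], authorized: Set[str],
                  client_ip: str) -> Resolver:
    """Stand-in for a DNS query arriving from `client_ip`: unauthorized sources
    get None (the equivalent of REFUSED); authorized ones get the A records,
    or [] when the name does not exist (NXDOMAIN)."""
    def resolve(qname: str) -> Optional[List[str]]:
        if client_ip not in authorized:
            return None
        return records.get(qname, [])
    return resolve


def is_listed(ip: str, resolve: Resolver, zone: str = ZONE) -> Optional[bool]:
    """Subscriber side: True if listed, False if not, None if the lookup was refused."""
    answers = resolve(rbl_query_name(ip, zone))
    if answers is None:
        return None
    return any(a.startswith("127.0.0.") for a in answers)


def filter_sources(client_ips: Iterable[str], resolve: Resolver,
                   zone: str = ZONE) -> Dict[str, Optional[bool]]:
    """Check a batch of connecting addresses, e.g. before an IRC server admits them."""
    return {ip: is_listed(ip, resolve, zone) for ip in client_ips}


if __name__ == "__main__":
    zone_records = build_zone(SAMPLE_AMPLIFIERS)
    subscriber_dns = {"198.51.100.53"}                     # registered resolver
    ok = make_resolver(zone_records, subscriber_dns, "198.51.100.53")
    refused = make_resolver(zone_records, subscriber_dns, "203.0.113.9")
    print(filter_sources(["192.0.2.77", "198.51.100.7", "203.0.113.200"], ok))
    print(is_listed("192.0.2.77", refused))
```

The three-way result of is_listed matters for the subscriber: a refused lookup (None) should be treated as "unknown", not as "clean", otherwise an unregistered resolver silently disables the check. In a real deployment the source-address gate lives in the nameserver's own query ACL rather than in application code, and the zone would be regenerated as amplifiers are warned, listed and delisted.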
RE: How to get better security people
In a former life as well as my current one, we had a primary Information Security officer, and myself acting as corporate firewall engineer. I found that my own role was best performed as a network security conductor of the orchestra of sysadmins who actually built and operated our Internet systems. You build a mailing list and forward interesting stuff from CERT/CIAC/Bugtraq/etc; you try to keep everyone informed, and guide them along the way with reasonably well-stated firewall guidelines ("I'll do this, I won't do that," with some give-and-take, and a little heartache over the purity of the architecture). And you get involved with the business as much as you can to spread the network security gospel.

At some level it becomes less of a pure technical security issue, and more a social engineering challenge. Ultimately, it's all about risk management, and minimizing your risk by maximizing the knowledge flow and relationships that you build within the company.

I recognized that generally I knew more about network security and IP/TCP/UDP than the people running the systems, and at some level you only get so much system security given the knowledge of the folks involved. So you back it up with as much of a secure network environment as you can negotiate vs. the needs of the business, and make sure that the top Security dog is on the same page as you are.

Ultimately you'll have an incident in spite of your best efforts -- no matter how totalitarian you are in your security policies -- and the most important thing is to educate everyone about the factors driving the security architecture. Maybe you make fundamental changes in response to the incident, or maybe you just try to educate everyone a little better, but hopefully in either case learn something along the way.

dp

-----Original Message-----
From: Sean Donelan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 10:18 PM
To: Christopher E. Brown
Cc: NANOG
Subject: Re: How to get better security people

On Tue, 2 Apr 2002, Christopher E. Brown wrote:
> I think it comes down to being able to deal creatively with a lack of
> total control, and find ways to limit what you cannot eliminate.

Security specialists can't be everywhere, can't do everything, and can't stop every bad thing. The reality is the people who have the biggest impact on security don't have security in their job title. Instead of a neighborhood watch do we need a network watch? While we need a few people with deep security knowledge, we also need to spread a thin layer of security pixie dust throughout the entire organization.

Is it really a lack of control? While some security specialists carry a big stick, on most projects security is just one of many specialities required to work together. If you are a security specialist, just getting invited to a project before it's finished is a major accomplishment.
Re: How to get better security people
On Tue, 2 Apr 2002, Christopher E. Brown wrote:
> I think it comes down to being able to deal creatively with a lack of
> total control, and find ways to limit what you cannot eliminate.

Security specialists can't be everywhere, can't do everything, and can't stop every bad thing. The reality is the people who have the biggest impact on security don't have security in their job title. Instead of a neighborhood watch do we need a network watch? While we need a few people with deep security knowledge, we also need to spread a thin layer of security pixie dust throughout the entire organization.

Is it really a lack of control? While some security specialists carry a big stick, on most projects security is just one of many specialities required to work together. If you are a security specialist, just getting invited to a project before it's finished is a major accomplishment.
Re: How to get better security people
### On Wed, 3 Apr 2002 01:17:59 -0500 (EST), Sean Donelan [EMAIL PROTECTED]
### casually decided to expound upon Christopher E. Brown [EMAIL PROTECTED]
### the following thoughts about Re: How to get better security people:

SD> While we need a few people with deep security knowledge, we also
SD> need to spread a thin layer of security pixie dust throughout the
SD> entire organization.

It's just like it is within the IETF process... Security considerations must be undertaken by everyone.

--
Jake Khuon [EMAIL PROTECTED]
Packet Plumber, Network Engineers for Effective Bandwidth Utilisation NETWORKS
Re: How to get better security people
On Tue, 26 Mar 2002, Kelly J. Cooper wrote:
> I also had a short list of other questions that I used to try and get a
> feel for the person's security minded-ness (my term, I invented it
> a'ight?). Because when it comes to ISP security, there's a very limited
> pool of talent so candidates are unlikely to come in with the right
> skillset native.

What is the right mindset for ISP security? It seems to be a little different from the traditional security mindset found in the corporate or military security world. A lot of sharp people with that background try to move into ISP security, but they often have a difficult time making the transition.

The government is about to spend a lot of money training students in cybersecurity. Congressional aides have been coming to Internet conferences asking people what Congress should spend money on.

http://www.washingtonpost.com/wp-dyn/articles/A33471-2002Mar28.html

But are the students really getting the right training for working in a public network such as an ISP?
Re: How to get better security people
On Fri, 29 Mar 2002, Kelly J. Cooper wrote:
> So, just out of curiosity, why are you asking this question?

Because a couple of congressional aides asked me what I would spend the money on. My first response was my brain didn't know how to spend that much money. But then you get in the swing of things, and it's just a few extra zeroes between friends.

The problem is the government has been spending varying amounts of money on computer security for decades, and should they keep giving money to the same programs they've always funded? Or is there something they haven't tried before that might have more impact?

If I was king of the world, I have some opinions about cool stuff the government could do. But if there was something incredibly obvious that I missed, write your elected representative. Who knows, they might actually listen.
Re: How to get better security people
E.B. Dreger [EMAIL PROTECTED] wrote:
> Service patches were never applied. When some suspicious happenings left
> said server inoperable, they just installed Win2000 and went on, not
> caring what had happened or why.
>
> No, I was not the employee. A friend of mine worked there before getting
> fed up and quitting.

We see this a lot too. It is, IMHO, why good security people who are not in finance, defense or other security-conscious sectors tend to be consultants.

Consultant or not, IS security gurus are no different than other in-demand technical specialists. You have to 1) pay them appropriately, 2) have a decent working environment (no windowless cubicles, junk food cafeterias, inflexible hours, unskilled management, etc), and 3) provide constant training opportunities (conferences, classes, good assignments). Don't expect them to have programming degrees or be interested in coding. Those would be security developers as opposed to security analysts.

Finally, NEVER ask a Unix literate engineer to use an MS Windows PC...

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
RE: How to get better security people
On that note, Etrade laid off their entire net sec team a few months back. I don't trade there no more. ;)

-----Original Message-----
From: Sean Donelan [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 7:05 PM
To: [EMAIL PROTECTED]
Subject: How to get better security people

According to a recent salary survey telephone companies have some of the lowest paid information security professionals in comparison with other technology corporations, federal government, or financial companies. When the US Transportation Security Administration (aka, the agency in charge of airport screeners) is paying their computer security people more than telephone companies, it's hard for phone companies to attract top security talent.

Customers need to let companies know that security and responsiveness affect their purchasing decisions. I think some companies are getting the message. But in today's market, with tight budgets and layoffs, security is often viewed as overhead. A lot of providers are lucky if they have one network engineer who does security stuff in her spare time. Full-fledged security departments are rare.

On Mon, 25 Mar 2002, Eric Whitehill wrote:
> UUNet, by far, is the best. I've had mixed results with Sprint. A couple
> of years ago I had to deal with Hurricane Electric and the tech was really
> good about it - he added in the ACL I needed right over the phone. Also, I
> know of a couple providers in the upper midwest that are pretty good at
> working with DOS stuff. Email me off list if you are interested.
RE: How to get better security people
On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
> On that note, Etrade laid off their entire net sec team a few months
> back. I don't trade there no more. ;)

Fewer and fewer companies are paying attention to network security with the right mindset. They all want people who have been in the field for 7-10+ years, with 10+ years of general systems admin skills.

I'm 21. I have 5 years of combined network security and sysadmin experience. No-one is interested. I spent 5 months looking for a job, applied at at least a few hundred locations, only to be told each time that I didn't have enough experience. I know around 100 other security admins, and I think 2 have that much experience.

It's semi-understandable when a MNC wants that kind of experience, but when your run of the mill start up wants to too, it gets rather sick. These people aren't going to get what they're looking for. They'll realise it too late I guess.

I dropped out of security and went back to sysadmining. I prefer the job I have now to any I've had in the past, and I wouldn't trade it for a security job with some of these firms in 10 lifetimes.

--
Av
Go here, now - http://www.ircnetops.org/smurf
Re: How to get better security people
I don't know where you get your information, but E*Trade hasn't laid off their network security department. In fact, we're currently adding to it. I know there are some good network security experts on this list, so if you're looking for a position then send your resume my way. Or to me if you're in Southern California (Orange County).
RE: How to get better security people
Surely you're looking for someone who can tell you what they are trying to protect from, ie hacking, DoS, DDoS, and how and why that is a security problem.. Then I guess you want them to have had sufficient experience to know how the different security products address these issues. No other major points really..

Product specialisations must be a distraction - if their knowledge and training comes from Checkpoint training then they may not know the details of the attack method and are more familiar with config'ing a checkpoint than what it is doing and in what areas it lacks..

And qualifications should never outnumber instances of hands on experience, what good is an academic with little knowledge in the field!

Steve

On Tue, 26 Mar 2002, Sean Donelan wrote:
> On Tue, 26 Mar 2002, Avleen Vig wrote:
> > On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
> > > On that note, Etrade laid off their entire net sec team a few months
> > > back. I don't trade there no more. ;)
> >
> > Fewer and fewer companies are paying attention to network security with
> > the right mindset. They all want people who have been in the field for
> > 7-10+ years, with 10+ years of general systems admin skills.
>
> I attended my first IETF meeting in 1991. There were 384 attendees. There
> are very few people who really have 10+ years experience in this industry.
>
> If I was looking for top security talent, what would I ask for whether I
> was hiring directly or outsourcing? Do I want a bunch of ex-military,
> ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
> of which have existed for 10 years, published papers, can answer tricky
> questions about checkpoint firewalls (why is a confusing firewall
> configuration a good thing?), a college degree in crypto, big 5 accounting
> firm (or is that now big 4 accounting firm)?
>
> The problem right now is if you advertise for a job, you will get blasted
> with literally tens of thousands of resumes. What should I be telling the
> HR department to look for? Likewise, if I was going to outsource. What
> should I be looking for in a security management provider?

The best information security person I've ever met/worked with/etc was at Disney Imagineering. I've yet to find anyone at a security consulting firm or other company that came close to matching him.

--
Stephen J. Wilcox
IP Services Manager, Opal Telecom
http://www.opaltelecom.co.uk/
Tel: 0161 222 2000
Fax: 0161 222 2008
Re: How to get better security people
On Tue, 26 Mar 2002, Tony Wasson wrote:
> > If I was looking for top security talent, what would I ask for whether
> > I was hiring directly or outsourcing?
>
> I agree with Steve Wilcox, incidents are important. I would ask for a
> description of the 3 most interesting incidents they've ever worked on,
> and what they contributed.

I'm sorry, but that's confidential information and I can't disclose it.

Would you hire a security person, who will likely be involved in the most embarrassing slip ups your company makes, if he tells people about interesting incidents at previous employers?

Maybe, it depends on what he says.
RE: How to get better security people
| The problem right now is if you advertise for a job, you will get
| blasted with literally tens of thousands of resumes. What should I
| be telling the HR department to look for?

New careers.

Sean.
Re: How to get better security people
On Mar 26, 2:15pm, Sean Donelan wrote:
* Subject: Re: How to get better security people
*
* On Tue, 26 Mar 2002, Tony Wasson wrote:
* > > If I was looking for top security talent, what would I ask for whether
* > > I was hiring directly or outsourcing?
* >
* > I agree with Steve Wilcox, incidents are important. I would ask for a
* > description of the 3 most interesting incidents they've ever worked on,
* > and what they contributed.
*
* I'm sorry, but that's confidential information and I can't disclose it.
*
* Would you hire a security person, who will likely be involved in the
* most embarrassing slip ups your company makes, if he tells people about
* interesting incidents at previous employers?
*
* Maybe, it depends on what he says.

Long ago and downstairs, when I used to interview people for Operations Security, I asked each candidate whether s/he had ever handled a Denial of Service attack or an intrusion, and if so, could they describe in general terms how they handled it? I would specifically ask them to NOT provide any identifying info, just the process (and an explication of the attack) so I could gauge their understanding of the situation.

I also had a short list of other questions that I used to try and get a feel for the person's security minded-ness (my term, I invented it a'ight?). Because when it comes to ISP security, there's a very limited pool of talent so candidates are unlikely to come in with the right skillset native. But if the person comes in and s/he is someone who thinks about scenarios and contingency plans and has a working knowledge of networking/computing, then I can teach him/her everything else.

Kelly J.

--
Kelly J. Cooper - Security Engineer, CISSP
GENUITY - Main # - 800-632-7638
3 Van de Graaff Drive - Fax - 781-262-2744
Burlington, MA 01803 - http://www.genuity.net
RE: How to get better security people
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 2:41 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How to get better security people

| The problem right now is if you advertise for a job, you will get
| blasted with literally tens of thousands of resumes. What should I
| be telling the HR department to look for?

New careers.

Sean.

=

That's the problem. Too many folks seeing the big money going to the tech weenies, and upon taking an MCSE boot camp, think they now qualify for a senior Admin/Security job. That and resume inflation, real or perceived. Too much noise in the system and ineffective noise reduction methods...

My resume is factual, and when I got out of the military, I was penalized by my first civilian employer. When I stated I could in fact set up a needed DNS, I was told they would hire it out. I asked why hire it out when I could do it. I was told, "we only believe half of any resume we get, and we don't think that you have the necessary experience." If setting up and running deleted.af.mil (now gone), and doing the very first deleted.af.mil DNS located on the base (complete with off-site secondaries), and running it until transitioned about a year later to the comm squadron folks I trained didn't count, then what did?

Not bitter, though. Got a new employer...

James H. Smith II NNCDS NNCSE
Systems Engineer
The Presidio Corporation
RE: How to get better security people
It's also a matter of the market being saturated with unemployed people with paper certs, genuine competence, and some with both. The company I worked for sold out 5 months ago - I too have been looking ever since. I've made it a point to ask the recruiters/companies how much interest they've had in the position. The /typical/ response is *gasp*, "we've received over 1300 (thirteen hundred) resumes for this position in the past week, I only talk to the people who call to follow-up." Extremely frustrating to say the least.

--
Blake Fithen
[EMAIL PROTECTED]
www.pobox.com/~fithen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Avleen Vig
Sent: Tuesday, March 26, 2002 10:39 AM
To: LeBlanc, Jason
Cc: 'Sean Donelan'; [EMAIL PROTECTED]
Subject: RE: How to get better security people

On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
> On that note, Etrade laid off their entire net sec team a few months
> back. I don't trade there no more. ;)

Fewer and fewer companies are paying attention to network security with the right mindset. They all want people who have been in the field for 7-10+ years, with 10+ years of general systems admin skills.

I'm 21. I have 5 years of combined network security and sysadmin experience. No-one is interested. I spent 5 months looking for a job, applied at at least a few hundred locations, only to be told each time that I didn't have enough experience. I know around 100 other security admins, and I think 2 have that much experience.

It's semi-understandable when a MNC wants that kind of experience, but when your run of the mill start up wants to too, it gets rather sick. These people aren't going to get what they're looking for. They'll realise it too late I guess.

I dropped out of security and went back to sysadmining. I prefer the job I have now to any I've had in the past, and I wouldn't trade it for a security job with some of these firms in 10 lifetimes.

--
Av
Go here, now - http://www.ircnetops.org/smurf
RE: How to get better security people
A knowledgeable investor would ask your HR department a few questions:

1. Which half of the resume do you believe?
2. Is it really more economical to ignore half your talent than spend a little checking resumes?
3. What does it say about your company's ethics that you accept that all your employees are liars?

but then you have to find that knowledgeable investor first...

Just my 2¢ and in similar circumstances,

-Al
USAF Ret.

-----Original Message-----
From: James Smith [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 12:03 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: How to get better security people

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 2:41 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: How to get better security people
>
> | The problem right now is if you advertise for a job, you will get
> | blasted with literally tens of thousands of resumes. What should I
> | be telling the HR department to look for?
>
> New careers.
>
> Sean.
>
> =
>
> That's the problem. Too many folks seeing the big money going to the
> tech weenies, and upon taking an MCSE boot camp, think they now qualify
> for a senior Admin/Security job. That and resume inflation, real or
> perceived. Too much noise in the system and ineffective noise reduction
> methods...
>
> My resume is factual, and when I got out of the military, I was
> penalized by my first civilian employer. When I stated I could in fact
> set up a needed DNS, I was told they would hire it out. I asked why hire
> it out when I could do it. I was told, "we only believe half of any
> resume we get, and we don't think that you have the necessary
> experience." If setting up and running deleted.af.mil (now gone), and
> doing the very first deleted.af.mil DNS located on the base (complete
> with off-site secondaries), and running it until transitioned about a
> year later to the comm squadron folks I trained didn't count, then what
> did?
>
> Not bitter, though. Got a new employer...
>
> James H. Smith II NNCDS NNCSE
> Systems Engineer
> The Presidio Corporation
RE: How to get better security people
-----Original Message-----
From: LeBlanc, Jason

> What eBay does as a business is of little consequence to me, as a network
> engineer, though it seems they make pretty good decisions based on things
> I've seen in three years here. That fact came from someone who worked for
> them in Atlanta, was merely an idle comment meant to share a bit of
> information. The tone of your reply is a bit off.

I'm sorry you feel that way, you misunderstood the tone of my reply. Your one-off assessment about eTrade (accented by your smirk about trading elsewhere) was wrong, and I was just pointing that out. To counter this is futile, as is continuing this thread.

-Jim P.
Re: How to get better security people
Date: Tue, 26 Mar 2002 12:56:39 -0500 (EST)
From: batz [EMAIL PROTECTED]

(snip)

> Nimda and CodeRed were excellent indicators of how a good security policy
> can be a competitive edge during (increasingly common) global incidents.
> Hopefully we will see more security folks pressing this message, and more
> decision makers hearing it.

Sun Tzu and Lao Tze in the 3967/3561 thread... ...anyone else read Deming or other TQM proponents? "Visible numbers only" syndrome is the problem with many people's attitudes toward security...

I could name a local (Wichita) company that for the longest time was running IIS4 + SP5, vulnerable to the iishack buffer overrun. They stored their websites and company files on said machine. The goons^H^H^H^H^Hconsultants who set it up gave a big "it's secure because it's NT -- look, it asks for passwords" spiel that management bought. Even after one of their employees _demonstrated_ how an arbitrary person could break in. Response? "We're not that big... nobody would be that interested in us." Warnings about random scans fell on deaf ears.

Service patches were never applied. When some suspicious happenings left said server inoperable, they just installed Win2000 and went on, not caring what had happened or why.

No, I was not the employee. A friend of mine worked there before getting fed up and quitting.

"If it works, it must be right," versus, "It doesn't truly work unless it's right." I find it amusing how the same people who keep things under tight physical lock and key are so lax and apathetic about electronic security. As Deming said, "People who buy on price alone deserve to get rooked."

Eddy

Brotsman Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence