Last weekend was a little oasis in the NFL desert that has been this offseason. It looked like there would be court-ordered peace, now maybe not so much. The draft reminded me of the possibilities of the new season, at least for a little while. One of the casualties of this non-offseason has been free agency. You know, where guys who have put in their time shop their services to the highest bidder.

It’s not a lot different in the workforce. What most folks don’t realize is that everyone is a free agent. At all times. My buddy Amrit has evidently been liberated from his Big Blue shackles. Our contributor Dave Lewis also made the break. Both announced “Free Agent Status Engaged.” But to be clear, no one forced either guy to go to work at their current employer each day. They were not restricted (unless a heavy non-compete was in play) from taking a call from a recruiter and working for someone else. That would be my definition of free agency, anyway.

But that mentality doesn’t appear to be common. When I first met Dave Shackleford, he was working for a reseller here in ATL. Then he moved over to the Center for Internet Security and we worked together on a project for them. I was a consultant, but he made it clear that he viewed himself as a consultant as well. In fact, regardless of whether he’s working on a contract or a full-time employee, Dave always thinks of himself as a consultant. Which is frickin’ brilliant.

Why? Because viewing yourself as a consultant removes any sense of entitlement. Period. Consultants always have to prove their value. Every project, every deliverable, every day. When things get tight, the consultants are the first to go. Fail to execute flawlessly and add sufficient value, and you won’t be asked back. That kind of mindset seems useful regardless of job classification, right?

Consultants also tend to be good at building relationships and finding champions. They get face time and are always looking for the next project to sink their teeth into. They actively manage their careers because no one else is going to do that for them. Again, that seems like a pretty good approach even inside an organization. Either you are managing your career or it is managing you. Which do you prefer?

As happy as I am for Amrit and Dave as they embark on the next step of their journeys, I wish more folks would consider themselves perpetual free agents and start acting that way. And it’s not necessarily about always looking for a bigger and better deal. It’s about being in a position to choose your path, not have it chosen for you.

-Mike

Incite 4 U

1. This is effective? I saw a piece on being an “effective security buyer” by Andreas Antonopoulos and I figured it was about managing the buying process. Like my eBook (PDF) on the topic. But no, it’s basically what to buy, and I have some issues with his guidance. Starting from the first, “never buy a single-purpose tool.” Huh? Never? I say you get leverage where you can, but there are some situations where you have to solve a single problem, with a single control. To say otherwise is naive. Andreas also talks about standards, which may or may not be useful depending on the maturity of what you are buying. Early products, to solve emerging problems, don’t know dick about standards. There are no standards at that point. And even if there are, I’d rather get stuff that works than something that plays with some arbitrary standard. But that’s just me. To be fair, there is some decent stuff in here, but as always: don’t believe everything you read. – MR
2. Game over, man! Sony is on track to win the award for most fscked-up breach response of 2011. Any time you have to take your entire customer network down for two weeks, it’s bad. Telling 77 million customers their data might be compromised? Even worse. And 10 million of them might have had their credit cards compromised? Oh, joy. But barely revealing any information, and saying things like “back soon”? Heh. Apparently it’s all due to SQL injection? Well, I sure hope for their sake it was more complex than xp_cmdshell. But let’s be honest: there are some cultural issues at play here, and a breach of this magnitude is no fun for anyone. – RM
3. ePurse chaser: eWallets are the easy part of mobile payment security. The wallet is the encrypted container where we store credit cards, coupons, signatures, and other means of identification. The trouble is in authenticating who is accessing the wallet. Every wallet has some form of an API to authenticate requests, and then return requested wallet contents to requesting applications. What worries me with the coming ‘eWallet revolution’ (which, for the record, started in 1996) is not the wallets themselves, but how financial institutions want to use them: direct access to point of sale devices through WiFi, Bluetooth, proximity cards, and other near-field technologies. Effectively, your phone becomes your ATM card. But rather than you putting your card into an ATM, near-field terminals communicate with your phone whenever you are ‘near’. See any problems with that? Ever had to replace your credit card because the number was ‘hacked’? Ever have to change your password because it was ‘snooped’ at Starbucks? Every near-field communication medium becomes a new attack vector. Every device you come into contact with has the ability to probe for weakness. The scope of possible damage escalates when you load arbitrary billing and payment to the phone. And what happens when the cell is cloned and your passwords are discovered through a – possibly unrelated – breach? It’s not that we don’t want financial capabilities on the phone – it’s that users need a one-to-one relationship with the bank to reduce exposure. – AL
4. Mac users: BOO! A new version of scareware hit over the weekend, called MAC Defender (Help Net has a good overview), which basically hijacks a Mac – requesting credit card information to make it stop. It’s not very sophisticated, but very effective. Unfortunately I know because I got a call from a buddy who inadvertently installed it on Saturday. Thankfully he called, as opposed to just entering his card information. Although it only took me 3 minutes to clean up, I spent another 15 minutes explaining why it happened and what he shouldn’t do (like installing software he’s not sure about). The moral? Malware will happen, on all platforms. Spend some time educating folks on what not to do, and maybe you can avoid having to wipe their machine. Ask Rich about that. – MR
5. Standardizing on OS X: My wife stumbled on a drive-by anti-virus scare this weekend while searching for images on Google. She hit a certain site and was immediately informed “Windows has determined your computer is infected with a virus” – which is interesting, particularly because her Mac is not on speaking terms with Windows. But we share an office, so she gets to hear me talk security ad nauseam every day, and realized clicking anything is bad (this is the MAC Defender issue mentioned above). Turns out it only iFramed her session, and any possible malware installs were averted. I looked at her computer and learned she hasn’t activated ant security settings in her browser, nor any security plug-ins, nor will she tolerate me installing them. Had the script been written better, it could have tricked her into installing something. And if the designer had the knowledge, targeting OS X would be just as easy. Any real infection would be beyond my skill to surgically remove, so I’d be forced to wipe out the OS and start from scratch. I found myself annoyed that my wife is willing to accept the catastrophic future event rather than suffer the small daily inconvenience of security. I am also annoyed that ZDNet-tards make so many blind and ignorant predictions, that sooner or later they’ll get one right like a stopped clock. I think with Crimeware Kit Emerges for Mac OS X, and its growing popularity making Mac OS X a more attractive target, this is a future certainty. – AL
6. Good company: It sure is nice to get some validation that you are aren’t steering people down the wrong road. Especially when it comes from folks like the NSA, who just released some advice on securing home computers. Use a modern operating system? It’s in there. Sandbox your web browser? Yep. Data protection on the iPad? You betcha. Heck, they even recommend using an alternate DNS provider, 3G or VPN on mobile devices, care with social networking, watching GPS coordinates in photos, and a lot of other stuff that’s bread and butter to us security folks. Now you can wave this in the face of all your family members and tell them you’ve been right all along and the NSA has your back. Or watches your back. Or watches you. I always get those confused. – RM
7. InfoSec books: Cost vs. Value?: Lenny Zeltser wonders how much an InfoSec book should cost, and I, of course, have got an opinion. Having self-published The Pragmatic CSO, a lot of folks (even Mort when I first launched) were somewhat offended at the cost of $97. The books Lenny references range from free to $795 for Charles Cresson Wood’s policy book. Do I think the P-CSO is expensive? It depends. If you are a student hoping one day to become a CISO, then yes, it’s very expensive. But students aren’t the target audience. I wrote it for technical practitioners who finds themselves in management positions, with no idea what to do. Those folks (or more to the point, their companies) will gladly pay $100, if it helps them do their job even just a little better. Given that CISOs tend to cost upwards of $200-300K per year, getting one idea from my book immediately provides great ROI. And keep in mind that this is a limited market, and the more specialized (and small) the market, the higher you expect the price to be. – MR