One of the most common criticisms of analysts is that, since they are no longer practitioners, they lose their technical skills and even sometimes their ability to understand technology.
To be honest, it’s a pretty fair criticism. I’ve encountered plenty of analysts over the years who devalue technical knowledge, thinking they can rely completely on user feedback and business knowledge. I’ve even watched as some of them became wrapped around the little fingers (maybe middle finger) of vendors who took full advantage of the fact they could talk circles around these analysts.
It’s hard to maintain technical skills, even when it’s what you do 10 hours a day. Personally, I make a deliberate effort to play, experiment, and test as much as I can to keep the fundamentals, knowing it’s not the same as being a full time practitioner. I maintain our infrastructure, do most of the programming on our site, and get hands on as often as possible, but I know I’ve lost many of the skills that got me where I am today. Having once been a network administrator, system administrator, DBA, and programmer, I was pretty darn deep, but I can’t remember the last time I set up a database schema or rolled out a group policy object.
I was reading this great article about a food critic spending a week as a waiter in a restaurant she once reviewed (working for a head waiter she was pretty harsh on) and it reminded me of one of my goals this year. It’s always been my thought that every analyst in the company should go out and shadow a security practitioner every year. Spend a week in an organization helping deal with whatever security problems come up. All under a deep NDA, of course. Ideally we’d rotate around to different organizations every year, maybe with an incident management team one year, a mid-size “do it all” team the next, and a web application team after that.
I’m not naive enough to think that one week a year is the same as a regular practitioner job, but I think it will be a heck of a lot more valuable than talking to someone about what they do a few times a year over the phone or at a conference.
Yep – just a crazy idea, but it’s high on my priority list if we can find some willing hosts and work the timing out.
And don’t forget to RSVP for the Securosis and Threatpost Disaster Recovery Breakfast!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading post on What Data Discovery Tools Really Do.
- Rich and Adrian on Enterprise Database Security (video).
- Rich, Martin, and Zach on this week’s Network Security Podcast.
- Mike on Amrit’s Beyond the Perimeter Podcast.
Favorite Securosis Posts
- Rich: I’m picking one of my older posts, going back to March 2008 on the Principles of Information-Centric Security. Not that our newer stuff is bad, but I like going back and highlighting older material every now and then.
- Mike: Pragmatic Data Security: Groundwork. We spend so much time focused on trying to stop the attackers to no avail; Rich’s point about making the data harder to access and/or blocking the outbound path really resonated with me.
- Adrian: Rich and my post on Project Quant for Database Security: Monitoring.
- Mort: FireStarter: Security Endangered Species List. Faster pussycat, kill, kill!
- Meier: The Rights Management Dilemma – I agree with Rich it has a place in the future, it’s just when and what it actually looks like that are the big questions for me.
Other Securosis Posts
- Pragmatic Data Security: The Cycle
- Low Hanging Fruit: Endpoint Security
- Data Discovery and Databases
- The Rights Management Dilemma
- Incite 1/20/2010 – Thanks Mr. Internet
- RSVP for the Securosis and Threatpost Disaster Recovery Breakfast
Favorite Outside Posts
- Rich: Brian Krebs’ Top 10 Ways to Get Fired as a Money Mule. It’s awesome to see Brian’s stuff without the editorial filters of a dead-tree publication, and he’s clearly going strong.
- Mike: Bejtlich on APT – Richard had two great posts this week helping us understand the advanced persistent threat. First, What is APT and What Does It Want? and then the follow-up, Is APT After You? Great stuff about a threat we all need to understand.
- Adrian: Oracle TNS Rootkit. Well done.
- Mort: Why I Don’t Like CRISC by Alex Hutton, and his excellent follow-up, Why I Don’t Like CRISC, Day Two, call out ISACA on why it’s not time for a risk based certification.
- Meier: Tor Project Infrastructure Updates in Response to Security Breach. While the Tor service itself wasn’t compromised, this just goes to show it can happen to anyone. And, well, update your Tor software to get the new authority keys.
Project Quant Posts
- Project Quant: Database Security – Audit
- Project Quant: Database Security – Monitoring
- Quant for Databases: Open Question to Database Security Community
- Project Quant: Database Security – Shield
Top News and Posts
- Microsoft issues emergency patch for the Internet Explorer 0day.
- Apple issues critical security update.
- Microsoft Confirms Unpatched Windows Kernel Flaw.
- Elsewhere in the news: The Danger of Open APIs
- RockYou breach leaks passwords. In an ironic way, RockYou just provided some value to the community by providing a good pentest dictionary and showing weak passwords are common. But then again, if you are using RockYou, do you care?
- Firefox 3.6 includes some security goodies – especially nice is detecting outdated plug-ins, such as Flash.
- The D-List interview with Jack Daniels.
- Andrew Jaquith at Forrester with our most amusing post of the week.
- Network Solutions customers hacked and defaced with a remote file inclusion vulnerability.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment comes from Fernando Medrano in response to Mike’s FireStarter: Security Endangered Species List.
While I do agree with many of the posts and opinions on this site, I disagree in this case. I believe AV and HIPS are still important to the overall protection in depth architecture. Too many enterprises still run legacy operating systems or unpatched software where upgrading could mean significant time and money. While in a perfect world I would love having all systems on the latest operating system with the latest patches, that just isn’t realistic in every scenario.
I also don’t believe that white listing can function as a complete replacement to AV, just as a complement. I cannot speak with complete authority to this subject as I have not had experience with many products. However, I could envision cases such as the Adobe exploits that might run as part of Adobe (which white listing policy might permit) yet executing embedded malicious code.
HIPS is referred to in this article as signature based, however most of the HIPS products I have used have had little or no use of signatures. HIPS products which I have experience with learn the system calls of an application and map out their logical flow. Any deviations from this flow are then blocked. This is more of a white listing technique than black listing. I may have missed some research done on the effectiveness of this technique, but I see this as a great complement to AV and white listing on high priority systems.
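To make the two points in Fernando’s comment concrete, here is a small added example (written for this summary; it is not code from Securosis, from the commenter, or from any HIPS product). It builds the kind of system-call flow whitelist he describes: learn which call-to-call transitions a benign application makes, then flag any trace that steps outside that flow. The syscall names and traces are constructed for illustration, and the “document reader” they stand for is hypothetical. It also shows both of his caveats: a whitelisted process that starts executing embedded code drifts off the learned flow (and a signature blacklist that doesn’t know that sequence misses it), while a benign-but-unseen sequence gets blocked too, which is why the model’s completeness matters.

```python
"""Toy system-call flow whitelist, in the style of a learning HIPS.

Added example, not from the original post or comment. All traces and
signatures below are constructed for illustration.
"""
from collections import defaultdict

# Constructed training traces: call sequences observed while a hypothetical
# document reader opens and renders files normally (its "learning" phase).
TRAINING_TRACES = [
    ["open", "fstat", "mmap", "read", "close", "write", "exit"],
    ["open", "fstat", "read", "read", "close", "write", "exit"],
    ["open", "mmap", "read", "close", "exit"],
]

# Constructed signature blacklist: one "known bad" call sequence.
# A signature-based check only matches sequences it has seen before.
KNOWN_BAD_SEQUENCES = [("ptrace", "execve")]

# Constructed trace of the same (whitelisted) reader after a malicious
# document makes it spawn a process and open a network connection.
EMBEDDED_CODE_TRACE = ["open", "fstat", "mmap", "read", "execve", "socket", "connect"]

# Constructed benign trace the learning phase never observed.
UNSEEN_BENIGN_TRACE = ["open", "read", "close", "exit"]


def learn_flow(traces):
    """Map each call to the set of calls allowed to follow it (the learned flow)."""
    allowed = defaultdict(set)
    for trace in traces:
        for current, following in zip(trace, trace[1:]):
            allowed[current].add(following)
    return dict(allowed)


def check_trace(allowed, trace):
    """Return every (position, call, next_call) transition outside the learned flow."""
    deviations = []
    for i, (current, following) in enumerate(zip(trace, trace[1:])):
        if following not in allowed.get(current, set()):
            deviations.append((i, current, following))
    return deviations


def flow_verdict(allowed, trace):
    """Whitelist behaviour: block on any deviation from the learned flow."""
    return "block" if check_trace(allowed, trace) else "allow"


def signature_verdict(trace, signatures=KNOWN_BAD_SEQUENCES):
    """Blacklist behaviour: block only if a known-bad sequence appears."""
    pairs = list(zip(trace, trace[1:]))
    return "block" if any(sig in pairs for sig in signatures) else "allow"


MODEL = learn_flow(TRAINING_TRACES)

if __name__ == "__main__":
    for name, trace in [("training trace", TRAINING_TRACES[0]),
                        ("embedded-code trace", EMBEDDED_CODE_TRACE),
                        ("unseen benign trace", UNSEEN_BENIGN_TRACE)]:
        print(f"{name}: flow={flow_verdict(MODEL, trace)} "
              f"signature={signature_verdict(trace)} "
              f"deviations={check_trace(MODEL, trace)}")
```

The interesting output is the last two rows: the embedded-code trace passes the signature check (its sequence isn’t in the blacklist) but is blocked by the flow model at the first `read -> execve` step, while the unseen benign trace is also blocked, purely because training never showed `open -> read`. In a real deployment that second case is the false positive you tune out with more training data or a per-application policy, which is the trade-off behind treating this as a complement to AV rather than a replacement.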