How to get better security people

Kelly J. Cooper kcooper at genuity.net
Fri Mar 29 23:09:49 UTC 2002


On Mar 29,  2:22pm, Sean Donelan wrote:
> Subject: Re: How to get better security people
*
*On Tue, 26 Mar 2002, Kelly J. Cooper wrote:
*> I also had a short list of other questions that I used to try and get
*> a feel for the person's "security minded-ness" (my term, I invented it
*> a'ight?).  Because when it comes to ISP security, there's a very
*> limited pool of talent so candidates are unlikely to come in with the
*> right skillset native.
*
*What is the right mindset for ISP security.  It seems to be a little
*different from the traditional security mindset found in the corporate
*or military security world.  A lot of sharp people with that background
*try to move into ISP security, but they often have a difficult time
*making the transition.  

Hmm.  Incredibly biased opinion follows...

A basic security mindset is a combination of paranoia, a talent for
contingency planning, and an understanding of business need.

However, the paranoia must not be so extensive as to be crippling,
the contingency planning must not be so obsessive as to be paralysing,
and the understanding of business need should not interfere with the
periodic difficult and unpopular decisions that must be made to 
protect the greater good.

Specific skill-sets that are useful for ISP Operational Security 
(pick one or mix-n-match for the overachieving):

 - Incident Response/handling capability
 - Deep understanding of TCP/IP
 - Deep understanding of the design of big WANs
 - Deep understanding of the design of switched LANs (hosting ISPs)
 - Unix administration and forensics
 - Microsoft administration and forensics
 - Firewall administration and forensics

(NOTE that I'm not covering Engineering Security, at least not in
this post.)

I would say the most important skill for a dedicated ISP Security
person to have is that of incident handling.  Then again, it happens
to be the one skill out of this set that I have, so extra bias hold 
the sauce.  But hear me out...

When a customer gets hit, it can be a break-in, a DoS attack, a DDoS
attack, an insider betrayal, some accidentally free porn, a really
dumb move by the marketing department, a political sit-in, bad press,
an attempted break-in, a misconfiguration, a /. overload or something
else entirely.

Whatever it is, once the initial triage is done and the Security
person is brought in, she's got to have a broad base of knowledge
about the possibilities as well as knowledge of her own organization 
to know how to engage experts to assist.  Plus she's got to document 
the whole thing and keep track of the contributions by the customer,
by the experts, by management, etc.

A really great security team has someone with each of those skills
who can be brought into an event to help, each utilising her 
particular expertise.  They've sat in with other teams so that they
understand how the network works, how triage and trouble-shooting
are done, how teams hand things off to one another, etc.  And they
have just enough cross-training to know when they should hand off
to another security team-member.

Best case scenario, most of the team has incident handling skills so 
that no particular handler is always getting paged.

So the mindset is jack-of-all-trades rather than specifically focused
on one task.  The work is interrupt-driven rather than project or 
patch/upgrade driven.  The mindset is to share information 
(judiciously) and bring people in, rather than keeping it a secret and
doing it yourself.

Those differences might explain the difficult transitions.

*The government is about to spend a lot of
*money training students in "cybersecurity."  Congressional aides have
*been coming to Internet conferences asking people what should Congress
*spend money on.
*
*http://www.washingtonpost.com/wp-dyn/articles/A33471-2002Mar28.html
*
*But are the students really getting the right training for working in
*a public network such as an ISP?

If they're being taught about security in general, like policy and
procedure writing and management, what we mean by access controls, how 
to handle disaster recovery, crypto basics, perimeter management, 
incident response, then that's fantastic.  Even if they go to an ISP, 
they'll have the right skillset to start and they can learn the rest 
on the job.

If they are ALSO being taught network design (LAN and WAN), firewall 
basics, the value of the heterogeneous network, how packets get put 
together and pulled apart, routing, end-to-end troubleshooting, DNS 
infrastructure, and maybe the specific configuration details for some 
of the top router vendors, then they are absolutely golden to go into 
ISP Security.

But since I have no idea what they're learning, I can't comment on
that specific article.  There's some indication in the article that
students are learning system hardening.  That's usually a good skill.
There's no indication that students are focusing on ISP skills or on
ISP jobs.

So, just out of curiosity, why are you asking this question?

On the NSF's website, I found the Education & Human Resources (EHR) 
pages - www.ehr.nsf.gov.  It includes the Division of Undergraduate 
Education (DUE) - www.ehr.nsf.gov/due/ - which includes the Federal
Cyber Service: Scholarship for Service (SFS) page, which appears to be
the program referenced in the article.

  http://www.ehr.nsf.gov/ehr/due/programs/sfs/

But it's hard to tell without digging through each of the awards that
has been made what they're focusing on, although the general sense I
get is that they're trying to increase the number of clueful IT 
Security personnel.

So is your point idle speculation?  Or that we should be designing
curricula to increase the number of ISP Security folks?  Or are we
bemoaning the government's possibly misguided focus?

Regards,
Kelly J.

-- 
Kelly J. Cooper        -  Security Engineer, CISSP
GENUITY                -  Main # - 800-632-7638 
3 Van de Graaff Drive  -  Fax - 781-262-2744
Burlington, MA 01803   -  http://www.genuity.net
