Wed, 30 January 2008
Rich and I were joined by a pair of special guests tonight, Marcin Wielgoszewski and Andre Gironda from the ts/sci security blog.
The story goes something like this: Andre and Marcin plied Rich with
beer after the last SunSec meeting until he agreed to let them on the
podcast. In any case, Marcin and Andre bring a level of web
application security knowledge we don't often have on the podcast.
They'll be giving a talk at Shmoocon called Path X: Explosive Security Tools using XPath. Good luck guys, I just wish I could be there (with a couple of shmooballs).
Show Notes:
Time: 35:48
Wed, 23 January 2008
We're back to a standard format tonight with Rich and I catching up on
recent events in our lives and talking about current events in security. We talk about our brief meeting while he attended Macworld and I went to watch Fortify's New Face of Cybercrime. As I promised over the weekend, we talk about credit protection and the companies offering it. Thanks to reader Ed, who gave us more information on the companies in the field.

We wrapped up tonight with some career advice for reader Roman Daszczyszak. Rich and I respond to Roman as best we can in a short time, but I know there are others out there who will be able to add a lot more to what we've said. I'm including Roman's email in the extended show notes; please leave comments with suggestions of your own for the next step in his career.

Show Notes:
Time: 40:30

Roman's Letter:

I've been listening to the netsec podcast for a couple of months now, along with going back and listening to the older ones as my commute allows. I recently listened to one referencing the August 2007 Security Roundtable regarding security careers and wanted to ask some questions. The SR podcast seemed to deal with the means of finding a security job, which is always good to know, but I am more concerned with what types of jobs are out there and what skillsets are "Good to have", "Must have" and similar. I realize that information security is a large field, and skills for one job do not necessarily translate into skills for another, but I believe there is a great deal of overlap. Let me give a brief overview of my own situation and maybe what I'm asking will be a bit clearer.

I'm relatively new to the IS field. My current job is an information systems security guy for the US military, with 4 years prior experience as a soldier doing similar work. As a soldier, I was stuck with the 'many hats' problem, being lead systems administrator, squad leader, information assurance officer, COMSEC officer, along with my standard duties (Humvee driver and user-level mechanic, etc.). FYI, 'officer' is misleading; I was a junior enlisted with a lot of responsibilities yet little authority. The job did give me a taste for security work though, and once my enlistment was up, I switched to being a contractor. My current job has allowed me to focus on information security, but I am the only person in the shop specifically tasked for it. Most of the shop is composed of Windows systems administrators whose security experience seems to be "rather light". I had hoped to work with a team of security professionals first as a junior member, to gain experience and sponge off their collective knowledge, but that isn't the case so far.

I have been working in this job for almost three years now and know that I do not plan to stay more than an additional two years at most. It's a good job, but I feel that I will have done all I can for them and me by that point. I feel this would be different if I were not "on my own" as it were, but I do not foresee that changing. Recently, I did obtain my CISSP (partly my own initiative, partly due to DoD Instruction 8570.1 requiring certification for government IA personnel). I am aware of several broad areas of 'jobs', such as a penetration tester, security auditor (like your new job, congrats!), and technically-specific jobs (firewall administrator, IDS administrator, etc.). In planning for 'my next step' I would like to figure out which way to go, and thus what sort of skills are important (or will be, which I don't expect you to prognosticate) in these areas. The areas I feel are important are programming, understanding the basic technologies "out there", understanding how they all work together, and most importantly how the organization's business works so these technologies can be applied securely. To that end, I read O'Reilly books almost every night, along with going to school to finish my Bachelors (see below for more on that). I'm working on learning Perl for its versatility, yet I really hope to get a good foundation in 'programming' in general (via school and self-study) so that as vulnerabilities come out, I can at least understand what it is and really, how much of a threat it can be to an organization. I want to understand the technologies, so that I truly can secure what the organization is using (as well as know when the sysads are trying to snow me). At the same time, I know security isn't all about technology; the users and human processes are THE weakness normally. Does this mean I need to pick up a minor or double major in Business? Will I hate myself afterwards? :)

Speaking of school, I'm a 'non-traditional student' currently attending a school that really caters to soldiers trying to pull off 'some sort of degree while being in non-optimal locations', so the degree choice I have for computers is 'Computer and Information Sciences' which really feels like 'CompSci lite; aka lacking higher math requirements'. I have the option of moving to a better location to get an actual Computer Science or Computer Engineering degree, but I'm not sure if that would be relevant or necessary to security. I agree with the SR points about writing well, being able to network, and sell yourself, but my question comes down to, 'OK, I sold myself and got the job; now what?'

Thank you for taking the time (in advance) to read this. I look forward to your thoughts; I'm not expecting the 10 commandments or something, just hoping for some sound advice from someone with more experience/greater depth in the field than I currently possess.

Regards,
Roman
Wed, 16 January 2008
Martin is flying solo on the podcast tonight, sort of. Rich is at
Macworld this week and phoned in two segments, one on Steve Jobs'
keynote address and one on security vendors at the show. Add to that
one Mac-related security item and we've got a pretty Apple-heavy show
this week. Everyone else in anything related to tech is covering
Macworld, so why not us?
Show notes:
Time: 27:41
Tue, 8 January 2008
We're back, just not as soon as we'd hoped. I'm on some older sound
hardware, since I'm waiting for the coffee to finish drying inside my
Yamaha mixer after last Friday's server meltdown.
And maybe older is better, since Rich and I had pretty good sound this
week. We're getting the year started with a topic that's near and dear
to both Rich and me, Privacy. Rich will be at Macworld next week, so I
may be flying solo. Won't that be strange?

If you haven't already done so, please subscribe to the FeedBurner RSS. The old feeds are permanently broken.

Show Notes:
Network Security Podcast, January 8, 2008 - Episode 89
Time: 35:26