Re: Security books, portals, blogs and videos

[Bob Radvanovsky <rsradvan () unixworks net>]

So...you think that simply doing good, hard work will get you recognized and noticed within your company?  Interesting.

In my humble opinion, most (not all, but most) companies today have a slightly different attitude: "get what you can, 
as fast as you can".  It says nothing about hard work or "paying your dues" (which is essentially what you are 
stipulating).  I agree in that getting more actively involved within ones business organization, participating in the 
local communities is a "good thing"; however, there are a few more things (of which, you hit just a few) that many 
companies want in security folks today (of which, the TOP 3 factors are "INTERPERSONAL SKILLS"):

1.  Good "people skills".  You pretty much nailed that right on the head.  If you want to be well respected in the 
community, you need to be able to interface nicely with other people, and work with all sorts of different mental 
capacities.  Most business folks are considered "technically incompetent"; but then again, their focus is business, 
marketing and making money for their organization.  As a security analyst or administrator, your job will be to provide 
the "cold hard facts" in 30 seconds or less, 15 seconds or less if a summary.

2.  Excellent communications skills.  Just because you can interface with people doesn't mean that you are a good 
communicator or presenter.  This is highly important.  This esp. holds true of providing a VERY short report to 
management in written form.  The rule of 1/2 page or less still holds true; the more said with less -- the better.

3.  Dress nice and present you in a professional manner.  If you are technically competent, can walk the walk, talk the 
talk, but dress like a slob, people won't ever believe you.  Look the part, too.

4.  Be technically competent.  Don't state that you know something, SHOW that you know something.  Obviously, don't do 
something of an illegal nature (and nowadays, doing things without doing something illegal is getting more difficult to 
pose esp. to management).  Judge your management yourself and state to them that you'd like to try a different venue in 
something that (perhaps) combines your current technical skills with something that you'd like to accomplish, such as 
security.

5.  Know your audience.  For anything that you do, know the type of audience that you will be catering towards.  The 
better the manner that you can cater your message to different audiences, the better for you.  

6.  [OPTIONAL] Write whitepapers and publish them (if possible).  This (obviously) is an optional thing, but writing 
whitepapers shows just how much you do or don't know about something.  It also shows and demonstrates to people your 
critical thinking capabilities.  This step is optional.  If you don't feel comfortable writing whitepapers, this isn't 
a "show stopper", but do know that this will provide you with a good practice medium for your target audiences, which 
can be anywhere from government officials to corporate executives to front-line managers.  if you want some ideas about 
subject to write about, there are plenty of places to read up on them.  A "whitepaper" is nothing more than presenting 
ideas or theories without really proving them.  If at all, it shows people that you can be objective about things, or 
can thinking differently than most people can.  Here are a few examples from my web site: 
http://www.unixworks.net/uw-research.html.

7.  [OPTIONAL] Write a book.  If you have an idea that you'd like to present, and cannot seem to get noticed, write a 
book about it.  You won't get rich doing it, but might get that job you've always wanted.  ;))

8.  Get involved with your community.  For starters (and it looks like you've started good by asking questions), get 
involved with several online INFOSEC blogs and groups.  Participate in them and be as objective as possible.  Try and 
NOT show too much biasness.  Showing a strong or stern biasness gets your ignored, not noticed.  If you are biased 
about something, make sure that you have sufficient proof to back your claim.  I generally take the attitude that I am 
open to suggestions or alternative solutions PROVIDED THAT the opposing party has an equally objective response.  If 
they’re objecting you simply to object you, take notice of it and move on.  There are people out there that nothing 
better to do with their time (and you know who you are people -- at least, the NSA does) than to be nitpicky and 
criticize anything and everything that others have started doing or stated.

9.  Research, research, research.  Don't be a "book worm".  Practice, practice, practice.  If you have the time and/or 
money, build your own research laboratory.  I know that I'm not the only one who has a private research lab.  There are 
others out there, like me, who are inquisitive about things, ask ALOT of questions, and do ALOT of reading and 
researching.  Remember: Google is your friend.  here are pictures of my lab: 
http://srvr1003.unixworks.net/www/unixworks.net/lab.cgi/uw-040722.

10. Have fun.  If you don't do what you do that voodoo that you do, people will notice.  Meaning, if you're in it 
strictly for the money and NOT because you enjoy solving problems, making more money, and like helping people out, then 
it will show.

I hope that these objectives help out.  If you want to have an offline discussion, send me an email personally, and I 
would be more than happy in helping you out.  ;))

Good luck.

-r

----- Original Message -----
From: offset [mailto:offset () ubersecurity org]
To: security-basics () securityfocus com
Subject: Re: Security books, portals, blogs and videos


> I know way too many certified people that dont know sh*t in the trenches. 
> Businesses that put too much emphasis on certs and not experience I would
> stay away from.  Personally, I am more suspicious of someone with a lot of
> certs with no experience to back it up.  If something is broken at 2am, you
> better figure it out or know how to get help.  The business generally still
> pays the bills and they hired you to keep the business secure (even if the
> business in many cases is their own worst enemy (lack of funding, training,
> priorities)).
>
> A UNIX admin wanting to jump to security?  How good is your network of
> people?  Do people know that you like security? Most jobs are through word
> of mouth/recommendations.  Attend local security sig user groups, volunteer
> to be the security advocate for your area of responsibility, do something in
> the field you want to pursue.  Maintain the UNIX hardening scripts at your
> company, research security in the area that you already have strengths in,
> expand later.  At the end of the day, you have to know what you are doing,
> be very strong technically, have good people skills.  Having worked in the
> InfoSec field for awhile, it was always great to have those with a security
> mindset that are closest to the systems, as no matter the level of
> separation of duties, you will have more success having a positive working
> relationship with the technical groups than an adversarial relationship.  If
> a job opening presents itself in the InfoSec group, the security minded
> technical person that I worked with previously would be high on my list of
> candidates.
>
> -off
>
> On Sat, Sep 09, 2006 at 10:32:43PM -0400, Miguel Valentin wrote:
> > I don't work in the security field nor am I certified in any security
> > profession. I guarantee you that being a bookworm is not going to get you
> > anywhere as far as a job is concerned. If you want further proof of this
> go
> > to www.scmagazine.com and check out their story on certifications and the
> > process required to get certified as security professional. I work in Unix
> > and have been since '95 and I've learned more from other's in my field,
> > hands-on / classroom training than from books alone. No one is going to
> hire
> > someone especially in the security field just because you studied the
> books
> > and passed the tests. A lot of what a security professional knows is
> derived
> > from years spent working in I/T and he/she most likely progressed from
> > System Administration position's to the security field. You must know your
> > enemy in order to defeat your enemy!! Most security professionals have
> > worked in I/T for approximately 10 or more years before jumping into the
> > security field. You can't get that same knowledge and expertise from just
> > reading books, blogs, or magazines. You're probably thinking that if I'm
> not
> > certified in security then how would I know this? Because I keep up with
> > what's going not only in my own field, Unix, but everything that happens
> in
> > the I/T in general. I receive emails daily from Security focus on
> different
> > security-related topics and from other website's, magazine's, and just
> plain
> > ol' detective work on my part throughout the internet. Plus I also pick
> the
> > brains of my fellow co-worker's on what's going on that they may know that
> I
> > missed. Does that give me the knowledge necessary to just read a few books
> > and then take the exams to become certified as a security professional??
> > No!! Why?? Because I lack the daily hands-on knowledge necessary to know
> > what to do, what to look for, how to use the various tools security
> > professionals use when doing forensic work, and most of all the skill's to
> > do all this and present it to management in a manner in which they
> > understand. Plus everything else a security professional needs to know in
> > order to be able to effectively market them self. In other words, you have
> > to know how to walk the talk. Paper certifications will get you no where
> if
> > you can't show that you know how to do what is expected of you. In the
> early
> > 90's when Novell was the King of Network's there were lot's of guy's out
> > there selling themselves off as CNE's, CNA's, and whatever other title
> > Novell gave out. But when they tackled their first assignment they fell
> flat
> > on their face because they were what was then called "Paper CNE's" or
> "Paper
> > CNA's". They took the same approach you're trying and it didn't do
> anything
> > good except cause themselves much embarrassment and ultimately getting
> > fired. Go around the internet a few times and find out exactly what is
> > required in order to get into the security field CORRECTLY before going
> > about it the way you intend to. Later on you'll be glad you did. ISC(2) is
> a
> > good place to start and the SANS website is another as is
> > www.securityfocus.com They have ton's of information online to give you an
> > idea of what is required and how to go about it. Good luck in whatever you
> > choose to do!!
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On
> > Behalf Of sun sadm
> > Sent: Saturday, September 09, 2006 11:50 AM
> > To: security-basics () securityfocus com
> > Subject: Security books, portals, blogs and videos
> >
> > Hi colleague,
> >
> > I work since a few years in Sun Solaris system administration. I wish
> > to get a job as security professional, rather than UNIX guy. By auto
> > didactic training I will get the necessary knowledge for information
> > security.
> >
> > - What books would you recommend me? Whats essential reading for every
> > security guy?
> > - What blogs you recommend me?
> > - What print magazines and online portals?
> >
> > Generally speaking: What did you do to get a job in security field?
> >
> > thanks
> > Nico
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence 
> in Information Security. Our program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Using interactive e-Learning technology, you can earn this esteemed degree, 
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------