Re: How to get better security people
On Mar 26, 2:15pm, Sean Donelan wrote:
>
> On Tue, 26 Mar 2002, Tony Wasson wrote:
> > >> If I was looking for top security talent, what would I ask for whether
> > >> I was hiring directly or outsourcing?
> >
> > I agree with Steve Wilcox, incidents are important. I would ask for a
> > description of the 3 most interesting incidents they've ever worked on, and
> > what they contributed.
>
> I'm sorry, but that's confidential information and I can't disclose it.
>
> Would you hire a "security" person, who will likely be involved in the
> most embarrassing slip-ups your company makes, if he tells people about
> "interesting" incidents at previous employers?
>
> Maybe, it depends on what he says.

Long ago and downstairs, when I used to interview people for Operations
Security, I asked each candidate whether s/he had ever handled a Denial of
Service attack or an intrusion, and if so, could they describe in general
terms how they handled it? I would specifically ask them NOT to provide any
identifying info, just the process (and an explication of the attack) so I
could gauge their understanding of the situation.

I also had a short list of other questions that I used to try and get a
feel for the person's "security minded-ness" (my term, I invented it
a'ight?). Because when it comes to ISP security, there's a very limited
pool of talent, so candidates are unlikely to come in with the right
skillset native. But if the person comes in and s/he is someone who thinks
about scenarios and contingency plans and has a working knowledge of
networking/computing, then I can teach him/her everything else.

Kelly J.

--
Kelly J. Cooper - Security Engineer, CISSP
GENUITY                    Main # - 800-632-7638
3 Van de Graaff Drive      Fax    - 781-262-2744
Burlington, MA 01803       http://www.genuity.net
On Tue, 26 Mar 2002, Kelly J. Cooper wrote:
> I also had a short list of other questions that I used to try and get a
> feel for the person's "security minded-ness" (my term, I invented it
> a'ight?). Because when it comes to ISP security, there's a very limited
> pool of talent, so candidates are unlikely to come in with the right
> skillset native.

What is the right mindset for ISP security? It seems to be a little
different from the traditional security mindset found in the corporate or
military security world. A lot of sharp people with that background try to
move into ISP security, but they often have a difficult time making the
transition.

The government is about to spend a lot of money training students in
"cybersecurity." Congressional aides have been coming to Internet
conferences asking people what Congress should spend money on.

http://www.washingtonpost.com/wp-dyn/articles/A33471-2002Mar28.html

But are the students really getting the right training for working in a
public network such as an ISP?
<snip>

> What is the right mindset for ISP security? It seems to be a little
> different from the traditional security mindset found in the corporate or
> military security world. A lot of sharp people with that background try to
> move into ISP security, but they often have a difficult time making the
> transition.

ISPs are often in the position of having almost a conflict of interest when
compared to enterprises. The idea of the Internet (and therefore ISPs) is
about openness and the ability to connect to anything, anywhere.
Enterprises must take almost the opposite stance of "deny all that which is
not expressly permitted". ISPs have many customers, and each customer has
their own opinion about security. How many posts did we have recently
asking which providers were filtering things like port 80 and port 25? The
sad fact is that mucking up what was intended to be an open network drives
away customers, and there will always be someone else down the street
waiting to take the customer's money who won't do it.

I struggle with this myself. I don't like the idea of having routers with
huge, complicated access lists all over the network. But I don't like the
idea of being hammered by a DoS attack either.

So, I suggest that the *best* security people are those who can actually
quantify risks vs. benefits, and who approach things with an "even keel".
I've talked with companies that think the primary job qualification for
security professionals is that they be obnoxious, ill-tempered, bark at
people for no apparent reason, and write nazi-like policies that stand no
chance of being adhered to.

Bottom line: there is a business to run. Security people who don't
understand that are worthless in my opinion, no matter how technically
savvy they are.

> But are the students really getting the right training for working in a
> public network such as an ISP?

You can lead a horse to water, but you can't make him drink. The best
forum for security education is trial by fire.

--
Tim Irwin, Sr. Network Engineer
Architecture & Engineering
BellSouth.net, Inc.
e-mail: tim@eng.bellsouth.net
office: 678.441.7951

"The plain and simple truth is rarely plain and never simple."
--Oscar Wilde
participants (3)
- Kelly J. Cooper
- Sean Donelan
- Tim Irwin