
Who Needs Hackers?

Last week's New York Times had an interesting article (Who Needs Hackers?) on the differences between a network architecture failure and the more sensationalized "Hollywood" hacker attacks.

"We don’t need hackers to break the systems because they’re falling apart by themselves," said Peter G. Neumann . . . Steven M. Bellovin, a professor of computer science at Columbia University, said: "Most of the problems we have day to day have nothing to do with malice. Things break. Complex systems break in complex ways."

What sounds more interesting to you: hold a briefing that says "nasty hackers infiltrated the airline's reservation system and wreaked havoc" or the "DMZ was improperly isolated at layer 2 and rapid MAC address flooding from a bargain NIC caused the switches to fail?" In the former, the organization can blame the "evil-doers"; in the latter, the problem is a lack of proper planning.

You may find it odd that as an information security company that performs penetration testing, we're pointing out an article that says "hey, hackers might not be your #1 issue." Yes, you may find it odd, until you realize that we offer--and have offered, since day one--network infrastructure design and audit services. Ah yes, I can hear the cash register "ding" from across the office.

Friends (and potential customers), the truth is that without a solid review of your foundation, a penetration test alone will not provide you with the most accurate view of your organization's security posture. Let us pore through your massive stack of Visio diagrams and router ACLs and we'll provide effective and thoughtful optimization recommendations.

CISSP, GSEC, or a little hands on

There is nothing like feeling like you are late to the game (4th quarter, up by 20 -- put in Shaw), but I had to chime in on the recent blog cage fight between CISSP'ers and GSEC'ers. Having the painful distinction of passing the CISSP on two occasions (more on that later) and being the fourth person to complete the GSEC (#13, but they started counting at 10), I have a little history on which to build my soapbox.

The differences between the two certifications and the impacts they can, and likely will, have on a security professional's career are significant:

When I was doing IT contract work for the Navy in Charleston, I stumbled upon a relatively new organization: SANS. At the time, I had little functional knowledge of security and their GSEC track seemed like a great introduction to "usable" information security. The sub-sections included OS Security (Unix/Windows), encryption, and the use of specific tools (l0phtcrack). The lessons were at times rough around the edges, but I felt like my interests were piqued, which was what I needed to make a career change. I am embarrassed to reread my paper, but it is a good reminder of where I was in IT. When my GSEC finally expired, I didn't realize it, nor did I worry about it. The GSEC to me is more of a point in time achievement. It was a tool that helped me learn and explore the field. I approached the GCIH in much the same way. FINAL THOUGHT: If you are interested in information security, getting started in the field, or have a job related need to interface with infosec staff, the GSEC is a well-rounded certification that touches on numerous practical elements of information security.

Fast forward 2+ years and I am now pulling shifts for a managed security provider. I decided that while being hands on was something I enjoyed, my interest in management was equally as strong. It was at this time that I decided to pursue the CISSP. I knew that there would be very little that I would learn that would be applicable to my current job, but also knew that most hiring managers valued the certification. I decided to skip the boot camps and simply use a study guide. I opted for Shon Harris' CISSP All-in-One Exam Guide. A month later, I was certified. I won't go into the specifics of the test, as that is an entirely different discussion. What surprised me the most was the difficulty I had (and continue to have) in obtaining the required number of CPE credits. The perfect storm of time with the family, time in the office, and a severely limited training budget resulted in an insurmountable deficit of credits. I realize that there are many ways in which to earn CPEs, but none of them seemed to fit my life's mold. After three years, I ultimately found it easier to retake the exam. I wouldn't wish that upon anyone, so I committed myself to keeping up with the required CPEs this time around. Well, I am happy to say that after the first year of my new three year cycle, I have zero credits. Something has to change and I doubt it will be our company's training budget or the amount of free time I have. Any suggestions? FINAL THOUGHT: The CISSP is virtually a must have for information security managers and above. The certification won't help you implement technical controls to improve your environment's security, but it will likely extend the boundaries of your security thinking.

So what does an infosec professional do to actually learn ways to improve the security of their infrastructure? I recommend vendor specific training, LOTS of reading (books, blogs, documentation), and late nights in the office or home lab. A couple thousand dollars spent on hardware, software, and/or books can do what no certification will -- give you the skills to excel in your field.

Side Note:
I have talked with many colleagues who are insulted when asked if they have, or would obtain, the CISSP. The feeling is that it is not a worthwhile reflection of their technical abilities. My question to anyone who feels this way is: does any one element of your resume reflect all of your abilities? Your college degree(s)? Your clearance? The answer is obviously no. So why not enhance your marketability?

Net Neutrality Stuck In Reverse Gear

Today the U.S. Dept of Justice released a statement saying that ISPs should be allowed to charge a fee for "priority" web traffic (see Associated Press story).

So as not to spin off tangentially into an argument about why DoJ issued a statement that has more to do with telco lobbying than about justice, I'd like to just limit comments and discussions to the pro/con of Net Neutrality. To me, a die-hard network infrastructure junkie, I can see grains of truth in both sides of the argument.

My heart tells me to support Neutrality--the Internet is based on the egalitarian concept of everyone (no matter how wealthy) having equal access to information. My brain tells me that certainly we should be prioritizing some traffic (VoIP) and slowing down other traffic (SPAM). This brings me to another part of my anatomy: my gut. Unfortunately, my gut is telling me that although my brain has a good point, the way this will be corrupted by evil telcos is that a new batch of fat-bandwidth DoubleClick.net video adverts ("business" premiere customer) will be prioritized and my email to grandma will be delayed (since I'm only a lowly "residential" customer).

Anyone else having these conversations with parts of their body?

5 Million Reasons to Stop Using Email

Today the National Security Archives at George Washington University (not to be confused with my friends at the NSA) announced that they have filed a lawsuit in U.S. District Court requiring the Executive Office of the President to recover and restore some five million mysteriously missing e-mails from March 2003 to October 2005.

Again, hoping to steer this blog and its readers' comments away from political commentary, I'd like to take this moment to ask what would YOU do if you were the I.T. administrator asked to recover these missing messages? Certainly there is a vacuum of information: as outsiders we don't know if the messages were caught on backup tapes and then later deleted or if they were never archived in the first place. But let's not let the lack of facts ruin a perfectly good round of "what if"!

Removing it from the public sector, imagine you worked at MortgageCorp and that several thousand e-mail messages were deleted from the server under your control. Now that the sub-prime lending market is in a tailspin, consumers start to fling class action lawsuits at MortgageCorp. How do you deal with recovering messages that, if recovered, would certainly do considerable harm to your employer, and where--precisely because of this--the person who performed the deletion was probably quite crafty in covering their tracks? Would you immediately call in forensics experts? Or duck the issue and tell the boss "they vanished--I can't get them back. Now it's general counsel's problem."

Copyright 2002-2007 • Special Ops Security, Inc. • All Rights Reserved.