So, the big news for me is on the career front. As it turns out, about 4-5 weeks ago I left my glamorous jetsetting (ahh, sweet sweet sarcasm…) Internal IT Auditor position for some real RockStar status. I can hear all of you asking, “Jeff, what could possibly make me want to leave the excitement and thrills of internal IT audit?” Seriously though, the past 4 months or so I’ve been really examining my career and taking a long hard look at what I like and dislike in my day to day grind and came to the conclusion that being an auditor was not the direction I wanted to continue in. Add that to the fact that after working in the banking/finance industry now for almost 8 years I was quickly reaching the point of complete and utter PCI/GLBA/FFIEC burnout, and I could see the writing on the wall.

I like to keep my hands “dirty” so to speak and not being able to directly solve the security and IT problems I see on a daily basis was just too much for me. Quite frankly, I’m an ops guy, I like getting in and actually working on the tech. I knew that already, but sometimes it takes me longer to figure things out than others. =)

So, during this period of realization one day in April, I just happened to stumbled across my “dream opportunity”. I’ve always wanted to find a position where I could get in to a small startup on the ground floor and build a world-class IT dept/infrastructure from the beginning. Someplace small and nimble yet with the same IT needs and issues as the big boys. Someplace I could go that I didn’t have to worry about what FFIEC says, but how things really should be. Not “security for regulatory’s sake”, but real, common-sense security. After years of shaking my head at the PHB’s stupid IT decisions I wanted to go someplace I could “put my money where my mouth was” (so to speak) and see if I could do it better. Careful what you wish for… =)

So, the opportunity presented itself and things moved extremely quickly from there. Suddenly I’m no longer in banking, and I’ve had more fun in the past 4 weeks then I have in the previous 4 years! It’s been hectic and challenging as I shake off the rust on some of my technical skills, but I have not had this much enjoyment going to work in years.

The new position? Director of IT for an up and coming startup here in Portland called Iterasi. We’ve just gone beta, so be sure to check it out.

After a short 10 year build time (I kid…), one of the best security tools out has reached the v1.0 milestone. Wireshark 1.0.0. was released this weekend! You can read more about it in this news item as well as grabbing the file from the Wireshark site. I’ve used Ethereal since the early days and it’s always been one of my staple network/security tools. I big congrats to the team! Here’s the news release:

I’m proud to announce the release of Wireshark 1.0. This is the culmination of nearly ten years of hard work by a team of brilliant and talented developers. It is an honor to be able to work with these people.
On behalf of the development team, I would like to thank Wireshark’s user community for all of your enthusiasm and support over the years. Wireshark development will continue, and we have lots of great features to offer in the coming years.

In this release

Security-related vulnerabilities in the X.509sat, Roofnet, LDAP, and SCCP dissectors have been fixed. See the advisory for details.
This release includes an experimental package for Mac OSX Intel. For a complete list of changes, please refer to the 1.0.0 release notes.
Official releases are available right now from the download page.

Computer Forensics Show 2008 — Peter Tippett thinks it’s time for security professionals to wake up and stop wasting their energy.

In a presentation here yesterday, Tippett — who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton AntiVirus — said that about one third of today’s security practices are based on outmoded or outdated concepts that don’t apply to today’s computing environments.

Once you get past the incendiary statements, it seems to me like Peter is discussing getting back to basics with our security thinking. Nothing is 100% safe, but in the rush to try and secure everything, many tend to forget about the basics. It seems the past two years many companies (and many in the netsec field) have gone overboard in trying to manage every risk to the point of CYA insanity, instead of using a more holistic approach of basic security best-practice and prudent risk assessment/management. As anyone that has worked in the security field knows, we netsec folk have to get a million things right to keep the bad guys out, but the bad guys only have to get one thing right to get in. Of course, that’s why the argument for defense-in-depth is so important.

Yet, while I do agree with most of the points Peter brings up, we can’t just throw up our hands and give up. We still have to approach security with due diligence as one of the goals.

There is a good discussion on the article over at Slashdot. Put on your fire-retardant suit before clicking the link…

The Register reports on a new UK guideline that makes it illegal to create or distribute so-called hacking” security tools.

The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, are still not in force and probably won’t be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.

I was amazed when the German computer crime laws came into effect in August 2007, but it looks like the insanity is spreading to other parts of Europe as well.

Josh Wright’s Wednesday evening talk on bluetooth eavesdropping was excellent (as usual, great talk Josh!) and showed just how bad bluetooth security is. He has a great YouTube video up showing the issues as well as a great paper on Dispelling Common Bluetooth Misconceptions that he just released. I highly recommend taking a look at both. Also, be sure to check out his website www.willhackforsushi.com for lots more wireless info.

Tonight is the PaulDotCom security podcast live here at SANS and I’ll be dropping in for that. It’s only fitting since I was lucky enough to be at their first podcast at SANS 2005 in LA. They’ve come a long way since then! =) They will be running a live stream as well as taking questions over IRC, so be sure to jump over to their site and get the info, then join us tonight!

I’m heading down to check out the vendors, pick up some swag, and mingle with the security elite. =) Also on the agenda for after-hours Wednesday night is a talk from Josh Wright on Bluetooth Headset eavesdropping, as well as a presentation from Ed Skoudis on VM Escape. I’m also going to try to get over to the PaulDotCom sec podcast on Thursday.

SANS Network Security 2007 is almost upon us! It’s been over 18 months since I’ve been to SANS so I’m really looking forward to going to the Vegas conference this year, even if it is a management track. I’ll be doing the MGMT411 track this time, covering the ISO 17799/27001. It’s a good overview to refresh my memory on the “official” security framework in my new role, but I would be much more excited about the malware or forensics tracks. I guess it can’t alway be fun and games… =)

If anyone reading this (all 2 of you…) is going to the Vegas conference and would like to get together, be sure to drop me a line and we can schedule a night. I always like meeting fellow netsec geeks for food and fun!

[MM] When you’re interviewing for a position, you’re interviewing a person, not a certificate. If you’re interviewing a CISSP to be a router jockey, you better hope they have a couple of other certs to back up their claims of knowledge. Or you better have some really good questions for them, preferably both. By definition, the CISSP shows no in depth knowledge of any particular aspect of security.

That’s one of the things that really bugs me about certs in general, the attitude of some (both cert holders and employers) that just because they hold a CISSP or GSEC, they have reached some pinnacle and know all they need to know about security. The attitude always astounds me! =) I’ve been in IT for about 15 years and yet I feel like I learn something new every day. In fact, that’s one of the main reasons I love the security field so much, the constant challenge to stay current, to learn and grow. =)

[MM] The CISSP certificate is useful setting a baseline of the person’s overall knowledge of security. And if it’s treated as nothing more than a simple measuring stick, it works well. But it’s not meant to measure someone’s networking knowledge and using it do so won’t work.

Marty pegs it here. Certs are (IMHO) a simple baseline that employers can use to assess that we in the security arena have a minimum “baseline” of security knowledge, but it is not the end-all be-all of measuring the skill of a person. We’ve all met loads of IT people with a bucketful of certs who could not troubleshoot their way out of a wet paper bag. So I thing Marty’s point is valid here, we cannot assume that a CISSP knows about things not covered in the official study guide. In a perfect world that foundation knowledge would be there, but this is not a perfect world. =) That’s where Daniel’s point rings true:

[DM] It’s simply absurd to claim that people in “management” roles don’t need to be versed in technology. Chefs learn about food. Architects learn about the structural integrity of their building materials. Physicists learn math. Why should information security experts not have to learn the building blocks of their discipline like everyone else?

I’ve held off taking the CISSP for years, but not for the reasons you might suspect. I guess it was the rebel in me, but as someone who was “in the trenches” for years I didn’t see the need to take a cert that did not (IMHO) add much to my knowledge base and was more of a resume checkbox.

This past year I think I’ve finally made peace with myself on this whole cert subject and have come to the conclusion that it’s part of the resume game we all must play sooner or later. I’ve changed the way I look at these certs and have even come to see the advantage of going through the motions, and will even admit to learning a thing or two in studying for the CISSP and CISA tests this year. I guess you can teach an old dog at least a few new tricks… =)

Update 9/7/07: This exchange has sparked some great comments around the web this week. Mike Rothman over at SecurityIncite.com wrote a great blurb on the issue. Marty also talks more about the issue in Episode 75 of his great podcast.

On the job front, I have some changes to announce. After a lot of contemplation I decided it was time to move on from my Security Architect role at US Bank, I role I’ve been at for the past 15 months. I met a lot of great people, learned a few things about myself, but in the end decided the position was just not a good fit for me. I’m grateful I had a chance to meet some truly talented security people while I was there and made some great friends. It was a tough decision, but I’m excited about the change.

I’ve accepted a new position at a great financial software/solution company in downtown Portland that I’m extremely excited about, and will be starting Monday. It’s a role I’ve been resisting for over three years but circumstances seem to keep pushing me in that direction, so after a lot of thought and discussions with my new employer I’ve decided to accept the inevitable and become an Information Security Auditor.

So for those of you that know me, yes i’ve moved to the dark side. I can hear you chuckling from here. =)

All in all, this was one of the more interesting (read stressful) certification tests I’ve taken. Now that I can look back at it knowing I passed, it was a test that I probably worried more than I needed to, but one I had to prepare for the most due to it covering areas that I did not have as much experience in as I’ve had with other certification subjects in the past.

Now comes the fun part, filling out the application and documenting my past security experience so I can claim a new set of letters to add behind my name. All of which really means nothing in the grand scheme of things… =)