Design IT Security for a Death Star

May 3, 2014

Interested in developing the skills you need to be an IT security professional supporting the U.S. Federal Government? Are you currently trying to follow NIST security guidance but are feeling overwhelmed? Why not collaborate to build a set of examples that can enhance your skills, while at the same time providing the security community with tools to improve security?

For 15 years now I have been an IT Security contractor for the U.S. Government. For much of that time I have been using standards published by the National Institute of Standards and Technology (NIST) to design and document security architecture.

While I have found NIST publications to be well written, the sheer volume of material I had to read and the lack of  examples of security documents has often left me feeling overwhelmed.

 

Problem of Collaboration

One of the problems with collaborating in security planning is that details are often too sensitive to share broadly. This often leads to security engineers developing templates, spreadsheets, and databases for themselves or their group, leaving others to develop their own material. This duplication of effort wastes a great deal of time and lessens the effectiveness of the security controls that are implemented.

 

Crowdsourcing a Fictional Project

I propose that one way to collaborate and keep sensitive information secure is to build a fictional collaborative project. Crowdsourcing security architecture and planning using the NIST security framework on a fictional architecture with supporting documents that can be shared and improved is one of the best ways to collaborate without risking the release of sensitive information.

To have fun with this, and to avoid encouraging the cutting and pasting that minimizes real security, I have an idea for a government project to base the security architecture on.

In 2012, “J.D.” from Longmont, CO posted a joke (I hope) proposal on the whitehouse.gov website suggesting the U.S. build a Death Star. Over 34,000 people “signed” on to this idea, which encouraged the White House to respond. Paul Shawcross, Chief of the Science and Space Branch at the Office of Management and Budget (OMB), responded with some fun of his own.

I suggest that for our fictional collaborative project, we plan IT security for a Death Star. Something like this is flexible enough for a small number of volunteers to create some simple documents (well, as simple as NIST allows), or for a larger group to create significantly more detailed plans. In any case, the documents created would all be subject to a Creative Commons license, allowing anyone to use and share whatever is produced.

The result would be an educational opportunity for anyone who wants to better understand NIST security, and the project would provide valuable examples and perhaps simple tools that would make it easier for those designing NIST-compliant security.

This could also lead to a group that could discuss issues related to NIST compliance, without having to share details of their projects.

 

Get in Touch

Updated May 11, 2014

To kick things off, I’ve created two ways to begin a dialogue with everyone who is interested in this project. I just created a bare-bones LinkedIn group called:
NIST Security Development

Alternatively, if you’d prefer email, I’ve created a Yahoo email list. subscribe by going to the Yahoo Groups site https://groups.yahoo.com/group/NISTsec, or just send an email to:
nistsec-subscribe@yahoogroups.com

 

Updated May 27, 2014

A project wiki has been created for this effort. There is still a great deal of work to get the wiki going, but it is ready for users and editing. The site is:

https://sfads.org

This is the same wiki software that is used for Wikipedia, so there are lots of resources on creating pages for it. While it might seem a bit intimidating to those who have not used wikis before, the syntax is really pretty easy, and you’ll get the hang of it quickly.

The best thing about a wiki is that it is easy to edit, and easy to revert to an older version if something goes wrong.

I’ll also be creating and sharing spreadsheets via Google Docs because spreadsheets are just easier there. Google Docs can also handle presentation slides, diagrams, and document templates.

If you are interested in helping, please create an account on the wiki and we can start collaborating on this project.

Jim

Advertisements

Narrow Your Career Focus

January 14, 2013

In my last blog post, I hope I sold you on the idea of pursuing a career in information security. OK, you have questions: What education do I need? How about certifications? How can I build an effective resume that will make it easier to get one of these jobs? These are important questions, and I will address them in a future post, but let’s not get ahead of ourselves. Many who begin to pursue a career try to make themselves as broadly attractive to employers as possible. They assume that the more jobs they qualify for, the easier it will be to get a job. That is rarely the case.

In his book titled, Purple Cow, Seth Godin argues that the best way to get a job is to narrow your focus. Godin says, “In your career,… being safe is risky. The path to lifetime job security is to be remarkable.” If I can paraphrase him a bit, suppose you are the director of a major hospital and you need someone to handle your information security. You have resumes from tens, perhaps hundreds, of security professionals who have a solid education in security. Each has the right certifications and the right technical skills. But one applicant stands out. This applicant specializes in the security of medical records. She blogs about hospital security issues. She has attended conferences related to hospital administration that didn’t even have a security focus. She is competent in security and understands the specific needs of hospitals. Who will the director hire? One of the applicants with lots of broad experience or the one who specializes in hospitals?

You get the idea. Narrowing your focus helps you stand out and makes it more likely that you will have the career you want, not just the career you fall into. Before you start pursuing certifications, advancing your education, or even writing your resume, take the time to research various information security positions, industries that employ people in these positions, and specific companies of interest to you. Narrow your target as much as possible. Once you know where you want to go, figuring out how to get there becomes much easier.

What do you think? Leave comments or questions below.


Introduction to Your Information Security Career

December 27, 2012

According to The Wall Street Journal, in March of 2012, Global Payments, a credit card payment processor, discovered a breach of its system that exposed the personal information of at least 1.5 million customers to criminals. SC Magazine reported that the cost of the breach for Global Payments was $84.4 million with a potential for an additional cost of $55 to $65 million. Brian Krebs, a well-respected security blogger, broke the story, and his account is well worth reading. These kinds of incidents are all too common, and their frequency and impact are growing.

Computers control more and more critical parts of our daily lives. Google is experimenting with computer-driven cars, and computing and networks are becoming increasingly essential to health care, including computer-assisted surgery. Computing is also essential to managing much of our critical infrastructure, including nuclear power plants, emergency systems, transportation and banking. Under these circumstances, it is vital that our computers be protected. This requires people skilled in information security. Unfortunately, there are far too few information security professionals to meet a growing demand. This may be a career you should consider.

What do we call it?

There are a number of terms that some use interchangeably for this field, while others insist that there are subtle or even major differences among the terms. Such terms include information technology (IT) security, cybersecurity, information assurance, and computer security. Since an in-depth conversation about these terms is well beyond the scope of this blog, I’m going to stick with the term “information security.” Just remember that you may encounter other terms that refer to the same field.

If the many names are not confusing enough, there are also numerous jobs and job titles for information security professionals. However, unlike the terms for information security, many of the various job titles have significantly different demands and experience levels. I will discuss the various types of information security positions in greater detail in a later post. For now, three of the major categories are defenders, auditors/testers, and management. Each requires a distinct, though overlapping and related, set of skills and body of knowledge.

Meaningful Career

There are many good reasons why you should consider information security as a career. The most important is that security is worthwhile work. Our advancing technology promises us a world with significant improvements in standard of living, better medicine, greater collaboration, more interesting work, and even better entertainment: think movies and video games. None of this, however, will be possible without the reliability that information security provides. By joining this field, you can help to ensure the continued growth of information technology and the promise that it provides.

I may sound overly enthusiastic about this field, but waking up in  the morning and knowing that what you will do all day actually matters is a great feeling.

Another good reason to consider this field is that, when done properly, information security demands creativity and problem solving. A career in information security can be personally challenging and can lead to constant learning and growth. Additionally, because security expertise is needed in a staggering number of industries, there is no end to the flexibility that this career provides.

Practical Considerations

More practically, security careers tend to be a good path to a comfortable salary. Salary, of course, depends on many things, including your level of experience, your special skills, your education, and the industry with which you are involved. But, according to salary.com, a security administration position can pay from $50,000 to $95,000, and I have seen information security positions that pay much higher, especially for talented and driven security professionals.

Security also provides career stability. While companies come and go, and no job is immune from layoffs, with solid information security experience, it should be much easier to find your next job than it will be for many other professionals. According to a survey of security professionals by ISC2, an international non-profit that provides security education and certifications, of the 2,250 respondents, only 7 percent were unemployed at any point during 2011. At the time of the survey, only 80 of the 2,250 were unemployed, and only half of them had been laid off. Other aspects of a security career that you should carefully consider are staying current with advances in the field and work/life balance.

Staying Current with Advances in the Field

It is essential that information security professionals stay current with advances in the field. Technology, threats, vulnerabilities, and management all change, and the changes can occur rapidly. All of these changes require that information security professionals continue their education, acquire certifications, receive training, attend conferences and vendor presentations, and read books, blogs, and articles. This can be exhausting, but it can also be exciting. Like many other aspects of this blog, the specifics of your ongoing learning will depend on the specific circumstances of your career. Nevertheless, you can be sure that some level of ongoing education will be a necessity.

Work/Life Balance

Finally, there is the issue of work/life balance. I’ve seen information security jobs that provide great flexibility: time to spend with family, friends or hobbies. I’ve also seen information security jobs that require the professional to be on call 24/7, travel extensively, and work extra hours and with crunch time around major projects. Your mileage will vary. Work/life balance for security professionals depends on many things, such as your industry, area of responsibility and corporate culture. The good news is that information security expertise provides enough flexibility that you can change positions or jobs as your needs change.

Choosing the Path

Is information security the right path for you? This field is not for everyone, but if it sounds like a good fit, I hope that you will seriously consider it. The world needs more good people to protect our information and computer systems.

 

I have edited this blog from the original on January 6, 2013. The original version of this blog referred to “Global Payments” as “Global Crossing.” This error has been corrected.