Ethical Hacker Community Forums
December 01, 2008, 04:51:31 PM

1
Ethical Hacking Discussions and Related Certifications / Other / Re: "Hacker Course"
on: August 02, 2007, 09:01:30 AM
Gibson is controversial in security circles due to what some see as a "sky is falling" alertism stance. I believe too many drop all his packets when he goes into this mode. Steve has some good content, tools, and some great podcasts for beginners.
Furthermore, he has the best podcast format and is the most consistent producer among the podcasters, and he doesn't do any of those ridiculous "cool hacker" skits, whizbang sound effects, and burping/farting/beer jokes.
However, like most things on the Internet, you have to read and listen with a critical mind and check the facts. But overall, I think he's worth the time.

3
Ethical Hacking Discussions and Related Certifications / Other / Re: Security conferences versus practical knowledge
on: July 28, 2007, 10:09:59 AM
Several managers I know see cons as a perk to be given out, but don't expect much from them. They know their people often don't have time to put the skills to use regularly, but they still see value in broadening their knowledge.
If they don't pay for cons, they will lose their more valuable staff. I think they should expect more, but that would mean that they ensure they provide some time for their people to practice and implement what they learned. It's easy for them to just send their people and leave it at that.

4
Features / Opinions / Re: Breaking in to Security
on: July 28, 2007, 10:02:10 AM
Another way to do it is to get a job working in a PC break/fix department or helpdesk. You'll learn a lot there. Then move to a sys admin/network admin job (while you're doing break/fix, study for the admin job).
All the while, keep your eyes open for security problems (don't scan or hack w/o permission) and always volunteer to test new SW/HW/processes -- that's permission to test security and poke at what's being tested...just make sure you ask the team what's okay to do. Usually, you can test in an isolated environment or take it home and test it there.
Little by little you learn more while gaining respect. Then maybe you can be sent to some security training or move over to the security team.
The other thing I did early on was volunteer. I was the go-to guy on the church's network, helped all my friends, helped at the Lions Club, etc. Of course you have to be REALLY careful that you know what you're doing, but it's a great way to gain experience for your resume.
Tell everyone you know you're willing to help...and study like mad.

8
EH-Net / News Items and General Discussion About EH-Net / Re: New Poll?
on: February 09, 2007, 08:10:43 AM
How about the questions from my article, Is your company sick or secure? See http://www.certifiedsecuritypro.com/content/view/180/1/
Do your senior executives use strong passwords that expire automatically on a regular basis?
Do your administrators and help desk staff ALWAYS give out strong passwords on all new accounts and reset accounts, even for applications that “don’t matter”?
Do your users send internal emails to each other addressed to <user>@<companyname>.com?
Do more than a handful of employees regularly encrypt outgoing email, FTP, and other data?
Do you have a patching strategy that actually works, even for remote users?
Do all your contracts undergo a security review before they are executed?
Does your help desk use secret answers or another method to determine who’s on the other end of the phone when it resets a password or provides sensitive data to callers?
Do you provide all new employees with a basic introduction to your security policies and procedures at orientation?
Do you have your Internet-facing devices checked for vulnerabilities at least once a year?
If a major security incident occurred, do you have a written plan to follow that contains contact information of executives, security staff, etc.?

10
Features / Opinions / Re: Insider Threat
on: September 22, 2006, 08:32:00 AM
When I think of external fraud, I think of customers trying to cheat the company with false claims and the like; in my mind, it doesn't include system access.
When I think of internal fraud, I think of internal folks accessing and manipulating systems in ways they should not be able to.
It depends on your industry.
Any more thoughts, Ole?

12
Features / Opinions / Re: Insider Threat
on: September 15, 2006, 06:00:41 AM
Internal controls do get the shaft. But assuming that you have the basic external defenses against outsiders, the internals are the bigger threat because they generally have some knowledge of where the goodies are at and how poorly protected they are. They are also, of course, inside your external defenses already, and when their activity shows up in some logs, they are sometimes passed over as legit.
Think about fraud, which is basically all internal. Much of it occurs due to poor security, whether it be controls or lack of log and system review. I think too many pros focus on stopping the real cool "hacks" and ignore the fraud, which costs companies serious money and goes undetected, on average, for 18 months.
In my last company, I assisted with 2 fraud cases that went 9+ years. That's bad controls and review practices.

14
EH-Net / News Items and General Discussion About EH-Net / Re: Help Promote EH-Net
on: August 31, 2006, 10:27:03 PM
I have been here since the beginning and can assure you that Don won't spam you or sell you off.
I also encourage lurkers to go for it, take a risk. Or even ask about an issue that you're having at work. That can start some good discussion.
However, I have to disagree with the statement that “please don’t forget this is the internet and it doesn’t matter!” Yes, it's okay to look foolish now and then, but the internet is forever, and you don't want anything coming back to haunt you. So keep company names and identifying details out of your posts and questions.
No risk, no reward...