Monday, March 24, 2008

Interviewing infosec positions

The last time I went through the interviewing phase I did some googling and certainly stole some of the better ideas out there.

I've begun building on top of my "top ten" list of interview questions to try and get at a more fundamental level of comprehension. I'm doing this by applying Bloom's taxonomy, which is what is typically used to reinforce certain levels of knowledge in the learning process. For instance, asking a candidate "What is DNS?" is a 'knowledge' level question, while "Describe the functions of DNS and point out security flaws or implications of poor implementations of it that could exist" is a question that challenges the candidate's knowledge and analyzing capability. My layman's understanding of this taxonomy is that the latter question would fall under the Evaluate classification. I took the time to write down the taxonomy breakdowns in my Moleskine as a future reference.

Can you tell my wife is a teacher?

Monday, March 17, 2008

Security Vs Productivity

After reading this blog post about security being "creative" I remembered something I jotted down in my Moleskine back in October.


A disadvantage [security teams] face is the fact that we do not lead architecture changes that improve both security and enable individuals or the company.


To further explain that: security likes to tighten things down rather than put controls in place that can give the perception of a more open environment. I suspect the entire "Security versus Productivity" argument is inaccurate; it's just the easy way out. We can make both a productive and a secure environment if we're more clever.

Friday, March 14, 2008

Decentralizing the world

Let's weave a (completely speculative) web. From a society standpoint we've evolved from nation-states -> feudal systems -> empires -> nation-states.
From a technology standpoint we've evolved from microcomputers -> mainframes -> server/workstation -> upcoming virtualization and web2.0 platforms.
From a communications standpoint we've evolved from military comms -> POTS -> PBX -> Internet Protocol -> cell networks.
From a newsfeed standpoint we've grown from word of mouth -> printing press -> television -> www.

So if you accept the idea that in the grand scheme of things the trend over time is to become more decentralized, then how does that bear on security? If "power" is decentralized, whether from a king to federal systems or from centralized switch-based telco hubs to diverse IP-based routers, then "power" is also gained by each individual component.

Power is therefore being trusted to and redistributed amongst all of the system's individual components, which allows for larger scaling in whatever that particular system is designed for. Let's apply this to a corporation. The corporation is designed to make money, and certainly power redistribution to the employees and away from a regimented command structure is happening within companies. This is based largely on the technologies the companies use (email, VoIP, iPods, BlackBerries, wikis, IM, Salesforce, you name it) but also on leadership mindset changes and market forces such as globalization. These are all good things, as the corporation is now more nimble and quicker at making money.

But it makes security really hard.

What's important? Acknowledging that the network perimeter is a security blanket and not much more than that. Figuring out a way to trust your data and not your infrastructure, or necessarily even your data manglers (e.g., your employees and partners).

I suspect the walls will eventually come down. Corporate networks will not exist, there will be simply a public (wireless) network cloud with a reliance on private channels and heavy focus on abstraction and virtualization.