It's not difficult to become the local security expert — the guy to whom others look when they need network resources secured, the guy they point to when they want to source someone in their attempts to reform security policy, and the guy organizations like TechRepublic ask to write about security. In other words, barring perhaps the ability to compose a well-written essay without grammatical and spelling errors, it's not too difficult to be me. There are really only five steps to it.
- Get outside of your comfort zone. Use software that isn't familiar to you. Learn about new technologies. I don't mean you should try a different antivirus solution — I mean you should use something fundamentally different.
If you're an MCSE who's done nothing but manage Active Directory domains professionally, set up a network at home using Linux and FreeBSD systems. If you're a multi-OS geek who has Linux, Windows, and MacOS X desktops at home — and maybe even an old BeOS or Amiga system — take a shot at setting up a backup server and an automated logging server, and then go on to build a firewall and router from scratch.I've done much of that already, but I've got my eye on Plan 9 as a new operating system challenge. Just as I have, if you get out of your comfort zone and learn about different technologies, you'll start to learn things about the technologies you already use when you find your old assumptions about how things work don't hold up to scrutiny.
- Learn some programming. Even just a little bit will help you understand more about how software architecture plays a major role in overall system security. More than a little bit will teach you even more about it. When you learn how to write drivers for a given operating system, for instance, you'll learn something about the security weaknesses of that OS. When you learn how to write code that interacts with the file system, you'll learn something about how file system design and OS privilege separation matters where the rubber meets the road, so to speak.
- Read voraciously. Join some mailing lists, for a start. Good lists to join include open source community lists, programming lists, and the Security-Basics list at SecurityFocus.
That's for learning principles of security. To keep up with what's shaking in the security realm, so you're always on top of the latest security news, almost nothing can beat the BugTraq list. While you're at it, read what other security experts such as Bruce Schneier have to say.Get your hands on some good books about security and read them. Security "cookbooks" are surprisingly useful, and a keen mind can grow to understand quite a lot about security principles from the "recipes" in these books by considering why and how they work.
- Check your assumptions at the door. Secrecy does not equal security, you don't always get what you pay for, and security features don't always make you more secure. I'm not saying you should ignore everything you think you know — just double-check it, triple-check it, and always be open to the idea that what you think you know may be wrong.
- Finally, think for yourself. Don't just take someone's word for it when you're told something about security. Think it through, consider it carefully, and verify it for yourself, if at all possible. Consider what might be missing from what you're told, and consider the source. Everyone has an agenda, so you need to consider the goals of your sources. You also need to be aware of your own agendas, so you can avoid the trap of confirmation bias.
Here's a bonus, a sixth item to add to your list: Stay tuned. I'll be providing a lot more for the would-be security guru to think about right here in the TechRepublic IT Security blog in the near future.