  • #2179054

    Security Professional’s Achilles’ Heel?

    by securitymonkey ·

    If you’re a security professional, you need to read this posting – and you need to leave a comment. Why? Because the enemy knows your weakness, and they are unsheathing their daggers as you read this.

    An Information security professional’s greatest asset isn’t their laptop, their software, their m@d haX0r sk1llz, or their seemingly endless credits on Starbuck’s gift cards.

    It’s their integrity.

    Let’s talk about you for a second.

    You are hired as a trusted associate, officer, partner, investigator, or perhaps an employee of your company or for your client. You are being paid to perform a service – a service that few can do properly. You have a substantial background in your field, you have endless letters of recommendation that you happily show to everyone that will look up from this month’s issue of “Big ‘uns” and pay attention. You have been trusted with information that could ruin careers, personal lives, even a company’s existence! Why?

    You have integrity.

    You can be trusted, and your word is supposed to be final on all matters pertaining to your work. That’s why you’re getting paid, right? Right.

    You’re going to make a lot of people angry during your career. Why? Maybe you have pointed out weaknesses that need correcting, processes that need improving, or maybe … just maybe … your work and testimony land some evil soul in a PMITA prison (for those of you that don’t know the acronym – watch the movie ‘Office Space’ sometime.)

    You’re untouchable, right? Nobody would dare desecrate the glorious security professional, right?

    You are SO wrong.

    The evil ones know about your secret strength, and like poor Samson who lost his incredible strength when his hair was cut, you too can be cut down by a simple cut of a dagger … to your integrity.

    It is not as uncommon as you think for a security professional to be the target of character assassination (and I’m not referring to World of Warcraft here) as retribution for a good deed, to further along a project that you are stalling, or to complete a sordid political plot.

    It happens.

    What do we, as security professionals do to protect our integrity?

    1) Document everything that you do. I mean EVERYTHING.
    2) Every single action that you perform should be explained in a clear and concise policy or procedure that you can hand to anyone that asks. (Make sure you’re following them to the letter!)
    3) Don’t ever accept kick-backs. EVER.
    4) You have the right to turn down a job, or leave a job on the spot for that matter, if you believe that working or completing the job may impact your integrity. Don’t risk it, no matter how many zeros are on the end of that check.
    5) Don’t ever lie to a client, law enforcement officer, or the person behind the Starbuck’s counter. You never know what you’ll find in your latte.
    6) Stick to your word. Do what you say. Lead by example. Period.
    7) Stick together – bond with your security team – become a family. It becomes much easier to detect incoming daggers.

    The length and future of your career rests with every decision you make (and sometimes it could be personal decisions, not just business!).

    Follow my advice, learn from my experiences, and keep your integrity intact.

    One morning you may wake up to find your hair, and your integrity, lying next to you.

All Comments

    • #3135585

      Yes!

      by jmgarvin ·

      In reply to Security Professional’s Achilles’ Heel?

      I’ll be handing this out to my students as a, “see, it isn’t just me saying this,” kind of thing.

      Integrity will get you far, but it is easy to slip to the dark side (as seen by the CIA leak to the Washington Post). You must do what is right and just, but you have to maintain EVERYTHING you have ever done (including changing your socks) because it will come back to you.

      • #3120494

        More examples for your students

        by securitymonkey ·

        In reply to Yes!

        (shameless plug)
        Have them read some of the actual cases that I’ve worked on at http://blogs.ittoolbox.com/security/investigator

        I have changed names, events, even combined cases – but the message and lessons are the same.

        I would love to hear feedback.

        SM

        • #3117707

          Sony rootkit

          by jmgarvin ·

          In reply to More examples for your students

          I’m glad to see this on your blog. What really baffles me is that it is far worse than that:

          http://www.cnn.com/SPECIALS/2005/online.security/

          A snippet from the article:
          Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.

          When recipients click on an attachment, they install malware, which may tear down a computer’s firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden — the software would have been installed on a computer when consumers played Sony’s copy-protected music CDs.

    • #3120399

      The other day

      by stargazerr ·

      In reply to Security Professional’s Achilles’ Heel?

      my boss got really pissed off when he realised that I know the passwords to his emails and admin.

      I had to talk to him and tell him that I am interested in his or anyone’s passwords purely to keep everything in working order and not to snoop!!! :o)

      My point … even if you have a pot full of integrity, people tend to suspect you.

      I will say, go with everything securitymonkey has in his list… add some of these to it too:

      1. Keep your immediate boss (techie or not) informed of how much you know and to what use you intend to put your knowledge.

      2. Check what you say and what information you give out. No matter how trusted you think a person is, that information will always end up in the wrong hands and then you will be blamed.

      • #3118463

        Speaking of passwords…

        by jkameleon ·

        In reply to The other day

        A couple of years back, my company had network administration outsourced to another company on the other side of town. One day, while their maintenance guy worked on our routers, his cellphone rang.

        Phone: “mumble mumble mumble”
        Maintenance guy: “No, I’m sorry, we don’t know it.”
        P: “mumble mumble mumble!”
        M: “Whaaa …!”
        P: “mumble mumble MUMBLE!”
        M: “Bu bu bu but… I don’t think we are supposed to…”
        P: “MUMBLE MUMBLE MUMBLE!!!!”
        M: “Yea, yea, OK, that’s an excellent idea. You speak to my supervisor, yes. Goodbye.”

        M: “Guess what! They forgot their root administrative password, and they bit my head off because I didn’t know it. As if I was supposed to know the administrative passwords of all of our clients. We keep the administrative passwords of the most clueless customers only, and they are not supposed to be in that lot.”

        BTW, a couple of months later we discovered that our out-of-house network admins had made a backdoor into our system, so that they could administer it from their offices and save gasoline. They hadn’t told us anything about it. The contract with them was immediately discontinued, and network administration moved in house.

        • #3117574

          will these people ever learn??

          by stargazerr ·

          In reply to Speaking of passwords…

          I don’t believe this… it’s because of people like these that all the rest of us suffer!!!

    • #3119285

      So right on and true, monkey!

      by lando56 ·

      In reply to Security Professional’s Achilles’ Heel?

      Security = integrity. No matter how many multi-factor authentications or ‘M of N’ controls, ‘least privilege’, etc., integrity is one of the more important personal (which translates to professional) character traits of YOU! If no one trusts you… who’s gonna hire you?? Not me!

      Thanks for the bullet points. Things I will definitely remember during my career. Great post.

      Lando