Make SOPs and Runbooks a Top Priority in 2017
By Raj Goel
“When I say that the company’s prosperity rests on such things as our sixty-six-steps-to-clean-a-room manual, I’m not exaggerating.”
-- J.W. Marriott Jr.
As I look into my crystal ball, 2017 looks a lot like 2016. We’ll still be short-staffed, and making new hires will be a challenge in spite of, or because of, information security’s near 100 percent employment. Breaches will get bigger and attack vectors will expand. On a more positive note, we’ll still have jobs: an unending queue of tickets, upgrades, projects and meetings.
So, how do you deliver better quality of service, reduce response times, and make your users, management and board happier next year? By increasing staff productivity.
First, let’s consider the cost when there’s a lack or loss of productivity in the workplace, based on my own experiences and research:
1) If performing a task costs you X hours and Y dollars, fixing mistakes and having to re-do that work adds 150 to 300 percent more hours and dollars to the original costs.
2) Those mistakes and do-overs also cost you user trust, client trust, sleepless nights, and make life miserable for everyone involved.
3) Removing productivity loss by standardizing staff training, ticket-handling procedures and customer service processes (yes, we’re all in the customer service business!) has increased our team productivity by 40 percent over the past three years.
Increasing Productivity without Working More Hours
The secret to increasing productivity, good service, and making staff, users, management and stakeholders happy is delivering consistent service. What does consistent service mean? Things are done using standards, processes and checklists so that you, your staff and your clients get the same or similar results every time.
Once you look at your existing tickets or open issues, you’ll realize that approximately 70 to 90 percent of what we do is a repeatable, reproducible process:
• Checking firewall logs for anomalies? Systematize it.
• Checking backups? Systematize.
• Setting up desktops, phones, servers, networks, widgets? Systematize.
• Training new hires? Give them runbooks.
Most of us are familiar, at least in theory, with standard operating procedures, or SOPs. A runbook is a collection of organized SOPs. As business expert T. Harv Eker once said, “How you do anything is how you do everything.”
In our world, consistently creating and, importantly, using SOPs and runbooks shows how to do something repeatedly, without deviation or failure. It also means any changes or updates are reflected in these “living documents” that are routinely reviewed instead of gathering dust on a shelf or in a shared folder.
Need another reason? How about this: No great brand thrives without building SOPs.
Another way to think of it is to consider an SOP as a recipe:
• It shows how to configure tools.
• It shows how to respond to alerts.
• It provides specific steps to investigate an event.
• It outlines how to set up that desktop.
A runbook is more like a cookbook, a collection of all the recipes organized thematically.
Proof of Concept for a Stronger SOP Culture
My company is a managed services provider and managed security service provider for New York City-based hedge fund, private equity and construction companies. These are highly regulated, highly process-driven industries with exceptionally high demands for uptime, reliability and service excellence.
Here are several ways that adopting a formal SOP culture has led to major productivity gains, which also translates into cost savings that make our clients happy.
Before: It used to take us 20 hours per server to onboard a client. If a client had, say, six servers, that translated to 120 hours or three to four weeks of onboarding time, with frequent errors, dropped balls and delays.
After: Soon after we began developing SOPs, project plans and checklists, we reduced the per-server onboarding time to six hours per server, which translated to two people working together for 18 hours each, or two calendar days.
Before: Firewall installations used to take 60 hours, including time spent on errors, missed configuration items, unasked questions, etc.
After: Firewall deployments were reduced to 20 hours without any “dropped balls.”
Synology SAN Setup
Before: Synology SAN setups with iSCSI and round-robin iSCSI configurations used to take 12 hours of our senior systems administrator’s time.
After: The same setup now takes four hours, and we are using newer, lower-cost staff to implement them.
Daily Backups and Security Reviews
Before: Checking backups daily was reserved for “backups technicians,” while daily security reviews were reserved for the security staff.
After: By systematizing the Daily Backups Review (DBR) and the Daily Security Review (DSR) processes, we are able to train our entire technical team in performing DBRs and DSRs. If the primary DBR/DSR person is unavailable, anyone else on the team can complete these mission-critical processes daily. It also means we get a fresh pair of eyes on the processes on a regular basis as we rotate the responsibility, and that has made our DBR and DSR processes significantly stronger.
Semi-annual Disaster Recovery Tests
Before: Until four years ago, we couldn’t fathom performing annual, much less semi-annual, disaster recovery tests for every one of our clients. The amount of planning, time, manpower and vendors involved seemed insurmountable. If we were lucky, we got one or two of these tests done each year.
After: After adopting an SOP Culture, we mandated semi-annual DR tests for all clients. We have performed 68 DR tests in the past three years, with 66 being completely error-free, and two exposing gaps in documentation, processes and systemic issues that were subsequently resolved.
So, as you can see, since adopting a culture of standardization, documenting it and deploying it throughout our organization, we’ve lowered our internal expenses, delivered better and more consistent service, and increased staff training through cross-training.
How We Became Better at our Jobs
Our IT services company is 22 years old, so I thought we had processes and documentation nailed. After all, we do this stuff for a living, so we must be good, right?
Despite our best efforts, most of our documentation was scattered. It was held in Word docs, Excel files, project plans, emails and Post-it notes, with critical information buried in people’s heads. Scattered or inconsistent documentation and processes are no way to run a business or department, and they cause an incredible amount of stress. They also lead to long days, staff burnout and high turnover.
How did we go from working 80-hour, thankless weeks to 50-hour, highly productive ones? (Yeah, I wish I could say we work 40-hour weeks or four-hour weeks like that Tim Ferriss guy, but that’s just not our reality.) By embedding SOPs and runbooks into what we call SOPCULTURE, we reduced staff turnover, reduced staff burnout, and increased revenues and profits.
Today, we are a much healthier company with a happier workforce because:
• We create SOPs for everything, from the simplest task (setting up signatures in Outlook) to the most complex.
• We live by the SOPCULTURE mantra in which you are either:
a. using an SOP unmodified
b. updating an existing SOP
c. creating a brand new SOP
d. working for some other firm (yeah, we fire people for not following/using SOPs)
• After we had developed 1,000 SOPs, we identified the 70 most critical SOPs that our technical team needs to be competent in the field. We compiled that into our “New Hire Technical Training Runbook,” which clocks in at 1,672 legal pages, outlining detailed, step-by-step recipes on what we expect everyone on the technical team to be able to accomplish.
• We identified the 15 SOPs our marketing teams need to execute on a regular basis.
• We bake our SOP Culture into our hiring process. Once we identify promising candidates, we interview them, check their qualifications, and require them to submit sample or existing SOPs.
Like any culture shift, creating an SOP mentality takes time and enormous effort. But I can tell you from personal experience, it is worth it: for you, your company and your clients.
Raj Goel is CEO of Brainlink and can be reached at email@example.com to learn more about SOPs.
Member Q&A: 5 Minutes with … Tushar Gokhale
An excerpt of this Q&A appears in the November-December issue of InfoSecurity Professional magazine.
Tushar Gokhale lives in Dallas, Texas, but grew up in Mumbai, India. The cybersecurity specialist has been part of (ISC)2 for more than two years and is the newest member of our Editorial Advisory Board.
When did you know you wanted a career in information security?
After I completed my bachelor's studies in electronics and telecommunication engineering, I started working as a network and communications engineer. I worked on several network design and technology projects, such as implementation of routers, firewalls, intrusion detection and prevention systems, etc. At that juncture, I decided to start learning more about information technology security and eventually pursued a career in information security.
After realizing that was your chosen path, how easy or difficult was it to gain entry?
I must say, it was a little difficult. Specifically in India, I remember information security was considered a branch of IT and a potential candidate for information security was expected to be best at information technology most times. An entry-level career as an information security professional was a little difficult, as in most industries and sectors, security concepts and security implementations were considered child projects of IT implementations.
What have been the biggest hurdles in your current career?
Transitioning my career from a network and communications engineer to an information security specialist was the biggest hurdle. It was more difficult than I thought it would be. Further, elevating my career path from being a technology security professional to a business security professional was another challenge.
You're originally from India. What part of the nation are you from, and how has living in India, and still visiting, impacted your career?
I am from Mumbai (often termed the financial capital of India), which is located in western India's State of Maharashtra. There is always huge demand for great talent across all sectors and industries in Mumbai. I started my professional career in Mumbai and later moved to the United States to pursue a formal education in the field of information security. My information security professional contributions to the financial and insurance sector in Mumbai provided the groundwork for my current work in the United States and internationally. I believe the more diverse and international your experience is, the more rewarded you are.
What are you most proud of accomplishing with the group to date?
Every achievement and contribution I make to the information security community makes me feel satisfied. That includes doing my small part to help nurture others in the information security profession. I'm proud to have earned a master's degree in information security, continue to advance in my professional career, and volunteer as a peer reviewer for academic and professional security journals and magazines. I've also been an instructor for security courses, judged cybersecurity contests, and held other roles that I believe contribute to making our community and industry better.
What do you believe are some misconceptions about the cybersecurity workforce in India?
Not only India, but a majority of developing nations still consider cybersecurity as only a technology challenge. Also, another misconception is that only those with a technology background and a significant amount of technical experience can advance to a career in cybersecurity. This may not always be true. While cybersecurity could still be technical at its core, in a wider context it is a business challenge and overlaps with governance, risk, compliance and business in addition to technology.
What advice do you have for someone in your industry who is just starting a career in IT security?
Listen, read, learn and digest everything you can about IT security through magazines, newsletters, conferences, etc. Focus on a specific area of IT security where you believe you can excel. You should not only be aware of multiple domains of information security, but you should also become an expert in one or more specific domains when it comes to your IT security career goals.
What about someone who is already in the field, but wants to raise their professional profile?
First and foremost, identify your strengths and have your professional goals streamlined in your mind. Additionally, look for learning opportunities in the field of IT security through certifications, courses, or even a formal education in cybersecurity. Specialized learning in IT security, in line with your professional experience and contribution, can help you go farther in the field.
If a member was to vacation in the part of India where you grew up, what is at least one "must see" event or tourist thing to do?
I am from Mumbai, which is often called "the city that never sleeps" and has a lot to offer. Be it rainy season, festival, or sports (cricket), I think one should experience and feel the spirit of the city and its crowd. Enjoy Mumbai rains if you are in Mumbai during rainy season. Enjoy local food and festivals like Holi, Ganapati and Diwali if you are in Mumbai during festival season. If you happen to watch and experience a cricket match during your stay, you will enjoy it, too, since the sport is celebrated much like a festival, with a lot of joy and enthusiasm.
2016 Volume 6, Issue 5
Biometrics: An Idea Whose Time May Never Come
By Michael Wegner
Biometrics has fascinated me since I was a youngster reading works by Isaac Asimov and Robert Heinlein, and watching Gene Roddenberry's Star Trek. Imagine, a building or a spaceship that opened doors because it knew who you were and that you were authorized to enter an area.
Then, near the turn of the century, this biometric business was no longer science fiction - it was here and we could see it and touch it! (Pardon the pun.) Retina and fingerprint scans were being used by machines to recognize people, although sometimes with mixed results.
The accuracy, or inaccuracy, of these systems related to the number of data points the scanner could read, quantify, and compare to the stored data. In a typical fingerprint scan, the system checks for a digit's loops, whorls, ridges, etc.(1) The features found are turned into numbers and then stored away to use as the "password."
Next time through, the system reads the digit using the same method, computing the numerical representation of what it finds and comparing it to the database of scanned information. If it finds a match, that must be you. Or him. Or maybe her. Fingerprints may be unique, but a small scanned portion of a print might be common to many prints.
The systems were limited by how many points they could scan, store and compare in a reasonable amount of time. Let's face it, no one is going to sit around for 45 minutes waiting to enter a door or log on to a computer. But those shortcomings were just a bit of computing power away from being quashed, and Moore's Law would certainly take care of any problems. It was only a matter of time.
Sure enough, today retina, iris and fingerprint scanners are fairly reliable. Fingerprint scanning typically uses 60 to 70 different points of data, while iris scans use upward of 200 points.(2) Facial recognition is the next frontier, and that's moving along at an astonishing rate. We now have robots that can identify a person using a library of facial scans.(3) Some newer laptops use the built-in camera to scan your face and authenticate you as a valid user.
But in the meantime, black-hat hackers also have made great advances. They now almost routinely collect information on thousands of people at one time, then either utilize the data or sell it. That information often consists of passwords (or password hashes) people used on a hacked network or website. Many - probably most - websites and businesses are very good about advising you if your password was stolen or if their systems were compromised in a way that enabled password theft. When you get a notice like that, your first action should be to change your password.
But what if instead of a password you were using a fingerprint? You could change the digit you're using, I guess. Most of us have nine others to use, and if you're wearing easily removable shoes and are really flexible, you can add another 10 digits to the cause.
Your options are much more limited with retina and iris scans, not to mention facial recognition scans. Simply making a new scan of the finger or retina won't work unless the scan pattern or something else changes, and that isn't going to happen with most software systems. Why? While some researchers write their own scan routines, most everyone uses a commercial library of software routines to perform the scan, compute and store the results, and authenticate later. So until the libraries change, the scanning tools remain unchanged and a scan of the same finger will yield the same results. You will need to supply a different finger, eye or face.
Alas, thieves on the network aren't our only concern. Using high-tech cameras, it is now possible to capture a fingerprint from several feet away! Capturing irises using the same or a similar method can't be far off, and who knows what will happen to advance retina scans.
Even if software manages to stay ahead of the game and capture more and more data points, if someone has a library of actual fingerprint photographs and a 3-D printer, in reality they have a finger to use to scan and authenticate. Some advanced fingerprint scanners now check for a pulse(4), so printed plastic fingers will have to get more sophisticated, possibly adding a small bulb pump at the end connected to a few "veins" and "arteries" in the plastic digit.
I'm sure it won't be long before fake irises are created and printed on contact lenses to fool iris scanners. And while it may be quite a while before fake retinas are created, if the retina scan data is stolen, your only choice is the other eye.
All of this leads us back to two-factor authentication using something you have (a card, a finger, an eye) and something you know (a password) to gain access to your website, room, data … or spaceship. It's much easier to lose a card than a finger (amateur teppanyaki chefs an exception), but it's much easier to replace a lost card than it is a finger, at least for now.
Although the idea of using only biometrics for authentication sounds cool and sexy, it doesn't look like it will replace two-factor authentication any time soon, if ever. As the technology allowing us to use biometric authentication gets better and better, so does the technology to defeat it.
Now quick, beam me up before someone steals my transporter image.
Michael Wegner, CISSP, is an IT security administrator for an Alabama medical center. He can be reached at firstname.lastname@example.org.
5 Minutes with Mary N. Chaney
An excerpt of this Q&A appears in the September/October issue of InfoSecurity Professional.
Pennsylvania resident Mary N. Chaney is originally from Cincinnati and has been an (ISC)2 member for eight years. A lawyer and former FBI special agent, she currently is director of worldwide information security for Johnson & Johnson.
What made you want to pursue a career in information security?
Information security was a natural fit for me. As an information systems major with a law degree and as a former federal cyber-crime investigator, I took to the field like a fish to water. I continue to remain excited and thrilled about the industry and look forward to offering my services on how to shape it going forward.
Which was more difficult - passing the bar or passing the CISSP exam?
Sorry, (ISC)2, but the Texas Bar was 2.5 days: one full day of multiple choice, one full day of written essay, and a half day of all Texas Law, essay and multiple choice. No comparison - the Bar exam was harder!
In what way[s] does your legal career help with your cybersecurity one?
My legal career has helped me tremendously in my career in cybersecurity. Being able to articulate how the information security controls put in place help protect (or not) the legal culpability of a company in the aftermath of an incident has proven to be one of the more powerful tools in my arsenal. Sitting in the room and being able to translate between lawyers, technologists, regulators and law enforcement is a wonderful skill to have.
What was it like being a special agent for the FBI?
Being a special agent for the FBI and investigating cybercrime was a great experience. Not only did I investigate cyber, but I was able to do some pretty cool things outside of cyber. But I can't tell you what they were!
Being a federal investigator and determining exactly how a crime is committed is the ultimate root cause analysis. Thinking like a criminal is important in cybersecurity because ultimately, there is a human behind every crime. If you can understand their motivation, you have a good shot at knowing how to protect yourself.
How difficult was it to transition from the public to the private sector?
It was not as difficult as I thought it would be. Large companies like my former employer, GE Capital, and my current employer, Johnson & Johnson, work similarly to the government. The biggest difference I can see is the focus. Data is a top concern of the government. Classifying and treating data based on its classification is the first step in many of the security controls that are put in place. With the popularity of big data, data analytics and cloud computing, it is more and more difficult for private organizations to classify and identify effectively their most important data in order to ensure appropriate controls are put in place.
I read that one of the first things you did after becoming an (ISC)2 member was to become involved in Safe and Secure Online. What has that experience been like?
It has always been great. The materials have only gotten better since the inception of the program, and I strongly recommend getting involved. To be fair, I have not had much time to do as much as I did in the first couple of years as a CISSP. But being able to speak to children about cyber dangers, as well as to parents about what to look out for, is very rewarding.
What do you believe is the biggest cybersecurity issue for children and their parents today?
The biggest issue for parents is not monitoring the content/access kids have to technology from the time they give them a device. My poor kids are 11 and nine and have iPads of their own, but they can't get to anything on those devices without my consent. Plus, they have to listen to mommy lecture them about creating secure passwords, geo tagging, knowing who you are talking to online, never giving out our home address, etc.
Kids are kids, they are curious and believe that they are smarter and more savvy. A healthy bit of fear about the dangers of technology will always help!
You're also involved with the International Consortium of Minority Cybersecurity Professionals (ICMCP). What do you think it's going to take to bring more diversity to the information security workforce?
As with many things, bringing awareness to the issues is important. Acknowledging that there are unconscious biases that exist toward women and minorities in cybersecurity, as well as the broader IT community, is a paramount step. We as professionals must have the courage to challenge those biases when we observe them and to work to change the entire culture of science, technology, engineering and math (STEM) to be more inclusive.
Through my participation and passion about working with ICMCP, I hope to help shed light on the challenges minorities and women face when charting a successful career path in cybersecurity. In addition, I want to help come up with effective and creative solutions for increasing interest in this challenging, demanding and exciting world.
If you had to start all over again, is there anything you'd do differently?
Absolutely not. I have had the pleasure of being and doing some great things while following my dreams, and I would not change a thing.
2016 Volume 6, Issue 4
The Road to a Robust Trust Protection Platform
By William Nana Fabu
For years, security professionals have been looking for ways to keep information out of reach of unauthorized users. Encryption is an ideal way to do this. Within the encryption domain, the public key infrastructure (PKI) certificate has become the foundation of what I call the Trust Protection Platform.
A robust Trust Protection Platform is now a must, regardless of your industry. Your certificates and keys are of paramount importance to the security of your environment and must be under your control all the time.
As information security professionals, we continually ask ourselves, "What does it take to have a functional and efficient Trust Protection Platform?" The answer, I believe, is closely linked to a well-managed certificate base.
Where are the certificates and keys?
Today, in most industries where data is found both at rest and in transit, a certificate is involved. Let's say all governing bodies and the security protocols require that the security team encrypts data all the time and only makes it available in clear text to the designated recipient. This implies that you must install at least one certificate on most, if not all, of your systems to build a secure connection with any other connected system or end user. This translates into a large number of keys and certificates (digital entities) you have to manage across your infrastructure. A comprehensive, accurate inventory of these digital entities is the foundation of a strong management program.
You cannot rely on all your system and application owners to give you the list of all the certificates they have in their system. Rather, you can use a discovery tool that queries all your nodes and builds a comprehensive list of certificates and keys. It is the beginning of a long journey toward an efficient Trust Protection Platform.
What did I just do?!
Now that you've taken that initial step to determine which certificates reside in your system and where, you need to look more closely at the nature of these certificates. Ask yourself:
- Where are all these certificates coming from?
- Are these good certificates?
- Do they comply with industry and security standards?
- Who owns these certificates?
- When do they expire?
- What do I report to management?
Let's tackle each of these questions in a little more depth.
Where are these certificates coming from?
When getting ready for your discovery, make sure you select a good tool that will gather as much information as possible on the certificates and keys, as well as information on the host where they reside (see section on tools below).
Some tools provide information on third-party certificates and keys shared with your institution. This intel is handy when it is time to rotate the certificates and keys, as it's always good to be the first to send an email to a B2B partner regarding the expiration of a mutually shared certificate.
Make sure you scan your entire environment. You may be surprised to find certificates and keys in the least expected zones of your network. This also gives you an idea as to the pervasiveness of private keys that employees are storing on their desktops, which could trigger an emergency cleanup of your environment.
Are these good certificates?
To define a clear and simple policy for certificates and key management, you must work with your information security team that owns the policies. Be sure to incorporate both industry standards and the realities of your own institution into those policies. Once you define the policy, classify the certificates you discovered based upon their compliance with the policy. It is crucial you do this before you contact any potential certificate owners so you can avoid provoking justification for all the noncompliant certificates and keys. You need to know the exact compliance state of your Trust Protection Platform in order to evaluate the workload and build a comprehensive action plan with a well-defined priority.
As you do this, pay attention to the following criteria:
- Signing algorithm - note that SHA-1 is out of the question
- Private key length
- Expiration date
- Certificate authority
- Wildcard certificates
- Orphan keys
- Shared keys
- Self-signed certificates
- Unknown certificate authority
These criteria take us to the next question.
Do they comply with industry and security standards?
Take the time to sort your discovery based on the criteria listed above and get some figures that tell the story of your digital entities. Do not be overwhelmed by a dark situation. Instead, use it as a selling point to garner management's support and engage everyone in the "cleansing" process. The reality is that you need to turn this situation into a good one using all the tools and the participation of all the IT teams and system owners. There are reporting templates online that can help you build a convincing case.
Always make sure you do not try to lower the prescribed standards. Only provide exceptions to cases that are not remediable (but make a note to follow up on them). Remember that auditors can access your reports and need to see the compliance increase gradually.
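The classification step described above, and the expiration report discussed under "When do they expire?", as an added example that is not part of the article or of any particular discovery tool. The CSV export, column names and policy thresholds are constructed assumptions chosen to mirror the criteria in the list; the script sorts each discovered certificate into a compliance state and produces the figures you would put in front of management.

```python
"""Classify a discovered certificate inventory against a certificate and key policy.

Added example for this article (not the author's tool). The CSV below is a
constructed discovery export; the column names and the policy values are
assumptions, chosen to mirror the criteria listed in the article.
"""
import csv
import io
from datetime import datetime

# Constructed sample export, in the shape a discovery tool might produce (hypothetical format).
INVENTORY_CSV = """host,subject_cn,issuer_cn,sig_alg,key_type,key_bits,not_after,owner
web01.example.test,www.example.test,Corp Issuing CA,sha256WithRSAEncryption,RSA,2048,2017-09-30,web-team
web02.example.test,*.example.test,Corp Issuing CA,sha256WithRSAEncryption,RSA,2048,2017-03-15,
legacy01.example.test,legacy.example.test,Corp Issuing CA,sha1WithRSAEncryption,RSA,1024,2018-01-01,apps-team
db01.example.test,db01.example.test,db01.example.test,sha256WithRSAEncryption,RSA,2048,2026-01-01,dba-team
vpn01.example.test,vpn.example.test,Some Unknown CA,sha256WithRSAEncryption,RSA,2048,2017-01-20,net-team
"""

# Assumed policy: the article's criteria expressed as thresholds and allow-lists.
POLICY = {
    "trusted_cas": {"Corp Issuing CA", "Corp Root CA"},
    "banned_sig_algs": {"sha1WithRSAEncryption", "md5WithRSAEncryption"},
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "expiry_warn_days": 90,
    "allow_wildcard": False,
}

# Worst state first; a host's overall state is the first severity present in its findings.
SEVERITY_ORDER = ["noncompliant", "expiring", "review", "compliant"]


def classify(rec, policy, today):
    """Return a list of (severity, finding) tuples for one inventory record."""
    findings = []
    if rec["sig_alg"] in policy["banned_sig_algs"]:
        findings.append(("noncompliant", f"weak signature algorithm {rec['sig_alg']}"))
    min_bits = policy["min_key_bits"].get(rec["key_type"])
    if min_bits is None or int(rec["key_bits"]) < min_bits:
        findings.append(("noncompliant",
                         f"{rec['key_type']} key of {rec['key_bits']} bits is below policy minimum"))
    if rec["issuer_cn"] == rec["subject_cn"]:
        findings.append(("noncompliant", "self-signed certificate"))
    elif rec["issuer_cn"] not in policy["trusted_cas"]:
        findings.append(("noncompliant", f"unknown certificate authority: {rec['issuer_cn']}"))
    if rec["subject_cn"].startswith("*.") and not policy["allow_wildcard"]:
        findings.append(("review", "wildcard certificate"))
    if not rec["owner"]:
        findings.append(("review", "orphan: no owner recorded"))
    not_after = datetime.strptime(rec["not_after"], "%Y-%m-%d").date()
    days_left = (not_after - today).days
    if days_left < 0:
        findings.append(("noncompliant", f"expired {-days_left} days ago"))
    elif days_left <= policy["expiry_warn_days"]:
        findings.append(("expiring", f"expires in {days_left} days"))
    return findings


def build_report(csv_text, policy, today_iso):
    """Classify every record; returns {host: [(severity, finding), ...]}."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    rows = csv.DictReader(io.StringIO(csv_text))
    return {rec["host"]: classify(rec, policy, today) for rec in rows}


def overall_state(findings):
    """Collapse a host's findings to its single worst state."""
    present = {sev for sev, _ in findings}
    for sev in SEVERITY_ORDER:
        if sev in present:
            return sev
    return "compliant"


def summarize(report):
    """Management summary: number of hosts in each overall state."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for findings in report.values():
        counts[overall_state(findings)] += 1
    return counts


def expiration_queue(csv_text, today_iso):
    """Expiration report: (days left, host, owner) soonest first; unowned certs stand out."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    queue = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        days = (datetime.strptime(rec["not_after"], "%Y-%m-%d").date() - today).days
        queue.append((days, rec["host"], rec["owner"] or "UNOWNED"))
    return sorted(queue)


if __name__ == "__main__":
    # Fixed "today" so the constructed sample classifies deterministically.
    report = build_report(INVENTORY_CSV, POLICY, "2017-01-10")
    for host, findings in report.items():
        print(host, overall_state(findings), findings)
    print(summarize(report))
    print(expiration_queue(INVENTORY_CSV, "2017-01-10"))
```

Classify before you contact owners, as the article advises: the summary counts give you the workload, and the expiration queue tells you whom to chase first.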
Who owns these certificates?
By default, no one wants to be the owner of a certificate. This is why, when you get the discovery data, you must look at the certificate's associations and start contacting the asset owners. A good CMDB (configuration management database) helps associate assets with owners. Note that valuable information on the certificates or keys generally comes from the system owner. This is one of the most difficult tasks in certificate and key management, but if you spend enough time and you have the right support from management and your IT partners, you end up with a solid Trust Protection Platform. Be prepared to send multiple emails and initiate multiple calls.
Also use the expiration dates to your advantage. No one wants to see his or her system go down because of a certificate or key that was not renewed in time. Employees surely will contact you, most likely when the policy dictates that a designated system should generate all the certificates, and a designated certificate authority (CA) should sign them.
When do they expire?
This question is a blessing and a challenge.
It is a blessing because, as stated above, when a certificate is getting close to its expiration, everyone, and particularly system owners, wants to make sure it is renewed to avoid any outage. Therefore, by sending out an expiration report, the "real" owners will contact you to take action on the certificate. Do not forget to update the certificate with the owner's information and move the certificate to the appropriate group and policy.
The challenge is the short window before the expiration and the fact that not everyone will be familiar with these certificates (as a result of employee rotation, old systems, unsupported applications, etc.). Do not hesitate to escalate the expiration notification to the highest level to get some traction on the rotation of the certificate or key.
What do I report to management?
The success of your project relies heavily on management support. Therefore, report on all aspects of the project. Send emails to management with details on the cleaning process. After some time, with the information you gathered on the certificate and key owners (targeted audience), you can start reducing your distribution list. Use the tool you are working with to generate all the reports possible and distribute these reports to management with a short and to-the-point summary.
Always make sure you report on the progress. Going from 1,000 unknown certificates to 100 is a very big deal, and you need to share this information with management to let them know you are on the right path, and how they can continue to assist you.
Divide your project into multiple phases that are easily accomplished. Start from the perimeter and get deeper into your infrastructure. Build a priority list and start working on the tier 1 systems.
Remember that you were once blind, and now you can see. That is, you were able to clean the environment with the help of your IT partners and the support of management. Therefore, escalate any item that is out of your authority and follow up until you close the item.
The right tool to use
Generally, most CAs have a portal to generate and manage the certificates they issue. In most cases, though, you will have more than one CA. Also, be sure to take into account all the self-signed certificates and those certificates that unknown and untrusted CAs signed.
You therefore need a tool that builds a layer above your existing infrastructure and works with all the CAs and types of certificates and keys existing in your digital universe. There are many solutions on the market, but I strongly suggest you go with one of those located in the top right of Gartner's Magic Quadrant. Why? Because it likely means many security professionals use one of those solutions, and more CAs and other digital authorities will build APIs to work with them.
Take some time, go through your normal due diligence, and make sure you get the solution that permits you to manage at least 70 percent of your digital universe. Remember that after you discover a certificate, it has nowhere to hide anymore. Also remember that any rogue certificate is an open door to your network and valuable data. Keep your systems environment clean.
An ideal solution will help automate the full life cycle of a digital entity:
- Certificate and key discovery (inventory)
- Certificate, key request and generation (provisioning)
- Certificate and key installation
- Certificate and key monitoring (expiration and compliance)
- Certificate and key revocation
Managing your certificates and keys cannot be done manually. You need to look for a good solution and evaluate all the functionalities it provides. You also need to involve others in this process. Your IT partners and management are essential to helping you negotiate all the sharp turns and bumps on the road to a robust Trust Protection Platform.
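The expiration report (see "When do they expire?") and the progress numbers for management described above, as an added example that is not part of the original article: a stdlib-only Python sketch run over a constructed inventory. The record fields, the 30/90-day thresholds and the escalation targets are assumptions, not any product's data model.

```python
"""Expiration report and ownership-progress metrics for a certificate inventory.

Added example (not from the article): the inventory records below are
constructed in place of the discovery data a management tool would export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds, in days, for the expiration buckets (assumed values).
WARNING_DAYS = 30
NOTICE_DAYS = 90


@dataclass
class CertRecord:
    subject: str            # CN or SAN as reported by discovery
    issuer: str             # issuing CA, or the subject itself if self-signed
    not_after: datetime     # UTC expiry taken from the certificate
    owner: Optional[str]    # None when the CMDB lookup found no owner
    group: str = "Unknown"  # policy group; "Unknown" until an owner claims it

    @property
    def self_signed(self) -> bool:
        return self.issuer == self.subject


def expiry_bucket(rec: CertRecord, now: datetime) -> str:
    """Classify a certificate by how close it is to expiration."""
    days_left = (rec.not_after - now).days
    if days_left < 0:
        return "expired"
    if days_left <= WARNING_DAYS:
        return "warning"
    if days_left <= NOTICE_DAYS:
        return "notice"
    return "ok"


def escalation_target(rec: CertRecord, bucket: str) -> str:
    """Who the notification goes to: the owner if known, otherwise escalate.

    Ownerless certificates that are expired or inside the warning window go
    to management; ownerless ones further out go to the IT partner list.
    """
    if rec.owner:
        return rec.owner
    if bucket in ("expired", "warning"):
        return "escalation:management"
    return "escalation:it-partners"


def build_expiration_report(inventory: List[CertRecord], now: datetime) -> List[dict]:
    """Rows for every certificate in or past the notice window, soonest first."""
    rows = []
    for rec in sorted(inventory, key=lambda r: r.not_after):
        bucket = expiry_bucket(rec, now)
        if bucket == "ok":
            continue
        rows.append({
            "subject": rec.subject,
            "bucket": bucket,
            "days_left": (rec.not_after - now).days,
            "owner_known": rec.owner is not None,
            "self_signed": rec.self_signed,
            "notify": escalation_target(rec, bucket),
        })
    return rows


def ownership_progress(inventory: List[CertRecord]) -> Dict[str, float]:
    """Numbers for the management update: how much of the estate is still unknown."""
    total = len(inventory)
    unknown = sum(1 for r in inventory if r.owner is None)
    self_signed = sum(1 for r in inventory if r.self_signed)
    return {
        "total": total,
        "unknown_owner": unknown,
        "self_signed": self_signed,
        "known_pct": round(100.0 * (total - unknown) / total, 1) if total else 0.0,
    }


def claim_certificate(rec: CertRecord, owner: str, group: str) -> CertRecord:
    """Record the owner and move the certificate to its group once the owner replies."""
    rec.owner = owner
    rec.group = group
    return rec


# Constructed sample inventory (not real discovery data).
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    CertRecord("www.example.com", "Example Internal CA", NOW + timedelta(days=400), "web-team", "Perimeter"),
    CertRecord("legacy-app.example.com", "legacy-app.example.com", NOW + timedelta(days=12), None),
    CertRecord("payroll.example.com", "Example Internal CA", NOW + timedelta(days=60), None),
    CertRecord("old-vpn.example.com", "Example Internal CA", NOW - timedelta(days=3), "network-team", "Perimeter"),
]

if __name__ == "__main__":
    for row in build_expiration_report(SAMPLE_INVENTORY, NOW):
        print(row)
    print(ownership_progress(SAMPLE_INVENTORY))
```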
William Nana Fabu, CISSP, is an (ISC)2 member based in the Atlanta area who works in financial services. He is originally from Cameroon and is a past contributor to InfoSecurity Professional magazine.
5 Minutes with Jason Sachowski
An abbreviated version of this Q&A appears in the July-August issue of InfoSecurity Professional magazine.
Jason Sachowski lives in Toronto, Ontario, Canada and is originally from Dryden in Ontario. He is the director of Security Forensics and Civil Investigations at Scotiabank and has been an (ISC)2 member for nine years.
When you were 10, what did you want to be when you grew up?
So I went back into the "School Day Treasures" book my mother kept and found that I really wanted to be Spider-Man. Appears that when I found out superhero training was not part of the elementary school curriculum, I gave up on that dream. The following year, I set my sights on becoming a police officer.
When did you realize you wanted to pursue a career in information security?
Going through high school in the mid-1990s, there weren't a great deal of technology-based courses being offered. As graduation approached, I applied for both journalism/communication and film studies at a variety of university and college programs. After several rejections, I decided to go back for one more year of high school to focus on law and policing. From there, I went on to study physical security management at Fleming College in Peterborough, Ontario, Canada.
In my graduating year, I was speaking with the program coordinator about career options, where I learned about a new program being offered by Fleming College called Computer Security and Investigation. After doing some research, I came to learn what information security and digital forensics were all about, so I decided to give the program a try. It was probably well into my second year of the Computer Security and Investigation program when I started to think that this could really turn into a career, but I was still hesitant because there really weren't a lot of jobs in the market for digital forensics. It wasn't until my last semester, when I was placed on my "work term," that I came to realize that this is what I wanted to do as a career. And, well, the rest is history.
How did you become an (ISC)2 member?
I had just started in the first role of my information security career where I was doing a lot of hands-on technical work. I was looking around for ways I could start making a name for myself and showing my peers what I know. While speaking with a colleague, I was told to look at the Systems Security Certified Practitioner (SSCP) accreditation. In 2008, I passed the exam and became an official (ISC)2 member, which I feel was the milestone that catapulted me to where I am today.
The financial industry is a prime target for cyber attacks and therefore a bellwether for both problems and solutions. What do you see happening within the banking industry in terms of preventing emerging and existing threats?
There are really a few sides of the spectrum when it comes to emerging and existing threats. The first is centered on the global changes happening in the way we conduct business. The digital transformation most organizations are experiencing is driving them to re-evaluate their business models and become more agile in finding new ways to meet customer demands that don't tie them down to the traditional "brick-and-mortar" approach.
The second is how we - as security professionals and everyday users - go about making sure we protect our personal and otherwise confidential information in an always connected and technology-driven society. With demand growing for organizations to provide their increasingly mobile customer bases with products that are accessible at any time and from anywhere, the lines once separating the different types of information (e.g., banking, social media) are getting blurred as devices become "smarter" and provide users with greater functionality.
Lastly, at the CEIC 2015 conference, I attended a keynote by Brian Krebs, where he was discussing his perspectives and insights into cyber crime and cybercriminals. During the Q&A session, I was able to ask him, from everything he has seen to date, what he thought the future held for cyber crime. He responded by describing how today's cybercriminals execute attacks independent of each other and with little knowledge of their victims. Soon, we'll see cybercriminals become much more coordinated in their efforts and have heightened contextual awareness of their victims, which means that cyber attacks will be better planned, executed, and specific data targeted for exfiltration.
Why did you decide to become involved in Safe and Secure Online?
When I was growing up, technology was not as prevalent as it is with today's youth. We used physical interactions to communicate, which meant that all of our actions, behaviors and words were done in real time and had a much more immediate impact. As a father, I'm watching my kids grow up with the infinite knowledge of the internet at their fingertips but not truly understanding the inherent risks of how, through technology, we are becoming more dissociated from the traditional interactions of a society. When I was approached about bringing the Safe and Secure Online program into Canada, I jumped at the opportunity to educate children about cyberbullying and cybersecurity. In 2011, I had the honor of presenting the very first Safe and Secure Online program in Canada, which has not only helped to educate our youth but has also given me an appreciation of how important it is to include this type of curriculum in our school systems.
And what have you done to help promote internet safety among children?
As part of bringing the Safe and Secure Online program into Canada, we partnered with the Toronto school board to bring this education and awareness to thousands of elementary school children right from kindergarten on up. We focus on the importance of knowing what activity, information and content are appropriate for the internet. We also discuss some elements of computer security so children understand what they can do to make sure when they or anybody else using technology are protected from computer or online threats. Aside from these, I think the most important topic we discuss is cyberbullying: what is it, how it affects everybody involved, and what can be done to prevent it from happening. Even though cyberbullying is one of the many topics being taught, it has been the most rewarding experience because of how we are able to bring such heightened awareness to the problem and make such a positive impact.
Given all the ways children can now access the internet at school and at home, what is the most important tip you have for teachers, parents or guardians in keeping children safe?
With the Safe and Secure Online program, not only have we targeted children but we've taken opportunities to educate teachers, parents and guardians about internet/computer safety and cyberbullying. The most important thing we communicate during these sessions is the importance for teachers, parents and guardians to properly educate themselves so that they can continue reinforcing the need for children to be safe and secure. One tip for parents and guardians is to establish a set of rules or guidelines for their children when it comes to using the internet or any technology. A sample rule would be to have children write down all of their passwords (e.g., social media, email, devices) on a piece of paper, seal the paper in an envelope, write their name and label as "password," and hang it on the fridge door. By doing this, parents and guardians will have access to the children's profiles if needed, and the children will know that they are helping to protect themselves but also that the privacy of their profiles is maintained in the sealed envelope.
What else are you actively involved in at (ISC)2?
After I became an (ISC)2 member, I was looking for ways to further establish myself as an information security professional and also to network with other professionals around the world. In speaking with a colleague, I learned about an opportunity to get involved with (ISC)2 as a subject-matter expert for the ongoing development of the Systems Security Certified Practitioner (SSCP) exam. From there, I branched out and over the years became involved in exam development for the Certified Information Systems Security Professional (CISSP), Information Systems Security Architecture (ISSAP), Certified Secure Software Lifecycle Professional (CSSLP) and Certified Cyber Forensic Professional (CCFP) certifications. While participating in these forums, I got to network with other professionals, which eventually led to me getting involved with Safe and Secure Online and becoming a contributing author in the former North American Advisory Board Executive Writers Bureau (NAAB-EWB).
I hear you released a book. What's it about, and how difficult was it to find the time to write it?
Yes! I'm pretty excited about it. The book is titled Implementing Digital Forensic Readiness: From Reactive to Proactive Process, which was released in February 2016 through Syngress/Elsevier. At a high level, the book details how to proactively maximize the use of electronically stored information to reduce the cost of digital forensic investigations. The book was written from a non-technical, business perspective and is intended as an implementation guide for organizations to enhance their readiness capabilities with regard to managing business risks, such as validating or reducing the impact of cyber crime, supporting litigation matters or demonstrating regulatory compliance.
Prior to this book, I was writing articles and blogs for both the NAAB-EWB as well as DarkReading (http://www.darkreading.com), where the style of writing is very non-academic and can be drafted in a matter of hours.
When it came time to sit down and write this book, I found that following a similar approach did not work because of how the book content needed to be planned out, researched, and much more academically structured. Even though I had figured out my strategy for getting the book written, it still required a significant amount of time and dedication to finish it on schedule. Essentially, any free time I had was spent on the keyboard typing out 100, 200 or 300 or more words.
So you're from Canada. How do you deal with the long winters?
Growing up in Dryden, which is located about seven hours north of Minneapolis, winters were much longer and colder than here in Toronto. As a kid, I remember my parents having to keep our vehicles plugged in to the electrical outlets so the engine would start. When it came to temperatures below -30°C (-22°F), we would tend to hibernate inside and play with our action figures, Legos, etc. Now that I live in the Toronto area, winters are not as cold but are still Canadian winters in the sense that they are long. Since the temperature is milder, we're not so confined indoors all winter and have more chances to get outdoors. There hasn't been a great deal of snow in recent years, so we've been spending our time outdoors by getting exercise walking around the Toronto Zoo.
If members were to visit your country, what are one or two things they need to do or eat to have a truly Canadian experience?
Canada is so multicultural that depending on what region you visit or with whom you talk, you're most likely to get a different response. For me, growing up in a rural part of Canada, having traveled across the country and back and later moving into such a suburban area, I've had so many different experiences and tried all kinds of foods. While I think the staple of Canadian food culture is putting maple syrup on just about everything, I would have to pick the BeaverTail - which is hand-stretched pastry, shaped like a beaver tail, then fried and topped with sweet confections - as the food to try. In fact, BeaverTails are so famous that even U.S. President Barack Obama stopped for one when he visited Canada back in 2009.
In terms of a true Canadian experience, there are always landmarks such as the CN Tower or Niagara Falls that come to mind. But to me, a true Canadian experience doesn't exist within the cities or tourist centres; it's located in the wilderness. Combining fishing across multiple seasons, my summer experience would be a fly-in fishing trip to a remote northern location, and my winter experience would be ice fishing in a wooden hut in the middle of a lake.
2016 Volume 6, Issue 2
Our Machines May Be Outwitting Us
The devices we rely on are getting smarter - but are we? That and other warnings from information security experts at this year's RSA Conference
By Deborah Johnson
Security. Safety. Trust.
Vulnerabilities. Threats. Attacks.
Those were the recurring themes at this year's RSA Conference in San Francisco's Moscone Center, where 40,000 cybersecurity practitioners and more than 500 tech companies gathered to share ideas and offer potential solutions to the challenges facing the industry.
As a first-time RSA attendee, I was captivated by the wealth of knowledge and experience on hand. With such a vast amount of brain power in one place, surely, one would think, the hackers don't stand a chance. Add to that the hardware and software on display, all aimed at getting at the "bad guys." We (the good guys) have got to be winning!
Actually, no. Not according to some of the industry leaders on hand.
"Our problem is not a technology problem. Our adversaries are not beating us because they have better technology. They are beating us because they are more creative," declared Amit Yoran, RSA's president.
"Devices are becoming smarter, and we're becoming more stupid," warned Hadi Nahari, vice president/security CTO at Brocade Communications, Inc.
Those two assertions were eye-opening for me. I had thought that "we," the larger society of brains who created (and continue to innovate) our cyber-dominated world, were in control. That "we," I had to remember, included the good guys (most of us) and the bad guys. So, yes, maybe we were in control, mostly, but it depended on which hat was being worn - white or black.
The Conference offered hundreds of panels, presentations, roundtables and forums. I divided my time between the panels on professional development (how to build a strong security team, how to create a strong security culture in an organization) and presentations on threats and solutions and what the future may hold. I listened to (mostly) engaging, intelligent and savvy speakers, the aforementioned Amit Yoran and Hadi Nahari among them.
Armed with the latest information on our cyber vulnerabilities, I ventured out to the exhibition floors, two enormous spaces filled with the latest in programs, applications and equipment to help us protect our cyber lives and information and root out the bad guys. The exhibitors love to talk about their wares, and all it took was a question to get them going. What did I learn? The massive (and lucrative) security software business is finding more niches in which to offer its services. For instance, if your company outsources its HR duties and you want to make sure the vendor you hire is doing what he/she is supposed to from a security standpoint, there's a company to monitor the vendor for you. Or, say your company has a call center, and you want to root out fraudulent callers. There are services that will listen in and track down the fake callers. That's just a tiny sample of what's being sold on the showroom floor.
What it all boils down to is "trust." As consumers, we need to trust that our information, our work products, our very identities are safe. As cyber experts, each of you is trying to make that a reality.
But, and here is the snag - the fly in the ointment - the burr under the saddle: What about "privacy?"
The Apple vs. FBI controversy was definitely top of mind. The issue was batted around in just about every venue. As I expected, most participants that I heard (both on and off stage) believed that Apple should stand firm, that the U.S. government was asking for something that would set a dangerous precedent, one that would imperil all of our privacy rights.
Which led me to ponder the whole issue of just how private our cyber information is anyway. In reality, anything we say online through social media is out there. When it comes to our banking, our taxes, our email, we like to think they are all private unto us (unless you're doing this work on your workplace computer). But, is it really? Who at my bank sees my records? What clerk at the IRS sees my tax return? And, of course, anyone can see my Facebook and Twitter postings. So far, I don't mind.
But, all these tools that are being developed to monitor, to vet, to put controls on who has access to what are only as good as the people using them. And I'm not just worried about invaders absconding with my bank account. I also think about entities that can use the information they collect for their own benefit at my expense, say, an employer who doesn't agree with my political opinions. Or an organization (university, association, etc.) that may not appreciate my religious beliefs. Am I being paranoid? Perhaps, just a little.
What I can do is hope that most of those 40,000 cyber experts and practitioners - and the thousands more worldwide - are indeed working for the "greater good."
For my part, I'm changing all my passwords.
Deborah Johnson is managing editor of InfoSecurity Professional magazine.
5 Minutes with Lt. Col. Husin Jazri (Retired)
A shorter version of this Q&A appeared in the March-April issue of InfoSecurity Professional magazine.
Lt. Col. Husin Jazri (Retired), CISSP, is originally from Kuala Lumpur, Malaysia but now resides in Windhoek, Namibia, where he is an associate professor in computer science and informatics at Namibia University of Science and Technology. He has been an (ISC)2 member since 2002. You can reach him at email@example.com or firstname.lastname@example.org.
How did you first become interested in information security as a career?
I became involved in information security when I started my first job as a commissioned officer in the Royal Signal Corps of the Malaysian Armed Forces in 1987, after completing a bachelor's degree in engineering from the University of Hartford in Connecticut (U.S.A.). I was fortunate the university selected me as one of its Armed Forces scholars. I have to admit that the American education system has strongly shaped my thinking process.
What would you consider your career high point[s] to date?
Briefly, my career has been divided into four areas: military service; government service; business development; and research and academic. Each one has had both high points and challenges. The first period was military service. During this time, I subscribed to the hypothesis that technology is an enabler and game changer to the organization. With this belief, I had been tasked to bring an information and communication technology culture into the military force, and it was a big challenge then, when most of the seniors were seasoned counter-insurgency combatants.
I had to overcome their hesitations and prove that changes can be positive if taken appropriately. The successes came with the formation of appropriate establishments within the military force, and I received a service excellence award and fast promotions as a result. That was roughly a 12-year effort, and from this experience, I learned that every change has its timing, and we must keep on challenging in order to succeed.
My second career area was with government-related companies, i.e., a research institution that led to the formation of a national cyber security institution. The culture within this realm was different from what I experienced in the military arena. Thus, I realized we needed a new form of a cybersecurity agency at the national level - this time not fashioned from regulatory and bureaucratic perspectives, but rather from science and technology perspectives. As such, I focused on research, experimentation and innovation to address the dynamic threats of the cyber world. This was very exciting, since traditional security environments subscribed to an autocratic culture where command and control is fully exercised. We can never address the problems in the cyber world effectively, however, using this model.
Science and technology, R&D and innovation flourish better in a non-autocratic culture. This hypothesis led to the formation of a cybersecurity agency with science, technology and innovation at the forefront. I was privileged to lead this agency for 12 years, from cradle to adulthood. As a result of my efforts, I received the (ISC)2 Harold F. Tipton Lifetime Achievement Award and many other honors. The sweetest memory is being able to visit the White House under the invitation of [board member] Howard Schmidt when he was the cybersecurity advisor to President Barack Obama.
My third career area was working with business enterprises. The challenges were different. I found that no matter how wonderful our ideas were, and how good or secure our solution was, they had to fall back on business fundamentals, namely supply and demand, customers' perceptions, resource limitations and time constraints. I was able to serve at least five cybersecurity companies -- two of them outside Malaysia. By this time, I realized that business success is not entirely due to your own effort; many external factors come into play, such as being at the right place at the right time and knowing the right people. Despite many challenges, I received a prestigious Platinum Award from the Industry Association in Malaysia.
The fourth area is my current career in research and academics. I now have the chance to document key experiences into papers, journals and conference publications. A good part of this experience is to be able to conceptualize real-life experiences and to share them with students. I am a proponent of people-process-technology interactions, and my research focuses on information security in this context. This type of research is needed here, in Africa, as it may not be as big an issue in the developed world.
What prompted you to move to Namibia?
Mainly, the opportunity to apply my career experiences in the academic world and to live in a part of the world where information security education is strongly needed intrigued me. In this regard, I must thank Professor Jill Slay [a former (ISC)2 Asia-Pacific Advisory Council member] and the Namibia University of Science and Technology for giving me the chance to be part of this dynamic academic team. I am very grateful and honored to serve this institution and interact with so many friendly people from Africa.
How is it different to teach students in a classroom than entry-level employees in a company?
Students in a classroom environment have different motivations than employees in a company. It takes more effort to convince them of a point of view, as they are free to adopt it or quietly walk away. Their primary motivation is to perform well on exams and to acquire knowledge. I enjoy engaging mature students and working students, as they better relate to what is being taught.
As for employees, they are subjected to company policies, rules and regulations. Their motivation is based upon compliance and feasibility to implement.
You've mentioned that more attention needs to be focused on southern African regions and nations. Why is this?
The region is represented by 15 countries with a regional development agreement called the Southern African Development Community (SADC). These countries are developing at a rapid pace, and I cannot overstate the dire need for effective cybersecurity regulations, governance and best practices.
What would you like to do to bring more attention (and resources) to this region?
First, I would like to call upon members of (ISC)2, especially those with influences in their workplaces, to consider Southern Africa as a strategic region to explore. Attention and resources can come in many innovative ways, ranging from academic works, pure and applied research, collaborative and mixed research, volunteerism, experience exploration, commercial expansion and the like.
Secondly, I would urge (ISC)2 as an organization to consider having a presence in this region through collaboration with suitable institutional champions in each of these countries. For instance, (ISC)2 could partner with the local government on collaborative research projects and awareness programs such as Safe and Secure Online, and collaborate with the Namibia University of Science and Technology to conduct online Review Seminars and online certification exams.
What do you like to do to relax outside of work?
At any possible opportunity, I like to get closer to nature and enjoy the beautiful landscapes and wild animals of Namibia, which I would say are a hidden treasure of the world.
I have been to some amazing places in Namibia, including Swakopmund, Etosha National Park, Walvis Bay, Luderitz, just to name a few. I would like to visit Cape Town, Victoria Falls, the beaches of Mauritius and many more places when the opportunity arises.
If you could recommend one place everyone should visit at least once in their lifetime, what would it be, and why?
For nature lovers, Namibia is well-known for its Etosha National Park, a safari park that would enable (ISC)2 members to get closer to nature while spending time with family members. Zambia and Zimbabwe are well known for Victoria Falls, one of the natural wonders of the world. South Africa is home to beautiful Cape Town for relaxing and waka-waka dancing. Mauritius has beautiful beaches and aloha greetings. Each and every one of these SADC countries has a unique feature worth visiting at least once in a lifetime.
Thus, I urge (ISC)2 members to look for every possible opportunity to come to this part of Africa and experience it for yourself. There's no other place in the world like it.
2016 Volume 6, Issue 1
Analog vs. Digital: The Great Divide
By Gordon Merrill
To the horror of everyone working there, the bank on the corner of Main and 32nd streets was just robbed at gunpoint by three men wearing ski masks. Very stereotypical, I know, but work with me here. What follows may surprise you.
To the dismay of the bank personnel, there are no police cars or sirens, no detectives, no request to view camera videos and very little concern by anyone outside the bank. The bank just lost hundreds of thousands of dollars, and now, without any police activity and no one seemingly racing to help, angry customers are asking bank officials, "What do you intend to do about this?" Meantime, news reporters at the door want to know why the bank was "so lax" as to allow these gunmen with automatic weapons to run off with customers' assets.
Sound absurd? Well, it happens almost daily. The reason you don't recognize it is this is the difference in how the world responds to a digital crime versus a regular (analog) crime. Why is that? And, why do we allow it?
When there is a physical robbery, no one questions if the bank should have had better security or if the bank had sufficiently tried to foil the crime. Instead, the bank is viewed as one of the slate of victims, and those responsible for these crimes are sought, found, tried, convicted and punished. If the poor robber had only thought to go home and sit on his couch and hack into the bank to steal the funds, in most cases he would have been able to get away with it; foil the investigators; make it too difficult to investigate; and watch as law enforcement drops the case.
This is in no way intended to disparage our members of law enforcement. It does, however, highlight that they seem to have a growing cybercrime caseload and too few resources. This is especially true if the case crosses countries to international targets where, in some cases, there is little or no cooperation from the other authorities. So why, in the digital world, is the other victim - the bank - criminalized, with bank officials charged, fined, or even jailed instead of the real criminals?
Somehow, we quit looking at crimes the same way after the introduction of digital. The last great overall federal privacy legislation designed strictly to protect personal privacy was enacted before personal computers were popular or cell phones were even invented. So, let's look at this a little differently, assuming that we had similar protections for all our digital transactions as we do for our analog ones. How much different would the same bank scene look applying analog laws and crime scene investigation principles to a digital robbery?
To the horror of everyone working there, the bank on the corner of Main and 32nd streets has just been robbed by several simultaneous hacking techniques that breach the bank's digital defenses. Soon after sounding the alarm, the police arrive, followed shortly by the FBI to investigate the federal crime of bank robbery. The police secure the crime scene and export data from the data center for forensic review. In this scenario, the bank workers and management are still viewed as victims, not criminals, because someone broke in and stole from the bank.
Following the same line of reasoning, I guess in the analog world, if someone broke into your home and stole your new flat-screen TV, the burglars would be found and charged. But, in the digital world, the homeowner would be charged for not having the most up-to-date alarm system.
Or, consider the farmer with a barbed-wire electric fence and numerous "No Trespassing" signs. One day, a drunk driver plows through the fence and gets out of his car, where he is injured by a charging bull. Do you want to guess who the criminal in each situation is? In the analog world, it would be the drunk driver; in the digital world, it would be the farmer.
So, back to one of the original questions: how did we get to this point, and why do we allow it to continue? Some of the most profitable businesses in this economy are those that gather all kinds of data on you and me and sell it, without ever obtaining our permission to gather it, store it or sell it. Maybe these operations have lobbied to keep the law anchored in the analog world. Has the ability to openly buy and sell citizens' private data made it too profitable to regulate? And has that absence of regulation beyond the analog level left us powerless to regulate and prosecute the true criminals in digital, or cyber, crimes?
Information security professionals face an uphill battle trying to shore up their defenses with only analog-era regulations behind them. They confront not only genuine cybercrime threats but also civil penalties when they are victimized by criminals who cannot be pursued and who outnumber the defenders. Maybe the foundation of our whole system of personal privacy law is upside down, but that sounds like a whole different article.
Gordon Merrill, CISSP, MSIA, is a cybersecurity professional whose career spans more than three decades and has taken him to 48 states and six foreign countries. Gordon's information assurance background includes working for major computer companies, managing IT projects for Fortune 250 companies in the risk management field, owning a business and working as a private consultant. He has chaired the information technology department at a local college and served as primary instructor for its Bachelor's Information System Security Department, instructing students in all the CISSP domains. Gordon's experience and research have left him most worried about eroding personal privacy and the lack of any real prospect of data integrity.
5 Minutes with Geraldo Fonseca
Geraldo Fonseca is an IT security coordinator who lives and works in Rio de Janeiro and has been an (ISC)2 member for seven years. He currently serves on the (ISC)2 Latin America Advisory Council.
What's it like to live and work in Rio de Janeiro right now, with the Summer Olympics just months away?
The city has been turned upside down. There are countless transit modifications, public transportation reorganization and construction all over the city. There are dozens of improvements underway to the subway and bus systems, and the government is installing a new light rail system that will run through most of downtown Rio and building new tunnels and overpasses. The city's electric grid is also being upgraded in order to increase its reliability during the Summer Games. Finally, the Olympic venues themselves are mostly still under construction, which means that in some areas, the streets are filled with heavy vehicles and machinery.
As a commuter, my typical trip from home to work went from less than 40 minutes to more than an hour.
How have the recent World Cup and upcoming Olympics changed the city and the region?
The interventions I mentioned have turned the city's already complicated traffic situation into a chaotic one. I do think most of the citizens understand that this is a temporary burden, and the projected improvements to the city's infrastructure are well worth the hassle.
The official estimate is that Brazil received around 1 million international tourists during the World Cup, which had venues in 12 different states over a more than month-long period. The city of Rio de Janeiro alone is expected to receive somewhere between 300,000 and 500,000 international tourists during the two weeks of the Olympic Games (this does not even take into account the Paralympic Games). This, of course, means a lot of income for the local economy, and it has stimulated investments in the airports, hotel chains, public areas, etc.
In what ways has all of this international attention impacted information security professionals in Rio de Janeiro?
I wouldn't say the impact is restricted to Rio, since many companies directly involved in the Olympic Games organization are not based in the city. The visibility that the event will bring to the city is quite big, and many organizations have made investments in their teams and infrastructure to reduce the cyber threats that will likely emerge during the games. That, along with the general awareness that the big cybersecurity incidents of the last couple of years have created, has stirred up the market a bit and helped create some interesting opportunities, despite the poor economic performance the country has shown in the same period.
How is working in Brazil different than in other parts of South America?
Unfortunately, my experience working with other South American professionals is somewhat limited, but I would risk saying that South (and Latin) American countries share many cultural aspects, the most noticeable one probably being that we are generally very altruistic in our professional relationships.
How did you become a professional in information security?
I guess I am one of the late '90s cases of being "a sysadmin that deals with firewalls." Since then, I have dedicated my career to information security.
How important is your (ISC)2 credential to your career?
In Brazil, the CISSP bears a lot more "weight" than in the United States. I believe this is because the number of certified professionals is much smaller here than in the U.S. There were even fewer CISSPs in Brazil back in 2008 when I earned my certification. I used to say that being a CISSP does not change who you are as a professional, but it surely does give you an advantage when an employer is comparing your resume to that of someone who is not certified.
What is something people might be surprised to learn about you?
I guess that at first, people might consider me an earnest and maybe even a grave person, but I think it's just the way I deal with my shyness. My wife says that it has nothing to do with shyness; it is just another way I find to be sarcastic. Well… she is probably right.
What do you do to reduce stress from work?
I like to travel with my family as often as possible. We especially love going to the beach. I also learned a few years ago that brewing your own beer, although demanding work, is a pleasant and rewarding hobby that involves a lot of research, experimenting and community interaction.
I've heard Mardi Gras is also big in Rio. What's it like to be working in security when that time of year comes around?
Ahhhhh, Carnival!!! I could mention impressive numbers, like 2.3 million people on the first day of one of the street festivals alone. But that would not do justice to the five-day event that practically halts all the nation's activity. It is said to be the largest popular celebration in the world, and the word "unspeakable" is often and very accurately used to describe it. Of course, it is a thriving period for phishing and general scams involving the theme.
If you could recommend one thing every tourist should do while in Rio, what would it be?
That is a hard one. The Santa Teresa district is the go-to place for local restaurants and pubs. And if after dinner and a few drinks you are still game, take a five-minute taxi ride to the Lapa district and spend the rest of the night in one of many nightclubs.
The obvious tourist destinations in Rio will keep you busy for a few days, including Sugar Loaf, Corcovado, Maracanã Stadium, the central beaches like Ipanema and Copacabana and more. But if you are in for more than a few days, you should definitely explore seaside cities like Buzios to the east and Angra dos Reis to the west.
An abbreviated version of this Q&A appeared in the January/February issue of InfoSecurity Professional.