
SPoT: Michael R. Farnum / @m1a1vet
Welcome to today’s entry in the ongoing SPoT series. Today, we are covering someone who serves a different role in security, Michael R. Farnum, who is a Pre-Sales Security Engineer for a VAR / Consulting company. Most of our SPoTs to date have been client-side practitioners, but that is most certainly not a requirement to be considered a “Security Pro”. Mr. Farnum is also known for his role in An Information Security Place, a blog which offers insightful security podcasts a minimum of once each month. The podcast discusses a range of topics, including hacking, security breaches, PCI, vulnerabilities, security/compliance audits, and cybersecurity.
Real Name: Michael Farnum
Twitter Handle: @m1a1vet
Top 3 Social Media/Networking Sites:
Twitter, LinkedIn, YouTube
1. In which area(s) of security are you most involved?
Because I am a pre-sales security engineer for a security consultant / VAR, I tend to have my fingers in a lot of pies. I talk to clients about risk, compliance, and security assessments. I also talk to them about security technologies to fill the gaps found when doing a gap analysis or assessment. I have to keep pretty current in those areas as best I can [to] find opportunities to help my clients. I also podcast about security quite a bit (since Twitter and work have pushed down my blogging volume).
2. What security topics will be the most important in the next 18 months? Why?
I think more and more disillusionment with PCI will really begin to cause the PCI Security Standards Council headaches. I believe you are going to see some big push back on PCI DSS by companies of all sizes, as more and more money has to be spent on keeping “compliant”. Though I have had major issues with Robert Carr, CEO of Heartland Payment Systems, in his recent interviews, I believe the auditing process has really come under fire lately and will continue to do so. It is a broken model.
Of course, cloud computing will continue to move up and up in everyone’s mind, in both infrastructure and, necessarily, security. Even if the economy improves, I believe this is a train [on which] more and more companies will jump, to varying degrees. And specific to compliance, if cloud providers can start showing that compliance headaches can at least be eased by the Cloud, then it will grow even more. I know that is a huge question, but if they can at least make CEOs and CIOs believe it, the Cloud will grow. I don’t like it, but there it is.
3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Let me change the focus of this question. I think the failure to secure one’s business infrastructure is a failure of basic responsibility. This is not just a business stakeholder issue, because security is not just about the ability of the business to turn a profit. Of course, security is a driver for profit if done right and applied correctly. But if the economy as a whole has major issues, then that business and every other business will begin to feel pain.
Here is what I mean. Good security measures contribute to the whole economy. Just like businesses often become a part of their neighborhood or the community as a whole by contributing money and resources for good causes, those businesses should also contribute resources to the security of the Internet as good Internet citizens. They must look at how their security posture affects the whole of the Internet. The Internet is, obviously, a huge part of the economy. When a company becomes a cesspool of malware, they become a hindrance and a detriment to that economy. Business over the Internet is not going to stop, but I wonder how much better it could be if even one third of businesses would clean themselves up.
4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Twitter started out simply as an outlet for my way of thinking. I am a “snippet” thinker. I am a quipper, if that is a word. I used to blog a lot, and I felt that I always needed to expand on my thoughts when I blogged. But I often simply wanted to kick out a thought and just forget about it, or at least save it for later. Twitter gave me a way to do that without feeling “guilty” for not expounding. I sometimes get into trouble via Twitter, but that is because I sometimes quip without thinking first. There are a lot of people doing research on various subjects and products via Twitter, so I have to be careful.
That same dimension of Twitter is what makes it so valuable. So many people are giving their “two cents’ worth” that I can literally come up with ideas on security which would never have naturally occurred to me without the inspiration from some Infosec Twit. It gives me options to take to clients.
5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Without a doubt, Chris Hoff (@beaker) is one of the top on my list. His insights into security continue to astound me. He is always on the forefront of security ideas, and his spectacular imagination makes his method of dispersal of those ideas entertaining.
6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.

The Cloud: A Modern-day Jabba the Hutt?
As stated above, cloud services make me nervous. I used to trust that “blob” out there where all my lines seem to terminate in the Visio drawing. But now that cloud providers want to get all my data floating out there, that trust has diminished quite a bit. I just don’t see the same enterprise that is buying DLP letting all their data go into this mass that looks more and more like Jabba the Hutt every day.
Social media is going to grow and grow and grow. I can’t go a day without hearing about another social network. I don’t think it is a fad. But it will continue to cause great security fears for me. I no longer have a Facebook account, because I just got sucked into it so quickly that I was not guarding my content very well. Yes, I only allowed certain people to see my page, but the temptation to let more and more people see it was getting out of control. That is why it never ceases to amaze me how so many security folks have Facebook pages and are on other social media sites. I don’t fault them. If they weigh the risk and deem it appropriate, then more power to ‘em. But I know my propensities, so I had to stop myself. If you are an infosec professional, then you have to look very closely to see if those types of sites are good for you [or not].
7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
- I am more and more into local user groups and conferences. I have attended TRISC here in Texas, and I attend local ISSA meetings. I am also looking to start up a local Houston NAISG chapter. That kind of event appeals to me.
- The RSA Conference is something I attend more for the socializing aspect (security bloggers gathering).
- BlackHat/Defcon are a must if you want to rub elbows with the geekier group.