SPoT: Michael R. Farnum / @m1a1vet

Welcome to today’s entry in the ongoing SPoT series. Today, we are covering someone who serves a different role in security, Michael R. Farnum, who is a Pre-Sales Security Engineer for a VAR / Consulting company. Most of our SPoTs to date have been client-side practitioners, but that is most certainly not a requirement to be considered a “Security Pro”. Mr. Farnum is also known for his role in An Information Security Place, a blog which offers insightful security podcasts a minimum of once each month. The podcast discusses a range of topics, including hacking, security breaches, PCI, vulnerabilities, security/compliance audits, and cybersecurity.

Real Name: Michael Farnum
Twitter Handle: @m1a1vet
Top 3 Social Media/Networking Sites:
Twitter, LinkedIn, YouTube

1. In which area(s) of security are you most involved?
Because I am a pre-sales security engineer for a security consultant / VAR, I tend to have my fingers in a lot of pies.  I talk to clients about risk, compliance, and security assessments.  I also talk to them about security technologies to fill the gaps found when doing a gap analysis or assessment.  I have to keep pretty current in those areas as best I can [to] find opportunities to help my clients.  I also podcast about security quite a bit (since Twitter and work has pushed down my blogging volume).

2. What security topics will be the most important in the next 18 months? Why?
I think more and more disillusionment with PCI will really begin to cause the PCI Security Standards Council headaches.  I believe you are going to see some big push back on PCI DSS by companies of all sizes, as more and more money has to be spent on keeping “compliant”.  Though I have had major issues with Robert Carr, CEO of Heartland Payment Systems, in his recent interviews, I believe the auditing process has really come under fire lately and will continue to do so.  It is a broken model.

Of course, cloud computing will continue to move up and up in everyone’s mind, in both infrastructure and, necessarily, security.  Even if the economy improves, I believe this is a train [on which] more and more companies will jump, to varying degrees.  And specific to compliance, if cloud providers can start showing that compliance headaches can at least be eased by the Cloud, then it will grow even more.  I know that is a huge question, but if they can at least make CEOs and CIOs believe it, the Cloud will grow.  I don’t like it, but there it is.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Let me change the focus of this question.  I think the failure to secure one’s business infrastructure is a failure of basic responsibility.  This is not just a business stakeholder issue, because security is not just about the ability of the business to turn a profit.  Of course, security is a driver for profit if done right and applied correctly.  But if the economy as a whole has major issues, then that business and every other business will begin to feel pain.

Here is what I mean.  Good security measures contribute to the whole economy.  Just like businesses often become a part of their neighborhood or the community as a whole by contributing money and resources for good causes, those businesses should also contribute resources to the security of the Internet as good Internet citizens.  They must look at how their security posture affects the whole of the Internet.  The Internet is, obviously, a huge part of the economy.  When a company becomes a cesspool of malware, they become a hindrance and a detriment to that economy.  Business over the Internet is not going to stop, but I wonder how much better it could be if even one third of businesses would clean themselves up.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Twitter started out simply an outlet for my way of thinking.  I am a “snippet” thinker.  I am a quipper, if that is a word.  I used to blog a lot, and I felt that I always needed to expand on my thoughts when I blogged.  But I often simply wanted to kick out a thought and just forget about it, or at least save it for later.  Twitter gave me a way to do that without feeling “guilty” for not expounding.  I sometimes get into trouble via Twitter, but that is because I sometimes quip without thinking first.  There are a lot of people doing research on various subjects and products via Twitter, so I have to be careful.

That same dimension of Twitter is what makes it so valuable.  So many people are giving their “two-cent’s worth,” that I can literally come up with ideas on security which would never have naturally occurred to me without the inspiration from some Infosec Twit.  It gives me options to take to clients.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Without a doubt, Chris Hoff (@beaker) is on of the top on my list.  His insights into security continue to astound me.  He is always on the forefront of security ideas, and his spectacular imagination makes his method of dispersal of those ideas entertaining.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.

The Cloud: A Modern-day Jabba the Hut?

As stated above, cloud services make me nervous.  I used to trust that “blob” out there where all my lines seem to terminate in the Visio drawing.  But now that cloud providers want to get all my data floating out there, that trust has diminished quite a bit.  I just don’t see the same enterprise that is buying DLP letting all their data go into this mass that looks more and more like Jabba the Hutt everyday.

Social media is going to grow and grow and grow.  I can’t go a day without hearing about another social network.  I don’t think it is a fad.  But it will continue to cause great security fears for me.  I no longer have a Facebook account, because I just got sucked into it so quickly that I was not guarding my content very well.  Yes, I only allowed certain people to see my page,  but the temptation to let more and more people see it was getting out of control.  That is why it never ceases to amaze me how so many security folks have Facebook pages and are on other social media sites.  I don’t fault them.  if they weigh the risk and deem it appropriate, then more power to ‘em.  But I know my propensities, so I had to stop myself.  If you are an infosec professional, then you have to look very closely to see if those types of sites are good for you [or not].

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?

• I am more and more into local user groups and conferences.  I have attended TRISC here in Texas, and I attend local ISSA meetings.  I am also looking to start up a local Houston NAISG chapter.  That kind of event appeals to me.
• The RSA Conference is something I attend more for the socializing aspect (security bloggers gathering).
• BlackHat/Defcon are a must if you want to rub elbows with the geekier group.

SPoT: Jeff Kirsch / @ghostnomad

Jeff describes himself as “Infosec geek, IT risk (yes I am a risk), CISA, husband and father“. As you can tell from his bio, he offers a a nice blend of professional and personal information, with a little fun thrown in, which is precisely what you’ll find in his tweets. Jeff personifies what many of us hope to find on Twitter: “real, interesting, and engaging people.”

Real Name: Jeff Kirsch
Twitter Handle: ghostnomad
Top 3 Social Media/Networking Sites:
Twitter, Linkedin, SecurityCatalyst.com

1. In which area(s) of security are you most involved?
I have been an IT Auditor for the last 8 years. I get to work with many aspects of security, but I find myself always drawn to the core infrastructure. If I am digging into operating systems, databases, or network security, then I am happy.

2. What security topics will be the most important in the next 18 months? Why?
Protecting what provides value has always been and will always be the most important challenge in security. I know that is a broad statement, but the technologies are always changing, thus provide a wide array of potential to the threat landscape. Ultimately, systems that provide a service have value and are targets. Being able to adapt to those trends will be most important.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Business requirements should be built into systems, instead of designing a system for security and then creating exceptions to the controls. Exceptions to security are typically not intended to create security holes; they result from a failure to design all needed business requirements into the security structure. Having good communication between security and business design are important early in a project to close any gaps that may arise.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I originally joined LinkedIn on advice from the Pauldotcom Security Weekly podcast when they discussed protecting your digital identity. It made sense; even if I had limited information available on my own profiles, that is better than having inaccurate information freely available. I jumped on Twitter later because it seemed the place to be. I thought I would just lurk around and drink from the Infosec knowledge tap, but I never expected to participate. Being on Twitter has allowed me to interact with people I probably would have been afraid to talk with otherwise.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name 2 if you can’t decide on only one)
I find Jack Daniel (@jack_daniel) is a great source of information for all the is network infrastructure [Editor's Note: Jeff submitted this answer before the Jack Daniel profile went live]. He has a no nonsense approach to dealing with issues that he sees arise. Christofer Hoff (@beaker) is certainly someone I recommend when it comes to the cloud. To say he spends a lot of time with his head in the clouds is not a negative thing in the least, and he gets down to business as well. There are many people out there that bring unique perspectives, and I enjoy the banter.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
I think social media and cloud services face similar threats that “traditional” technology faces. When you put information someone wants in a place they perceive they can get it, you usually see a lot of determination and effort put into gaining access. It is important to focus on educating people about how we can use these technologies while protecting the information that drives their usefulness.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
I don’t get out all that often, but when I do I stick with local events. I still engage a broad range of security professional at local events. I like the Northeast Ohio Information Security Summit, and always find great value in the people I meet. From my social network, I would say Defcon and Shmoocon sound like really great places to get together with security people from all around. Those are on my wish list for the near future.