SPoT: Michael R. Farnum / @m1a1vet

Welcome to today’s entry in the ongoing SPoT series. Today, we are covering someone who serves a different role in security, Michael R. Farnum, who is a Pre-Sales Security Engineer for a VAR / Consulting company. Most of our SPoTs to date have been client-side practitioners, but that is most certainly not a requirement to be considered a “Security Pro”. Mr. Farnum is also known for his role in An Information Security Place, a blog which offers insightful security podcasts a minimum of once each month. The podcast discusses a range of topics, including hacking, security breaches, PCI, vulnerabilities, security/compliance audits, and cybersecurity.

Real Name: Michael Farnum
Twitter Handle: @m1a1vet
Top 3 Social Media/Networking Sites:
Twitter, LinkedIn, YouTube

1. In which area(s) of security are you most involved?
Because I am a pre-sales security engineer for a security consultant / VAR, I tend to have my fingers in a lot of pies.  I talk to clients about risk, compliance, and security assessments.  I also talk to them about security technologies to fill the gaps found when doing a gap analysis or assessment.  I have to keep pretty current in those areas as best I can [to] find opportunities to help my clients.  I also podcast about security quite a bit (since Twitter and work has pushed down my blogging volume).

2. What security topics will be the most important in the next 18 months? Why?
I think more and more disillusionment with PCI will really begin to cause the PCI Security Standards Council headaches.  I believe you are going to see some big push back on PCI DSS by companies of all sizes, as more and more money has to be spent on keeping “compliant”.  Though I have had major issues with Robert Carr, CEO of Heartland Payment Systems, in his recent interviews, I believe the auditing process has really come under fire lately and will continue to do so.  It is a broken model.

Of course, cloud computing will continue to move up and up in everyone’s mind, in both infrastructure and, necessarily, security.  Even if the economy improves, I believe this is a train [on which] more and more companies will jump, to varying degrees.  And specific to compliance, if cloud providers can start showing that compliance headaches can at least be eased by the Cloud, then it will grow even more.  I know that is a huge question, but if they can at least make CEOs and CIOs believe it, the Cloud will grow.  I don’t like it, but there it is.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Let me change the focus of this question.  I think the failure to secure one’s business infrastructure is a failure of basic responsibility.  This is not just a business stakeholder issue, because security is not just about the ability of the business to turn a profit.  Of course, security is a driver for profit if done right and applied correctly.  But if the economy as a whole has major issues, then that business and every other business will begin to feel pain.

Here is what I mean.  Good security measures contribute to the whole economy.  Just like businesses often become a part of their neighborhood or the community as a whole by contributing money and resources for good causes, those businesses should also contribute resources to the security of the Internet as good Internet citizens.  They must look at how their security posture affects the whole of the Internet.  The Internet is, obviously, a huge part of the economy.  When a company becomes a cesspool of malware, they become a hindrance and a detriment to that economy.  Business over the Internet is not going to stop, but I wonder how much better it could be if even one third of businesses would clean themselves up.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Twitter started out simply an outlet for my way of thinking.  I am a “snippet” thinker.  I am a quipper, if that is a word.  I used to blog a lot, and I felt that I always needed to expand on my thoughts when I blogged.  But I often simply wanted to kick out a thought and just forget about it, or at least save it for later.  Twitter gave me a way to do that without feeling “guilty” for not expounding.  I sometimes get into trouble via Twitter, but that is because I sometimes quip without thinking first.  There are a lot of people doing research on various subjects and products via Twitter, so I have to be careful.

That same dimension of Twitter is what makes it so valuable.  So many people are giving their “two-cent’s worth,” that I can literally come up with ideas on security which would never have naturally occurred to me without the inspiration from some Infosec Twit.  It gives me options to take to clients.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Without a doubt, Chris Hoff (@beaker) is on of the top on my list.  His insights into security continue to astound me.  He is always on the forefront of security ideas, and his spectacular imagination makes his method of dispersal of those ideas entertaining.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.

The Cloud: A Modern-day Jabba the Hut?

As stated above, cloud services make me nervous.  I used to trust that “blob” out there where all my lines seem to terminate in the Visio drawing.  But now that cloud providers want to get all my data floating out there, that trust has diminished quite a bit.  I just don’t see the same enterprise that is buying DLP letting all their data go into this mass that looks more and more like Jabba the Hutt everyday.

Social media is going to grow and grow and grow.  I can’t go a day without hearing about another social network.  I don’t think it is a fad.  But it will continue to cause great security fears for me.  I no longer have a Facebook account, because I just got sucked into it so quickly that I was not guarding my content very well.  Yes, I only allowed certain people to see my page,  but the temptation to let more and more people see it was getting out of control.  That is why it never ceases to amaze me how so many security folks have Facebook pages and are on other social media sites.  I don’t fault them.  if they weigh the risk and deem it appropriate, then more power to ‘em.  But I know my propensities, so I had to stop myself.  If you are an infosec professional, then you have to look very closely to see if those types of sites are good for you [or not].

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?

• I am more and more into local user groups and conferences.  I have attended TRISC here in Texas, and I attend local ISSA meetings.  I am also looking to start up a local Houston NAISG chapter.  That kind of event appeals to me.
• The RSA Conference is something I attend more for the socializing aspect (security bloggers gathering).
• BlackHat/Defcon are a must if you want to rub elbows with the geekier group.

SPoT: Andy Willingham / @andywillingham

Real Name: Andy Willingham
Twitter Handle: @andywillingham
Top 3 Social Media/Networking Sites:
Linkedin, Twitter, Facebook

1. In which area(s) of security are you most involved?
I started out in Network Security but have focused mostly on program development, regulatory compliance, and architecture for the last few years.

2. What security topics will be the most important in the next 18 months? Why?
I think we really need to focus on user education, reclaiming the desktop, social media and “The Cloud”. The first two will give us the biggest bang for our buck, and the last two have to be tamed before they get too far out of hand. They are coming fast and furious, and we can’t stop them, so we’d better learn how to secure them.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
We have got to start involving security in the beginning stages of projects. I can’t tell you how many times I have found out about something in a Change Control meeting when the business was trying to get approval to go live with something. They had been working on it for months, and no one ever said “Hey, I wonder if Security would have any concerns about what we’re doing?”. It only hurts them in the long run, because they end up getting delayed on launch, or if someone with enough clout “insists” that it still go live, they end up spending lots of time and money fixing things that could have been prevented. It looks bad to their customers because of all the down time and bad features.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I’ve spent much of my career in smaller companies with limited tech staff, and there have been lots of times when I needed someone to bounce an idea or question off of, but the only option that I had was an online forum. Not that there is anything wrong with that, but you are taking a chance that 1) someone will know the answer and 2) that person will actually check the forums and see your question, which can often take several days. With Twitter and other social media sites, I’ve got experts in all fields right there willing to help out. It also keeps me informed on up to the minute happenings in security, and it is lots of fun to banter with and trade ideas with others in near real-time.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Michael Santarcangello, The Security Catalyst, @catalyst on Twitter. Santa thinks like no other security pro that I know. He is on to something that has the potential to set the security industry, and by default the companies we protect, on it’s ear. He not only realizes that we need a shift in how we think and how we practice security, but he has a plan and is actively getting the word out.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
First off, as I said earlier, they are here to stay, and we had better do something about it. We can’t just sit back and wait until our company adopts them, and then try to figure out how to secure them. Chances are there are people in your company who are already using them, and you just don’t know about it yet. As security pros, we have to know the issues, concerns, and threats to fix them before they become problems.  My first concern is that [this movement] is happening too fast and the industry is not keeping up. Businesses are adopting them without taking proper measures to ensure that they are being used in a secure manner. As for overstated issues, there are a few, but what makes them overstated is that lots of “experts” are talking about them and complaining about them withoutt offering any real solutions. It’s okay to talk about problems so that others become aware of them, but then you need to either quit talking or start offering something of value.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
Picking a specific three is hard because what you choose (especially if it costs money) needs to be based on what your area of focus is. RSA is a safe bet for most any aspect of security, but beyond that, it gets foggy. If you have the budget, I’d say do something like this: Go to RSA and one conference that is specific to your area of expertise. Then I’d say find local chapters such as NAISG, ISSA, InfraGard, DC 404, etc., and attend their meetings and events. If you can do those three things, then you will be able to build a network that will serve you well in solving problems, answering questions, and finding new positions when the time comes to move on.

SPoT: Jack Daniel / @Jack_Daniel

Welcome to this week’s installment of Security Pros on Twitter. Today’s SP is a very well known security expert, and one who brings an intriguing dose of personality to the table, Jack Daniel. Self-described on Twitter as “Sporadic blogger, Tech Community Activist, InfoSec Curmudgeon, Reluctant CISSP, Amateur Blacksmith, and stuff”, Mr Daniel is truly a man of many “hats.” In addition to serving as the Director of the National Information Security Group (NAISG), Jack shares his musings on Twitter and his blog, Uncommon Sense Security.

Real Name: Jack Daniel
Twitter Handle: @jack_daniel
Top 3 Social Media/Networking Sites:
Twitter, Linkedin, and Facebook as a distant third

1. In which area(s) of security are you most involved?
I live and work in the UTM space, covering all the fundamentals of network security, firewall/content filtering/proxies/VPNs, etc.

2. What security topics will be the most important in the next 18 months? Why?
It kills me to admit it, but “cloud” computing (whatever that means) will be very important.  Not because of the hype, but because, like virtualization, it will let us make old mistakes in new and creative ways while also offering exciting and original ways to get security wrong.

I also think that “antivirus” is of renewed importance.  Microsoft’s venture into free antivirus and the impact that will have on the AV industry, combined with the increasing irrelevance of traditional AV in defending against many modern attacks, means that it is time to step back and challenge what works, what doesn’t, and what to do about it.  We may not have many conversations about this, but we should.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
A failure to grasp and act on the fundamentals.  In network security, this often manifests itself as an unhealthy push for needless complexity, which dramatically increases the likelihood of misconfiguration and failure.  (I’m not blaming anyone, but if I did, I would look toward San Jose, CA)  All the blinky-light boxes in the world will not overcome basic misconfiguration issues.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
My adoption of Twitter was pretty slow, and has grown gradually over time.  It started as a way to stay in touch with friends and has expanded into a powerful (and still wonderfully inane) way to communicate.  I have gotten more out of Twitter than I can list in a short space, from friendships and information to Twitter being the starting point for the Security B-Sides events.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
That’s hard; I follow too many people for too many different reasons to pick one or two.  I’ll cop out and recommend following @SecurityTwits, that is a good way to find out who is saying or asking what, which leads to finding good people to follow.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
The fundamental insecurity of social media is also why people use it.  Platforms designed for openness and sharing of content are perfect for exploitation, but if you lock them down, you lose their value.  User education is the only solution, and that will only reach a limited number of people (and they don’t have to listen).  I have more hope for the security of cloud services in general; I think it will eventually be possible to do an acceptable job of securing the infrastructure, but as with everything else, the client implementation is where I see ongoing insecurity.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
RSA and BlackHat are giant events with many opportunities for socializing and networking.  SOURCE Boston is a much smaller event – you could almost call it intimate – and it really encourages the feel of community.  I’ll cheat and add a fourth – Shmoocon is a great and affordable event.