For those of you who did make it to the show, I concluded the video by showing where you can go to find Anue Systems in Booth #329. If you are planning to be here today or tomorrow, please stop by and introduce yourself to me or one of my esteemed colleagues.

With that said, enjoy our video:

SPoT: Andy Willingham / @andywillingham

Real Name: Andy Willingham
Twitter Handle: @andywillingham
Top 3 Social Media/Networking Sites:
Linkedin, Twitter, Facebook

1. In which area(s) of security are you most involved?
I started out in Network Security but have focused mostly on program development, regulatory compliance, and architecture for the last few years.

2. What security topics will be the most important in the next 18 months? Why?
I think we really need to focus on user education, reclaiming the desktop, social media and “The Cloud”. The first two will give us the biggest bang for our buck, and the last two have to be tamed before they get too far out of hand. They are coming fast and furious, and we can’t stop them, so we’d better learn how to secure them.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
We have got to start involving security in the beginning stages of projects. I can’t tell you how many times I have found out about something in a Change Control meeting when the business was trying to get approval to go live with something. They had been working on it for months, and no one ever said “Hey, I wonder if Security would have any concerns about what we’re doing?”. It only hurts them in the long run, because they end up getting delayed on launch, or if someone with enough clout “insists” that it still go live, they end up spending lots of time and money fixing things that could have been prevented. It looks bad to their customers because of all the down time and bad features.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I’ve spent much of my career in smaller companies with limited tech staff, and there have been lots of times when I needed someone to bounce an idea or question off of, but the only option that I had was an online forum. Not that there is anything wrong with that, but you are taking a chance that 1) someone will know the answer and 2) that person will actually check the forums and see your question, which can often take several days. With Twitter and other social media sites, I’ve got experts in all fields right there willing to help out. It also keeps me informed on up to the minute happenings in security, and it is lots of fun to banter with and trade ideas with others in near real-time.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Michael Santarcangello, The Security Catalyst, @catalyst on Twitter. Santa thinks like no other security pro that I know. He is on to something that has the potential to set the security industry, and by default the companies we protect, on it’s ear. He not only realizes that we need a shift in how we think and how we practice security, but he has a plan and is actively getting the word out.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
First off, as I said earlier, they are here to stay, and we had better do something about it. We can’t just sit back and wait until our company adopts them, and then try to figure out how to secure them. Chances are there are people in your company who are already using them, and you just don’t know about it yet. As security pros, we have to know the issues, concerns, and threats to fix them before they become problems.  My first concern is that [this movement] is happening too fast and the industry is not keeping up. Businesses are adopting them without taking proper measures to ensure that they are being used in a secure manner. As for overstated issues, there are a few, but what makes them overstated is that lots of “experts” are talking about them and complaining about them withoutt offering any real solutions. It’s okay to talk about problems so that others become aware of them, but then you need to either quit talking or start offering something of value.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
Picking a specific three is hard because what you choose (especially if it costs money) needs to be based on what your area of focus is. RSA is a safe bet for most any aspect of security, but beyond that, it gets foggy. If you have the budget, I’d say do something like this: Go to RSA and one conference that is specific to your area of expertise. Then I’d say find local chapters such as NAISG, ISSA, InfraGard, DC 404, etc., and attend their meetings and events. If you can do those three things, then you will be able to build a network that will serve you well in solving problems, answering questions, and finding new positions when the time comes to move on.

SPoT: Jack Daniel / @Jack_Daniel

Welcome to this week’s installment of Security Pros on Twitter. Today’s SP is a very well known security expert, and one who brings an intriguing dose of personality to the table, Jack Daniel. Self-described on Twitter as “Sporadic blogger, Tech Community Activist, InfoSec Curmudgeon, Reluctant CISSP, Amateur Blacksmith, and stuff”, Mr Daniel is truly a man of many “hats.” In addition to serving as the Director of the National Information Security Group (NAISG), Jack shares his musings on Twitter and his blog, Uncommon Sense Security.

Real Name: Jack Daniel
Twitter Handle: @jack_daniel
Top 3 Social Media/Networking Sites:
Twitter, Linkedin, and Facebook as a distant third

1. In which area(s) of security are you most involved?
I live and work in the UTM space, covering all the fundamentals of network security, firewall/content filtering/proxies/VPNs, etc.

2. What security topics will be the most important in the next 18 months? Why?
It kills me to admit it, but “cloud” computing (whatever that means) will be very important.  Not because of the hype, but because, like virtualization, it will let us make old mistakes in new and creative ways while also offering exciting and original ways to get security wrong.

I also think that “antivirus” is of renewed importance.  Microsoft’s venture into free antivirus and the impact that will have on the AV industry, combined with the increasing irrelevance of traditional AV in defending against many modern attacks, means that it is time to step back and challenge what works, what doesn’t, and what to do about it.  We may not have many conversations about this, but we should.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
A failure to grasp and act on the fundamentals.  In network security, this often manifests itself as an unhealthy push for needless complexity, which dramatically increases the likelihood of misconfiguration and failure.  (I’m not blaming anyone, but if I did, I would look toward San Jose, CA)  All the blinky-light boxes in the world will not overcome basic misconfiguration issues.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
My adoption of Twitter was pretty slow, and has grown gradually over time.  It started as a way to stay in touch with friends and has expanded into a powerful (and still wonderfully inane) way to communicate.  I have gotten more out of Twitter than I can list in a short space, from friendships and information to Twitter being the starting point for the Security B-Sides events.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
That’s hard; I follow too many people for too many different reasons to pick one or two.  I’ll cop out and recommend following @SecurityTwits, that is a good way to find out who is saying or asking what, which leads to finding good people to follow.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
The fundamental insecurity of social media is also why people use it.  Platforms designed for openness and sharing of content are perfect for exploitation, but if you lock them down, you lose their value.  User education is the only solution, and that will only reach a limited number of people (and they don’t have to listen).  I have more hope for the security of cloud services in general; I think it will eventually be possible to do an acceptable job of securing the infrastructure, but as with everything else, the client implementation is where I see ongoing insecurity.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
RSA and BlackHat are giant events with many opportunities for socializing and networking.  SOURCE Boston is a much smaller event – you could almost call it intimate – and it really encourages the feel of community.  I’ll cheat and add a fourth – Shmoocon is a great and affordable event.

SPoT: Justin Foster (@justin_foster)

As the second installment of our SPoT series, The Network View turns our attention to another Canadian Security Pro, Justin Foster (@justin_foster). Mr. Foster is employed by Trend Micro during working hours, and he also maintains his own independent blog, Developing Security. Go check out his Top 10 signs you are a Security Twit post from June 2009 for a quick chuckle. On that note…

Real Name: Justin Foster
Twitter Handle: @justin_foster
Top 3 Social Media/Networking Sites:
Twitter / LinkedIn / Security Bloggers Network

1. In which area(s) of security are you most involved?
I’m an Architect for Trend Micro focusing on IDS/IPS, Firewall, Integrity Monitoring, and Log Inspection. At work, I generally concentrate on network and endpoint security management. Personally, I’m interested in a wide spectrum of information security disciplines.

2. What security topics will be the most important in the next 18 months? Why?
Over the next 18 months, we will see the promises made in virtualized security become reality. Third party vSwitches and VMsafe-based appliances have the potential to dramatically change how compensating controls are deployed and what security vendors will be capable of. I also believe Security as a Service will introduce new products and product architectures.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
I think perimeter security is becoming increasingly irrelevant. We all know the perimeter is porous and the demands of mobile and Cloud computing require security applied much closer to the endpoint. What we sometimes fail to understand is how important it is to take advantage of that proximity and tailor the security policy to each individual endpoint.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I initially joined Twitter to keep pace with the news from the security community, but I quickly found it has so many uses. With Twitter I have had engaging open-ended debates, aided my research efforts, discovered new topics I wouldn’t have even known to look for, and found a wealth of security blogs to read. I use ongoing searches in TweetDeck to stay tuned to specific security and development topics; a technique that has paid off by saving me substantial time more than once.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
Two people I would highly recommend are @andrewsmhay and @falconsview. Both live and breathe security and can always be counted on for a considered opinion or lively debate. Each is a prolific blogger and author, and it doesn’t hurt that they are both good people in real life as well.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
Fundamentally, securing a highly interactive web application like Facebook or Twitter is extremely challenging. While we have seen significant exploitation of weaknesses in these applications, the fact that they are centrally deployed has resulted in extremely rapid remediation of the issues (sometimes within hours). Compare that to traditional software, and the benefits and drawbacks tend to balance out. When it comes to leakage of personal information, we all have to remember that anything we put into the Cloud is ultimately out of our control.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
For sure RSA and BlackHat/DEFCON top the list, but it’s important to network with other security-minded people in your local community as well. Twitter is a great tool to carry on the conversation long after the convention or meeting has passed.

SPoT: James Arlen (@myrcurial)

Beginning this week, we are kicking off our new SPoT (Security Pros on Twitter) series, profiling security professionals who are present and active on Twitter. We will profile one SP each week through the rest of the summer.

Since Anue Systems  (@AnueSystems) first joined in on the Twitter fun, we have followed and interacted with a variety of folks, and these are the thought leaders who we’d turn to first with a specific, hands-on question regarding security of the internal network, the cloud, or even virtualized environments.

Without further ado, let’s get to it…

Real Name: James Arlen
Twitter Handle: @myrcurial
Top 3 Social Media/Networking Sites:
Twitter / LinkedIn / Liquidmatrix Security Digest!

1. In which area(s) of security are you most involved?
I used to be technical/tactical – IT Security. These days, I’m spending most of my time working on Organizational Security and Risk Management.

2. What security topics will be the most important in the next 18 months? Why?
Of key importance (of course) is going to be the increasingly porous “perimeter” which will surpass database flaws as the primary source of data breaches. Unfortunately, the vendors are not on our side and are not going to help solve the problem. It needs to be fixed at the employee/user level through increased awareness of the problem and active cooperation on solutions.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
The thing that is the hardest to explain is that the presence of a firewall isn’t going to save you (the business user) from your own foolish actions – the best preventative technological controls available can be bypassed by (a) 14 year old kids and (b) users doing what they feel is the best thing at the time. [Once more for effect] A firewall won’t save you from sending your customer list to 100 sales people and 1 ex-sales person’s Hotmail account.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
The primary reason that I became active on Twitter is to have access to a peer group. The Canadian security space is fairly compact, and sometimes, having an international opinion is a great thing. And of course, [I'm there for] the fooling about and goofing off – Twitter is an outlet for stress as much as it is an inlet for knowledge.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
Wow – it’s #FollowFriday! If you’re focused on Network Security, you should really be following @jack_daniel and @jjx. He’s a curmudgeon who generally cuts to the core of the issue FAST. She’s about as unlikely a security expert as you can imagine – short, blonde, southern accent – but if you’re mature enough to value people for their skill rather than the package, she’ll teach you a thing or two that you never expected. [The Network View has engaged with both of these security experts for inclusion in SPoT series as well.]

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
Security – for social media? I’m pretty sure there isn’t much of that. My simplest response is that you shouldn’t depend on social media to provide you with any security – if you’re not comfortable putting it on a postcard or wearing it on a t-shirt, you shouldn’t be posting it to a social media site. With regard to cloud security – ask @Beaker, I get all of my opinions from him.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
The number one thing is to remember that for any event – from a local SIG all the way up to Blackhat or RSA - the most important thing to do is cruise the “Hallway Track”, get involved in conversations, and have an opinion. If you were coming to me and asking me where to spend your money – considering value for dollar – DEFCON, Shmoocon/SourceBoston/SecTor, and your local SIG. The big names (RSA and Blackhat) are awesome, but unless someone is covering the tab, they’re crazy expensive and you can get the same content at the second tier conferences for less money with better access to the speakers.

This week, let’s move back from lists of monitoring tools to Security-focused blogs. Today we’ll cover another very useful and insightful security resource named (coincidentally enough):

Network Security Blog

Network Security Blog Screenshot

The Network Security Blog dubs itself “The views of one man on security, privacy and anything else that catches his attention.”

The “one man” in here is Martin McKeay, who is a Senior Consultant focusing on PCI assesssments for TrustWave. Again, in his own words, “I took up blogging as a means to extend my knowledge and test my ideas about security by putting them up for peer review.” That objective is true to the very idea of blogging, and this particular resource has been available since 2003, so we thought we’d dig into it in detail to see what value you might derive from it for your own use.

With a professional focus on PCI, you’d initially guess that Mr. McKeay blogs primarily on security of payments, but that would be short-sighted. One nice feature that this blog incorporates is a lefthand navigation listing of topic categories, full with counts of the number of blog entries you can find in each category. And surprisingly, PCI is the tenth most popular category listed, following General (349 entries), Podcast (263), Hacking (223), Security Advisories (147), Blogging (132), Government (124), Simple Security (123), Privacy (92), and Site Configuration (88). [all numbers current as of February 24, 2009.] Obviously, those categories are not mutually exclusive, but still, his materials are fairly well-rounded with security topics.

Although he covers the following less frequently, his list of categories is also peppered with things such as Encryption, Firewall, Risk, Social Networking, Microsoft, Linux, IDS, and Phishing/Scams/etc.

However, key topics aside, what jumped out at me during my review of the blog is the fact that Martin is firmly entrenched in the world of Security. He works with several other bloggers and thought leaders on a weekly podcast, links to a nice list of blogs that I intend to dig into in the coming days, and actively participates in Security Blogging events (e.g. Security Bloggers meetup at the upcoming RSA Conference 2009).

What all of this tells me is that he is truly in tune with the needs, frustrations, and successes that are currently of importance in this space. And that’s the sort of guy you want to exchange ideas with, so we recommend you take a look around the site, post some comments, and generally enjoy his work. While you are there, tell him we sent you!

You can also find Martin on Twitter: @mckeay. While you are at it, why don’t you go ahead and follow @AnueSystems too?