Friday, November 14, 2008

Internet thieves make big money stealing corporate info

Sometimes I'm asked what keeps me up at night as an IT security professional... my answer is almost always "what I don't know." After I allow the confused look on their faces to pass, I explain that in the realm of security we put very elaborate and expensive controls in place and then hope they never really get used. More quizzical looks ensue (you can probably tell I have fun with this) before I begin explaining myself.

Antivirus, NIDPS, WAF, NAC, DLP, IP firewalls, web proxies, etc. are all great controls; they protect against most known and some unknown attack vectors, and for the most part they work. What scares me and keeps me up at night are the -1 day attacks (less than zero day) that will pass by all of those controls. This story in USA Today got me thinking about how easy it is for determined attackers to slip right by all my controls and begin pumping data out of my network. From the article:
The virus swiftly located — and infected — some 300 other workstation PCs, silently copying the contents of each computer's MyDocuments folder. It transmitted the data across the Internet to a gang of thieves operating out of Turkey.
They infected system zero by posting an innocent-looking link on a trusted employee-only message board. Reading articles and hearing horror stories from colleagues about the threats they didn't know about until after the damage was done is what keeps me up at night. The stuff I know about? I have lots of toys for that stuff. :)


Tuesday, November 11, 2008

SANS lists the "coolest" infosec jobs

I caught this article over at Government Computer News that reported on a SANS Institute survey of the "coolest" information security jobs. Although the article is about the coolest ten public sector information security jobs it does also list the top ten coolest private sector infosec jobs.

Without further ado, for your reading pleasure, the ten coolest private sector infosec jobs:
1. (tie) System, Network, and/or Web penetration tester
1. (tie) Information security crime investigator/forensics expert
3. Forensics analyst
4. Vulnerability researcher
5. Application penetration tester
6. Security architect
7. CISO/ISO or director of security
8. (tie) Incident response, incident handler
8. (tie) Sworn law enforcement officer specializing in information security crime
10. Security evangelist
Since I didn't participate in the survey, and you didn't ask, I thought I'd give you my top ten coolest infosec jobs:
1. Security architect
2. Penetration tester (I don't differentiate between applications, networks, and systems)
3. (tie) Security analyst
3. (tie) Security evangelist
5. CISO or director of security
6. (tie) Vulnerability researcher
6. (tie) Forensic expert
8. Network security engineer
9. Vulnerability assessment analyst
10. Security auditor
As you can tell, I am at the crossroads between management and technology. It is my opinion that technical security controls without enterprise architecture and governance are a really good way to throw good money after bad... a topic that I will be revisiting in a post in the near future.

Monday, November 10, 2008

PING?

PONG!
I've been gone for a little while... over two months to be exact. To say that I have been incredibly busy and distracted over the past two months would be an understatement. I've been busy with my HOA duties, building a nursery, and a work schedule that had me busy from dawn to dusk and completely wiped out by the time I would normally start writing. I have had to mark about 2,500 emails as read (sorry if your email got caught in the wash) and have pretty much disappeared from my digital life.

I am going to attempt to dip my toe back into the tidal pool of infosec blogging (and the rest of my digital life) over the next few weeks. The past two months have placed me elbow-deep in project management, enterprise architecture and strategy, as well as the day-to-day tactical obligations of my job. I will try to start writing some original posts regarding my thoughts and lessons learned in the areas of enterprise security architecture, security project management, budgeting for security, and the difficulty of designing NAC and DLP solutions in an enormous and diverse environment... but for now I will say "welcome back" to myself, and I look forward to writing again.