Friday, March 29, 2013

Hello IT Person, Welcome to the Security Organization

This is a post that is long overdue.   The IT industry went through a revolution and most people in IT missed it and are still missing it. 

If you are in any form of IT related job, you are in the information security field.

You may say, “No, I’m just an IT Project Manager (analyst, whatever), security is another team”.  You are wrong and your career is heading towards a cliff.

It only takes a tiny bit of Googling to realize that everyone is getting hacked.  Even the biggies, RSA, Microsoft, Facebook, Symantec, and Apple aren’t immune. There are too many actors with too many motivations.  If it is connected to the web, there is either money in hacking it, or it can be used as a foothold to hack for money.  If it’s connected to the web, there is probably someone with a social or political agenda that makes it a target and if not, it is a platform for the hacktivists to leverage.  On top of the myriad of highly skilled and motivated attackers, there are thousands of wannabe hackers simply looking for low hanging fruit to test their skills or to get a thrill.  Even if you don’t have a penny to your name, your computing power is a commodity if it can be added to a botnet. Hopefully, you already know that it’s a given that everyone is a target.  If you still need persuading on this point--don’t worry, there are plenty of Wal-Marts that need greeters.  Get your app in early.  (That’s “app” as in “application”, which is a paper form you will fill out with a pen. You won’t need LinkedIn for this.—The Editor)

So, why is security your job?  Every day (week if you are a slacker?) you make decisions that impact security.  It doesn’t matter if you specialize in a niche, like UI or UX; or something broad, like program or project management.  If you are working with data in any way, that data has value to your organization.  There will certainly be negative impact if the data is compromised or corrupted.  Even if you run or maintain a static website in which the content is public and can easily be restored if lost, you don’t want your system to be a foothold into your important systems or take part in a DDoS attack.

Your Role

Backup Operators – Don’t lose the data and don’t lose those unencrypted backup files.  This role should be a no-brainer.  This role has Confidentiality, Integrity, and Availability components.

Systems Administrators – Once again, this is a no-brainer.  SAs have all the access themselves and they configure access to ALL of your data.  Remember, all of your applications sit on a host that an SA “owns”.

DBAs and DBOs – Please, for the love of all that is good, you guys MUST know you have to protect that data. Do you??

Project and Program Managers – I know lumping you guys onto one line will get me all sorts of hate mail.  You guys decide things like what use cases exist, for what users, accessing what data. You decide whether to engage formal security teams for assistance. You decide to cut product or project scope, and everyone knows security is the first to get cut.

Developers – You guys are the worst.  Yeah, I’m saying it. Inventing your own “cryptography”, passwords in log files, backdoors, assuming users will use your apps the way you want them to, and on and on.  Seriously devs, get your acts together.
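The “passwords in log files” point above, as an added example that is not code from the original post: a Python logging filter that scrubs credential values out of every record before a handler writes it, so a developer’s `logger.info("login failed user=%s password=%s", ...)` cannot leak the password into the log. The list of secret field names, the `[REDACTED]` marker, and the sample log events are constructed for this illustration and are not from the post.

```python
import logging
import re
from typing import List

# Field names whose values should never reach a log file. Constructed for this
# example; extend the alternation with your application's own field names.
_SECRET_KEYS = r"(?:password|passwd|pwd|token|api[_-]?key|secret)"

# Three common shapes in which secrets leak into log lines.
_KV_PATTERN = re.compile(rf"(?i)({_SECRET_KEYS})(\s*[=:]\s*)([^\s,;&]+)")   # password=hunter2
_JSON_PATTERN = re.compile(rf'(?i)("{_SECRET_KEYS}"\s*:\s*")([^"]*)(")')    # "password": "hunter2"
_AUTHZ_PATTERN = re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)(\S+)")  # Authorization: Bearer <tok>


def redact(message: str) -> str:
    """Return message with every recognised credential value replaced by [REDACTED]."""
    out = _KV_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)
    out = _JSON_PATTERN.sub(lambda m: f"{m.group(1)}[REDACTED]{m.group(3)}", out)
    out = _AUTHZ_PATTERN.sub(lambda m: f"{m.group(1)}[REDACTED]", out)
    return out


class RedactingFilter(logging.Filter):
    """Filter attached to a handler; rewrites each record's message before emit()."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the %-args into the message first so a secret passed as an
        # argument (not only one embedded in the format string) is caught too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # always emit; we only scrub, never drop


class _ListHandler(logging.Handler):
    """In-memory handler so the scrubbed output can be inspected offline."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


# Constructed sample events of the kind developers typically log by accident.
SAMPLE_EVENTS = [
    ("login failed user=%s password=%s from %s", ("bob", "hunter2", "10.0.0.5")),
    ('request body: {"user": "bob", "api_key": "AKIAEXAMPLE123"}', ()),
    ("upstream call headers: Authorization: Bearer eyJhbGciOi.example.sig", ()),
    ("backup completed to /var/backups/db.sql.gz", ()),
]


def demo() -> List[str]:
    """Log the sample events through a redacting handler and return what was written."""
    logger = logging.getLogger("redact-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # handler-level filter: every record through this handler is scrubbed
    logger.addHandler(handler)
    for msg, args in SAMPLE_EVENTS:
        logger.info(msg, *args)
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Attaching the filter to the handler rather than the logger means records arriving from child loggers are scrubbed too; a filter on a `Logger` is only consulted for records created on that logger, which is exactly the gap that lets a library’s debug logging leak a token.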

Network Engineers – I think this is the only role that most folks actually think of as a security role.  In fact, this role is the least interesting in terms of security roles. Read those manuals and change those default passwords.  And stop using self-signed certs.  Can you really not remember how a MITM attack works long enough to say to a manager: “Wait, we need a real cert on that appliance admin portal page”?  You know what, if you can’t explain to a manager what a MITM attack is and why your choice of cert matters, you’re part of the problem.

Your day to day job may be focused on something else, but it is only a matter of time until IT folks start getting fired for massively bad security lapses.  If it is on the OWASP Top 10 or the SANS Top 25 and you don’t know a bit about it, you may want to pick up that Wal-Mart job app.  No one is asking you to figure everything out about security, but you need to at least understand some basics and keep your eyes out.  If you do run a system, you’d better become a security expert in the context of that system.
