Monday 26 November 2012

high-rolling hot shot executive (m/f) wanted - a perspective

Ok, no, I'm not looking to hire someone. This blog post was triggered by a question @hackerhuntress asked earlier today:

"if you're passed over for a job, do you mind being notified via voicemail or email?"

My answer is plain and simple : "neither, call them!"

My opinion on this one is very strong and for several (I think) very good reasons. Allow me to explain :

You are the hiring manager. You're the person the new hire will report to. You're probably also the one who will lean back, balancing your chair and sipping from your nice glass of Shiraz while you say, I quote, "I'm the one that hires and fires." (blank stare goes here).

By delegating the delivery of bad news to a direct report or, worse, someone in HR, you have shown that you are only willing to be responsible for your hiring decisions and not your firing decisions. At the same time you have passed on the chance to take ownership of this decision. You have reduced your candidates to resumes that you pick from rather than the actual humans who will bring value to your team. By not committing to stand behind your choice, you actually do yourself, your team and your organisation a disservice.

Now, I do understand you are a busy person so the first argument I will hear when discussing the practice is "I don't have the time to call everyone". I call bullshit.

If you're THAT busy you will have your hiring process geared to your agenda. You will be choosing from 2 to 5 candidates that you will have personally seen. Calling those who didn't make it will take less than a minute each. The chance that they are willing to strike up a lengthy conversation is zero. Even though they won't realize it, they will appreciate this gesture in the long run. To the extent that, if a similar position opens up, they may even be enthusiastic enough to consider working for you after all.

In the end you're looking at less than 10 minutes of your time to call ALL candidates (including the one you do choose to hire).

Note that I've been on both the dealing and the receiving end of this practice. I know that it's not easy to tell someone they're not hired. I also know there is no good way to receive that information, especially if you've thrown yourself passionately at a job opportunity. It fucking hurts.

As a manager, telling someone they're not hired is peanuts. You just gather yourself and tell it. Look at it this way : at least it prepares you for the really hard decisions. If you can't even tell someone they're not hired, how are you ever going to handle firing someone?

Now grow some cojones and stand behind your decisions. That or don't call yourself a leader while I'm near you ;-)

Saturday 27 October 2012

Hire great infosec people (and keep them) !

Earlier this week I had an interesting exchange with several people on Twitter after a statement Mary Ann Davidson (Oracle CSO) gave at the (apparently awesome) ISSA Conference. It was paraphrased by George Hulme:

"entry level people have to work to convince orgs they are worth giving a break for a position."
Roughly translated this would mean that if you are planning on joining an organisation to make a living from the skills you have built in college, university and/or through diligent self-study, you shouldn't expect any favors (or even a wage?) from that organisation. They will evaluate you against their set of values to see if you're 'a match' and, maybe, then you could expect to be respected and could look forward to making progress.

The problems I see here are legion. I'll try to address the most important ones as I see them and specifically for information security profiles.


  1. I admit that there is a certain professional etiquette but I'm also convinced that this is covered by a decent upbringing provided by parents. You don't want a potty-mouth cursing at your users through the telephone and you want somebody that behaves normally. A smart person knows when he has to dress up and when he can wear a t-shirt. I think we're way past the era where 3 piece suits were mandatory uniform. Dreadlocks or long hair? Facial hair? tattoos? If you still care about that, don't expect to find the creative, intelligent, driven individuals you are looking for. If you open your mind, your ass will follow. (thanks En Vogue...)
  2. You will indeed need to 'test' people beyond your initial HR filter, way after you hired them, if you are convinced that a conventional hiring process still works. 'Way back when', job ads were used because normal ads were way more expensive and all that we wanted was to have our brand in the papers. Now that Google Ads is even cheaper than job ads, what is the use for them? Imagine that you are fishing at sea: you can throw in a line to catch a random fish that you may or may not be able to eat. Another choice is to tune your lines, depth and bait to the particular species you want to serve your friends tonight. Job ads are your average bait, luring in ALL THE PEOPLE and thus requiring a very coarse filter to keep the edible ones. For infosec, you want very specific people so you're going to have to adapt your hiring process. In short I would advise to get 'out there'. Visit (local) conferences, hackerspaces, Linux user group meetups, DEFCON chapter meetups, ISSA|ISC2|OWASP meetings, etc. etc. etc. You'll get to meet the exact kind of people you are looking for and you didn't even need your HR person to filter resumes by degree or certificate letter soup. You are winning! Throw in a CTF (Capture The Flag) style skills assessment, maybe sprinkled with business-specific challenges, and I don't doubt you'll fill the empty spots on your team.
  3. "People have to prove themselves..." Lord please .... The exact people that you are looking for (driven, intelligent, skillful, ...) already have proven themselves and they probably have a job that is paying their bread and butter. Assuming we're still stuck in 'classic' hiring practices the solution would be to throw more money at them. You'd be in for an interesting experience :-) I would call it the axiom of infosec hiring :

    "For each org acquiring or retaining talent solely by pay raises, there's at least two orgs with more money to spend."

    The people you need obviously expect to make a decent living. They have spent hours and hours honing their skills and while, in many cases, their professional activities overlap with their hobbies, they are not to be exploited. From personal experience however I can tell you that money is rarely the primary motivator. These individuals are to be challenged and to some extent allowed to roam free. It can be as easy as organizing regular internal hackathons focused on business problems, but don't expect them to get tied to a chair performing repetitive tasks. Depending on the market circumstances it will take between 3 and 24 months before you've lost them.
I was actually not going to spend the time on writing down my opinion on the whole 'finding the right people' discussion were it not for Rafal Los coming out with another article on the subject. The article is kind of all over the place and most of it could be answered with what I've written here, but I want to specifically counter some of the four recommendations that he offers.

  • Partner with a good recruiting agency that can weed out the talent from the talent.(sic)
    • WRONG! Get out there yourself. Get a mandate from HR to play a more active role in the hiring process. Send out your team members to cons and local meets. They will learn at the same time as they are meeting their future colleagues. That's full of win. Recruiting agencies are awesome for finding people to 'fill' your organisation; your 'foundation' type of people you generally don't find through recruiting agencies.
  • Offload as much of the non-business critical work to a partner organization allowing you to keep your business-smart security folks for critical LOB tasks.
    • WRONG! Note that I'm not saying not to outsource stuff that's not critical. But there is some gross negligence in this recommendation. Firstly, outsourcing initially means an increased workload for your internal people. Processes that are currently 'informal' need to be fleshed out and formalized. What your internal people take for granted isn't so obvious for the third party. As your organization evolves, outsourcing may even be more high-maintenance than insourcing. I would never recommend it as a blanket solution. Secondly, this recommendation is made specifically to focus your business-savvy security folks on critical LOB tasks. The problem is that while performing LOB tasks they will need data to support the points they're making to the business. By outsourcing (for instance) SIEM and IDS, perimeter device management, IAM management, etc. etc. you are further removed from the data you actually need, and especially the business context melts away at a rapid pace (getting locked in PDFs containing service reports and such). Remember that the primary concern of that third party is their business, not yours.
  • Offer incentives to keep people in working for you
    • If incentives are considered to be solely of the monetary kind, please consider what I've written under point 3.
  • Train existing human resources as you may already have the 'right' people working for you in roles where they're under-utilized.
    • I would add some perspective here. Training everybody just because the right person might surface internally for your team is a giant waste of money. You are looking for people with a very specific skillset that you could 'test' for. One could, as an example, run Incident Response exercises involving staff from different departments. Apart from just looking at how well your processes work, keep an eye out for individuals that perform extremely well. Those are the raw gems you want to polish through training and mentoring, not *everybody*.
I think I could write a book about infosec hiring but I don't think there is a big market for it and I don't seem to have a problem finding the right people for the job myself ;-) For some of you it could sound like I'm talking from my butthole and I accept your criticism, YMMV ;-)

***UPDATE***
A reader anonymously sent me the following message :
"I turned down an offer that was twice the offer I took because I felt I was more understood as an auto-didact at the organisation of which I accepted the offer."
Money matters but only up to a certain degree. If a person can eat, sleep under a fixed roof and maintain his drinking habit (j/k) other things start to count. Be very much aware of that.

Wednesday 29 August 2012

so ... you want to support an (ISC)2 board petitioner?

Hiya ... now that election season at (ISC)2 has started again, some of you may ask the very valid question "I voted for this Belgian guy and I didn't see much happening ... why should I vote for this or that new petitioner. It won't make a difference anyway."

While I do understand that the members that supported me in my successful bid for a board petition deserve at least a status report, I'm caught between a rock and a hard place here. As a board member you do sign an NDA (Non Disclosure Agreement) that doesn't allow you to specifically discuss board matters outside the board room. With 13 different people on the board, trust is a basic component to get things done. I can personally subscribe to this NDA and that's why I signed it. It's very similar to maintaining a relationship with my customers. If we don't have that basic sense of confidentiality, we won't get much done.

First off, I'm one person among thirteen. Anybody that has googled the term "representative democracy" understands that in such a system, which (ISC)2 clearly is, a single person cannot make a change. Assuming that the current composition of the board represents the membership, there is always at least a majority required to make a decision. That means that if I would submit a motion (read Robert's Rules of Order if you want the details on how making a decision actually works ...) I will need to convince at least 6 others to support that motion (depending on what kind of motion it is and when it is submitted, it can require a two-thirds majority and sometimes even a unanimous vote).

So, what did I do in the past year?  

While I've been a member for quite some time, I (like most of you) didn't get closer to the organisation than submitting AMFs and CPEs before I decided to run a petition. My first task (as I interpreted it) was to learn to understand the organisation. There is a clear difference between a board (member) and management. As a board member I am not responsible for running the organisation. The board (representing the members) owns the certifications and sets out the strategy for the organisation. Management is responsible for executing that strategy. I built relationships with my fellow board members, members of the management team and members of staff. This included learning from board members with more seniority than me, spending time with members of the management team to understand their challenges and listening to members of staff to learn how they interact with you, the members.

So, now that I 'understand' the organisation, I can start functioning as a board member, right? Not really :-) A board votes on issues presented to it. Issues are presented as motions by ... committees. In short, committees are where most of the work is done. There are standing committees and ad hoc committees. As a board member you can volunteer to be part of a committee. I personally volunteered for the nominations committee and the ethics committee as I understood both were important to execute on the platform I presented in my petition. I later joined the strategy committee and the foundation committee.

Now, here comes the tricky part. I don't see myself as a critical cog in any system. I may have my low self-esteem to blame for that but you see, everything will work perfectly without me. I'm not one to toot my own horn and take credit for anything that a system I'm part of has achieved. Another part is that whatever decision was made, it's not my task to implement and/or communicate it.

Based on my involvement in the committees mentioned above, I think we have developed a well-balanced slate for this year's elections, I stand behind every decision the ethics committee has made in cases presented to it, I'm happy with the new strategy we have developed (and that's in the process of being implemented, remember not by the board but by management) and I totally love the (ISC)2 Foundation and the difference it will make. In that regard I feel I made a difference in my first year, but I'm also conscious that this is not my work alone.

If today I'm writing this blog post, it is to support all members that have decided to run a petition to be included in the ballot for this year's elections. Every member has a right to do this and if the member wants to make a difference, what holds them back? I think, if you are a member and one of the petitioners represents your thoughts with his or her platform, this person deserves your vote regardless of what you think of me or any other board member.

Again : this is MY story and doesn't represent the view of the board as a whole, any other board member or (ISC)2 as an organisation.

I would love to name the people within or outside the organisation that I've worked with to make change happen. This has included people with personal questions, organisational questions (e.g. how can non-profit orgs automatically submit CPE's for attendees?) and building bridges across different parts of our industry and organisations. Those people know who they are and what little or big difference my efforts have made. I'm not one to claim victory but I am one that won't stay in a role where I believe I can't make a difference. If I'm no longer a board member at (ISC)2 it will be because either my term has ended or because I have decided that my presence does not yield value for the membership anymore.


Monday 30 July 2012

Job offers from hell

Everybody gets them once in a while : job offers that make you cringe.

While processing my personal inbox this evening, I ran into this little gem :


Hi Wim

A global IT service provider are recruiting for a senior project manager who has experience around IT Security / Network Infrastructure project delivery, $location based role. Permanent. Very strong package

Do you happen to have Prince2 or PMP?

Are you open to exploring new opportunities?

Now, I'm not necessarily looking and normally I hit delete on these kinds of messages with the quickness, but something set me off on this one so I graced the sender with a nice response:


Hi (redacted),
you said :
"Do you happen to have Prince2 or PMP"
I'm having a tough time taking this question seriously. You are looking for a senior project manager and immediately equate that level to the possession of a specific certificate that proves nothing but the fact that a person was able to pass an exam. I've seen my share of Prince2 and PMP certified 'senior' project managers trying to lead IT Security projects and will vehemently disagree with any assertion that the cert would've helped them to succeed in the projects they were involved in. On the contrary, understanding (information security) risk, advanced people skills and technical prowess set apart the men from the boys (or the women from the girls). I would never ever consider a job offer from an organisation that isn't even remotely in touch with reality (understanding you're the middle man here, don't hesitate to forward this email to your client as a matter of education).
Cheers,
Wim

Wednesday 6 June 2012

The sense or nonsense of changing your password

By now everybody has caught on to the (presumed) LinkedIn breach, except the people at LinkedIn themselves, but they're probably digging through their treasure trove of social big data in the cloud. However, the most-heard comment today must've come from several people saying that it doesn't make sense to change your password because the attackers could just get it again. While not an invalid point, I believe it's the worst advice to give.

There are three main components to this attack:
1. finding the vulnerability that enables the attacker to extract the data
2. extracting the data
3. cracking the password

Assuming your password was cracked, the attacker has successfully performed all three steps. If you change your password now, the attacker will have to perform step 2 and step 3 again. Given that this was a wake-up call for you, you probably chose a much more complex password, thus making step 3 much, much harder for the attacker. Even though the vulnerability was not fixed (yet), changing your password does make you safer.
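To make the three steps concrete, here is an added Python model (not from the original post) that runs them against a constructed credential table. It assumes unsalted SHA-1 hashes, as was widely reported for the LinkedIn dump, made-up users and a tiny stand-in wordlist, and shows that a password change leaves the attacker's old dump stale and forces steps 2 and 3 to be redone:

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the weak storage scheme assumed for the leaked table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_user_table() -> dict:
    """Constructed sample site database: username -> password hash."""
    return {
        "alice": sha1_hex("linkedin123"),   # weak, present in the wordlist
        "bob": sha1_hex("Vq7!pLm2#xR9wE"),  # strong, absent from the wordlist
    }


# Constructed stand-in for an attacker's guessing wordlist.
WORDLIST = ["password", "123456", "qwerty", "linkedin", "linkedin123"]


def extract_dump(table: dict) -> dict:
    """Step 2: the attacker copies the hash table as it is at this moment."""
    return dict(table)


def crack_dump(dump: dict, wordlist: list) -> dict:
    """Step 3: offline guessing. Without salts, one lookup table serves every user."""
    lookup = {sha1_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def verify(table: dict, user: str, password: str) -> bool:
    """Site-side login check against the live table."""
    return table.get(user) == sha1_hex(password)


def change_password(table: dict, user: str, new_password: str) -> None:
    table[user] = sha1_hex(new_password)


def breach_scenario() -> dict:
    table = make_user_table()
    cracked = crack_dump(extract_dump(table), WORDLIST)
    guess = cracked.get("alice", "")
    works_before = verify(table, "alice", guess)
    # Alice treats the breach as a wake-up call and picks a long, non-dictionary passphrase.
    change_password(table, "alice", "correct-horse-was-too-obvious-42")
    works_after = verify(table, "alice", guess)
    # The attacker must redo step 2 (fresh dump) and step 3 (fresh cracking run);
    # the same wordlist now yields nothing, even though the site is still unpatched.
    recracked = crack_dump(extract_dump(table), WORDLIST)
    return {
        "cracked_from_old_dump": cracked,
        "old_password_logs_in_before_change": works_before,
        "old_password_logs_in_after_change": works_after,
        "cracked_from_new_dump": recracked,
    }


if __name__ == "__main__":
    for key, value in breach_scenario().items():
        print(f"{key}: {value}")
```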

A good analogy would be your seatbelt (I know it's old but it works ...). After a minor crash, you may finally make a habit of wearing your seatbelt. There is obviously still a (big) chance that you'd die in a major crash but it will be much less likely.

Update:
Someone remarked that, if the attacker still has access to LinkedIn, steps 1 and 2 become unnecessary. Especially if the attacker has access to the plaintext stage of chpass. Obviously, we don't know how they got owned so any theory goes. I'm placing my bet on SQLi but in case it is worse than that, I might go back to my rolodex :-)

Rock on,
/W

Monday 4 June 2012

a few honest questions about Flame ... answer 'em

While I invited some of the most vocal people on the issue of #flame to our humble podcast tonight, nobody actually stepped up to the opportunity to openly discuss the issue. Too bad, so I'll put out the random questions that are floating around my head right now that I can't find a good answer to.  If you have additional questions, I'm happy to add them to the list.

1) Microsoft, WHAT THE F- HAPPENED THERE ??? You're practically the only vendor that I've read sensible documentation on how to build a reasonably secure PKI infra from and now you come telling me that FOR ALL THESE YEARS any customer with a Terminal Services License was able to sign code, create MITM certs, etc.? If this actually was malware created by a "western intelligence agency" (see question 6 ;-)) you were pretty much thrown under the bus at terminal velocity.  Here's a *hug*

2) Infosec community, WHAT THE F- HAPPENED THERE ??? We're there when Google updates the certs blocked by Chrome to cry wolf on a forged gmail.com cert because that kills people but we succeed in missing a flaw that should be blatantly obvious in a product of a vendor that is probably the most scrutinized in the world?  (obviously, part of that blame is mine. I'm ashamed for the lot of us.)

3) AV companies, WHAT THE F- HAPPENED THERE ??? So yeah, samples dating back to 2010 (unsigned, I've learned by now) didn't trigger any of the automated triage systems you employ. If we had triage systems like that in disaster situations ... WE WOULDN'T NEED TO BE LOOKING FOR SURVIVORS !

4) AV companies, WHAT THE F- HAPPENED THERE ??? Everybody's pushing out Flame-related content front, left and center but it doesn't even sound like you're all speaking the same language. Is there actually any communication between you guys? Or is it each to their own and everybody trying to outrun each other?

5) AV companies, WHAT THE F- HAPPENED THERE ???  So, Kaspersky got some major DNS providers to work with them and sinkhole domains identified to be related to the Flame malware.  So, are you guys aware of those actions? Do you guys tip each other off? Wouldn't it make sense TO DO THIS TOGETHER? WTH are y'all spending resources on analyzing that piece of malware and one of you is jokingly redirecting all C&C traffic to their own servers.  Seriously, last time I checked you needed a court order or you needed to be the US government to sinkhole domains.

6) US gov, Israel, WHAT THE F- HAPPENED THERE ??? Nope, I don't believe you guys are actually behind this one.  You're scratching your head in disbelief and are actually happy that people are attributing you with the leet skills needed to pull this one off ;-)


Friday 1 June 2012

Forensics Training courses

Yesterday I posted a question on Twitter to see what other training offerings there are out there in the area of computer forensics, beyond what we know is a quality offering from SANS. Not because I don't like SANS but because I kinda knew everybody would start sending me SANS links and since I know their offering, I was mostly looking for others. Here's what people came up with:

- EC-COUNCIL CHFI : http://www.eccouncil.org/Computer-Hacking-Forensic-Investigator/index.html
- Tigerscheme has malware and forensics courses : http://www.tigerscheme.org/qualifications/Tiger_Digital_Forensics_Certified_Incident_Handler.pdf
- CERT CC offers such a course : http://www.sei.cmu.edu/training/P107.cfm
- 7Safe offers such a course : http://7safe.com/forensic_investigation_course-technical_hands-on.html
- CFE is such a course : http://www.digitalintelligence.com/training/cfe.php
- TrustWave Spiderlabs offers personalized forensics training (no link to training curriculum available) : https://www.trustwave.com/spiderLabs-services.php