4/2/08

Revisited: From Zero to Expert in Your "Spare Time"

In June of 2001, I wrote a column for WatchGuard Technologies called From Zero to Expert in Your "Spare Time", a "Foundations" piece. Recently, editor Scott Pinzon asked me to update the thoughts for a podcast of Radio Free Security. I told him "Sounds like fun," and not being one to waste effort, I'm turning it into this blog entry. (The XML for the newsfeed is Radio Free Security. The direct link to the mp3 is How to Learn Network Security.)

Things have changed little in the world of network security support since 2001. (Yes, that is not a "typo"—little.) I still think many of us transition from "network support person" to "security guru" fairly quickly. Sometimes, we seek this ourselves, wanting something more "interesting to do." And sometimes we seek glory and honor. At the end of the day, people will still hate you. What people? It depends. Whoever is trying to do something "vital to the mission," and who forgot to talk to you about security until the last minute. This list can include software product developers, sales executives, program managers, product managers, network engineers, etc. But, you did ask for it, now didn't you?

Before I get to updating my old column, a warning: you, dear reader, want to hear new, exciting, interesting, and jazzy things to learn. And, indeed, there is some of that. But, I fear you will be disappointed that I will point to some old books and papers and old things to learn. Take heart. If this was a theology course, we would still look at old texts. As Paul Simon reminds us, in his song "Old," "God is old." (I lost some of you by mentioning Paul Simon, right? "Avolio is old," you thought.) Let me put it another way: If you study and use calculus or Boolean algebra, you don't only look at breakthroughs in those disciplines from the past few years. So, you'll have to trust me. You'll want to jump to the new and jazzy. You will do yourself a great favor by studying some old things, as well as new. You'd do it in physics or mathematics. You should also do so here.

One more warning: if your employer will send you to "CISSP school," in which you get trained to pass the CISSP exam, take them up on it. But, you will still need to do more. I know CISSPs who, by definition, passed the exam, but also clearly have no practical knowledge or experience.

First Steps.

As I said a few years back, "first off, you will have to exert some effort. You'll have to work. My idea is to give you work you can do in a reasonable amount of time, while still employed. ... You need to do some basic reading. Not all at once, and not in every area. Some excellent books and papers will provide a good start. I am only going to point to a few of these, because you are supposed to be able to do this without taking six months off."

You'll need to learn terminology around security, but that will come as you peruse the Internet, making use of Google and Wikipedia. Start with learning the technology in your current area of responsibility.

For security basics, let's start with WatchGuard, and not just because they asked me to do this. Their education page is easy to navigate and has information for Jedi masters as well as the padawan learner. Bookmark their "Network Security Glossary." Spend some time reading their White Papers. (They are free with a registration. They will not spam you. Scott promises.) Most of what they have--papers, podcasts, and videos--is 99% unbiased with 1% advertising. (Scott has to eat, too, you know.) Their "IT Managers' Security Resources" are for anyone wanting to learn more about network and computer security, not just for IT folks and certainly not just for managers. These provide practical advice for securing the corporate network from users to servers, along with an occasional technical "deep dive" piece. As you move towards Master from Learner, you will want to try your skills in "The Dustin Barnes Mystery Series," also found on their web page. Check out their instructional videos (fun but no fluff, I promise), and, of course, subscribe to their Radio Free Security podcasts. (You might find their case studies of interest, but these do seem to have the look and feel of marketing communication glossies.)

Next stop, Techtarget's SearchSecurity site. They also have excellent whitepapers and reports. Their main page is a "security portal" of sorts, gathering infosec news as well as security papers grouped topically. (Most of these papers are produced or sponsored by vendors and require registering.) While there, you should also subscribe to some of their RSS newsfeeds, such as Security Wire Daily News (or Weekly) and Network Security Tactics. There, you can also subscribe to Information Security Magazine, and you can read some of the articles in the latest issue online.

Next steps.

In addition to the "portals" mentioned above, we can drill down a bit into these particular areas.

Malware
This includes antivirus and spyware. Really, there aren't many books to recommend for coming up to speed on spyware. For antivirus I recommend Hacking Exposed 5th Edition (Hacking Exposed), though it covers a great deal more than that. Otherwise, peruse the malware topic area in the SearchSecurity papers (with the warning about vendor sponsorship I made earlier). Actually, I'd go to WatchGuard's education area and watch the "Malware Analysis Video: Drive-by Downloads."

As for other things, the National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database.

Oh, and for goodness sake, read about the Morris Worm.

Firewalls
For firewalls, I believe the early papers are still the best, and the technology has not changed substantially since their authors wrote them. Three of the first and best papers are:

The best books on the subject are also the earliest ones:

Intrusion Detection Systems
If you need to come up to speed on "intrusion detection," start with An Introduction to IDS. If you need something more in-depth, see Rebecca Bace's whitepaper, "An Introduction to Intrusion Detection and Assessment." She also wrote the book Intrusion Detection (MTP). Another excellent book is Terry Escamilla's Intrusion Detection: Network Security Beyond the Firewall.

Crypto
This list has not changed since 2001. The best books on the subject of cryptography for computers and the Internet are:

VPNs
You need to learn about virtual private networks, and, again, one of the best introductions is an "old" book, from 2001, Virtual Private Networks: Technologies and Solutions, by Ruixi Yuan and W. Timothy Strayer.

Secure E-mail
If you need to learn about e-mail security:

And just for fun, check out some famous attacks.

Ongoing

How in the world will you keep up to date on changing technologies and events while still keeping your job (and maybe even having a life)? The answer is "automate." Sign up to an RSS news service (mentioned earlier). Spend a half hour of each day checking news items and bulletins.

Start poking around NIST's Computer Security Division's Computer Security Resource Center. There are some useful papers and guidelines here. There are also things that look surprisingly like they were written by someone getting paid by the word. (They were not. But, one of the mottos of big government agencies seems to be, "Never say in 10 words what you can say in 100.") Their "Guide to NIST Information Security Documents" is 36 pages.

There are security-related magazines to read, and my favorites both have electronic and print versions:

Even without having six months to take off, you might be able to get some outside training for on-going growth and development. My favorite security-related conferences are:

Are We There Yet?

In this column, I briefly suggested and pointed to resources to help you move from beginner, towards "expert." This has not been exhaustive; undoubtedly, I have left out some excellent resources. Treat these suggestions as a starting point. Most of these resources will lead to others. With some reading and some trying this and sampling that, you will start down a path that can, eventually, lead you from novice to expert.
