
PenTest Market Magazine


Social media is an addition to the toolkit, not something new and different. Small businesses need to focus on making a good product/service, marketing and distributing it effectively, and then supporting the customer. Social media can add to all of these core pieces if used effectively. It may be free (or nearly free) but the opportunity costs must be carefully weighed before investing precious resources into it.



Page 3 http://pentestmag.com 02/2012 (2)

EDITOR'S NOTE
Market 02/2012 (02)

Pentesting market is growing

The second issue of PenTest Market is out. We have for you the next fresh dose of interviews and articles devoted exclusively to the pentesting business. The first issue was very popular, so we decided to make PenTest Market a free magazine. Now access to our content will be easier than ever. Let's look at what we have prepared for you in this issue.

On the cover you can see Victor Mehai Christiansenn, who is the Director of Sales at SecPoint. Victor told us about the pentesting market which, in his opinion, is going to grow more and more in the upcoming years. He has also described SecPoint tools for penetration testers.

On the next pages we will „Walk through the penetration testing fundamentals” with Pierluigi Paganini. The author explains why to conduct a penetration test and shows that penetration testing is a widespread need.

We have talked with two experts in the area of IT security auditing. Michael Brozzetti told us what the difference is between an internal auditor and an external auditor. We also asked him about the transition from IT security to IT auditing. Furthermore, Mehmet Cuneyt recommended certifications, trainings and skills for someone who wants to pursue a career in IT security auditing.

Another interesting person we had the pleasure to talk with was Dr. Lukas Ruf. He is a senior security and strategy consultant with Consecom AG. He shared with us his experience of the security consulting business and told us about strict cyber privacy in the EU.

Ian Moyse, a leader in cloud computing, has prepared for us a combination of pieces focusing on adopting the cloud in a secure manner. He gives examples of things to check before signing up with a cloud service provider.

„Have you M.E.T?” – a really intriguing title. In his article Amarendra writes about what it takes to be a successful pen-tester. You just have to have M.E.T: Mindset, Experience, Tools, techniques and training.

Our next guests are Joe Hillis and Jay McBain. Joe is leading an initiative to engage the technology community to help small businesses and communities with the continuity and recovery of information systems following a disaster. Jay is an accomplished speaker, author and innovator in the IT industry. They both have much experience in IT security and you can learn a lot from them.

Our last but not least interview in this issue features Raj Goel. He is an IT and information security expert with over 20 years of experience developing security solutions for the banking, financial services, health care, and pharmaceutical industries.

Finally we can present the article by our great contributor Aby Rao. He provides „10 ways to enhance your career in Information Security” based on his personal experience. This article is primarily targeted at people who are in entry-level positions or are making a switch to IT security from a different field of work.

We hope you will find this issue of PenTest Market absorbing and uncommon. Thank you all for your great support and invaluable help.

Enjoy reading!

Krzysztof Marczyk

& Pentest Team


CONTENTS

PENTESTING MARKET
06 Interview with Victor Mehai Christiansenn
by Aby Rao

The pen test market has grown a lot during the last few years and the good news is that this increase is not going to stop, as there will always be a new vulnerability and the remedy for it is required instantly. So we always keep finding new possible loopholes, and customers and end users do understand the need for pen-testing, as it's a proactive way of finding what might be coming to them in the future; they want to stay prepared and prevent it. There is nothing better than pen testing and it is just going to increase more and more in the coming time.

PENTESTING FUNDAMENTALS
08 Walk Through the Penetration Testing Fundamentals
by Pierluigi Paganini

The pen tester is a critical figure: he must think like a hacker paid to break our infrastructure and access the sensitive information we possess, so the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has happened that companies have wrongly hired hackers who in time revealed themselves to be cyber criminals. Information is power and money, and the concept of „trust” is fundamental to this kind of analysis.

IT SECURITY AUDITING
12 Interview with Michael Brozzetti
by Aby Rao

IT security professionals can make excellent candidates for IT auditors because it's like looking through the other end of the lens. IT auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking "short-cuts." This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT auditing.

16 Interview with Mehmet Cuneyt Uvey
by Jeff Weaver

The profession of auditing is one of the oldest in human history. There are many different types (financial, quality, operational, health and safety, etc.) and levels of auditing. The first requirement for auditors is to know the business they are auditing. Risk assessment know-how is a must. Auditors need more technical skills, need to understand project management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes, so that they can look not only underneath the numbers (business results) but also at the systems and processes that create those numbers.

SECURITY CONSULTING BUSINESS
20 Interview with Lukas Ruf
by Aby Rao

As a security consultant supporting customers internationally: the EU faces exactly the same problems as any other region. In general, however, the EU is better positioned to counteract attacks effectively than others, due to a good level of education and, hence, awareness of threats and daily mitigation measures.

CLOUD COMPUTING
24 Securing Clouds
by Ian Moyse

Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.

SUCCESSFUL PENTESTER
28 Have you M.E.T?
by Amarendra

Due to the large gray area in the field of software security, it is very difficult to spot a good penetration tester. Add to it the „ethical” baggage, and things get even murkier. Based on experience, the author discusses the elements that make a successful penetration tester. Hopefully, these ideas shall help your organization in making a well-informed choice.

DISASTER RECOVERY
30 Interview with Joe Hillis
by Aby Rao

Disaster recovery is a subjective area, typically viewed differently by technology professionals and business leaders. The "best" method is generally driven by a business's operational needs and budget, but involves the common underlying process of making systems and data available after a catastrophic event. For some, it simply means having access to data files within 3 days; others may require continuous access to systems and data, regardless of the event.

SOCIAL MEDIA
34 Interview with Jay McBain
by Aby Rao

Building a personal brand is key in today's „flat” world. Social media is one of the tools that blend with a more physical presence through local communities, charities, industry events, associations and peer groups. Social media can build large, targeted virtual peer networks and has an ability to amplify thought leadership more than any medium in the past.

IT SECURITY
40 Interview with Raj Goel
by Aby Rao

At a very high level, CEOs and CFOs are primarily concerned with lowering costs and increasing revenues. IT security doesn't really matter to them. I've met very few CEOs or CFOs who actively seek out IT compliance or IT audit services. If they could avoid them, they would, with the exception of Sarbanes-Oxley (SOX) compliance; that's the only regulation that captured their attention and budgets.

KNOW-HOW
44 10 Ways to Enhance Your Career in Information Security
by Aby Rao

At first glance, this may look like one of those self-help articles promising that your life will turn around 360 degrees if you follow the advice offered. Sadly, I am making no such promises. It could very well be 30 or 50 ways to enhance your career, but I have limited it to 10, based on my personal experiences. This article is primarily targeted towards people who are at entry-level positions, or are making a switch to IT security from a different field of work. Experienced professionals shouldn't have a problem running through the list fairly quickly.

TEAM
Editor: Krzysztof Marczyk, [email protected]
Associate Editor: Aby Rao
Betatesters / Proofreaders: Massimo Buso, Daniel Distler, Davide Quarta, Jonathan Ringler, Johan Snyman, Jeff Weaver, Edward Werzyn
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa [email protected]
Art Director: Ireneusz Pogroszewski, [email protected]
Production Director: Andrzej Kuca, [email protected]
Marketing Director: Ewa [email protected]
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.


PENTESTING MARKET


SecPoint is a world-renowned IT company. What is the key to the success of your company?
Victor Christiansenn: Innovation and continuous development. Doing things differently than everybody else and opening up new markets, like with the Portable Penetrator. Also quickly adapting to new requirements in the market.

You have been on the market since 1998. What was the most challenging thing at the beginning of your career?
VC: Every day is a challenge! Once you love your job you do not see it as a challenge.

How has the pentesting market changed during these years? Do you consider anything a turning point for the market?
VC: It has changed a lot. We have seen sales of the Penetrator and Portable Penetrator increase, especially in the last three years. There has been a turning point where customers have realized the need for pentesting. Plus, every other day a new vulnerability is found, and as an IT security company we always strive to find the solution to the vulnerability.

How do you see this market in the future?
VC: Growing big time. The pen test market has grown a lot during the last few years and the good news is that this increase is not going to slow down: there will always be new vulnerabilities, and the need to find a remedy for them as fast as possible. So we always try to keep finding new potential loopholes, and customers and end users do understand the need for pen-testing as a proactive way of finding what might be coming to them in the future; they want to stay prepared. There is nothing better than pen testing and it is just going to increase more and more in the coming time.

What would you advise people who want to start their own company in the IT field?
VC: Go for it! The whole Internet is waiting for you. As I said, the threats are something that will never go away. You will always find some news about newly discovered threats. It requires a lot of manpower and skills to be the one who finds it before anyone else. Then comes the part of finding the solution and integrating it into the pen-testing product, so that the scanner can scan for it and find whether that vulnerability is indeed present on the network.

Please tell us more about your products (SecPoint Protector, SecPoint Penetrator, SecPoint Portable Penetrator).
VC: Protector is an advanced UTM (Unified Threat Management) appliance, which ensures real-time, all-round protection for users connected to your wired network.

Victor Christiansenn is the Director of Sales at SecPoint. He established the SecPoint security firm in 1998, at the tender age of 16, in the basement of his parents' house. Since then, the young entrepreneur has been working in the IT security industry full-time for more than 11 years. His passions are Wi-Fi security, vulnerability scanning and UTM appliances. He is interested in Freemasonry.

Interview with Victor Mehai Christiansenn

Protector comes with advanced IT security features like Firewall, real-time Intrusion Prevention (IPS), Anti-Spam, multiple Anti-Virus suites, Web Filter, Web Proxy, Anti-Phishing, Content Filter, Full Mail Archiver, DLP (Data Leak Prevention), incoming and outgoing mail backup, and more. Protector is available as an appliance as well as for VMware. Protector is easy to install and comes with a fully customizable, easy-to-use interface.

Penetrator is a complete penetration testing and vulnerability scanning suite. Portable Penetrator can scan any IP over a wired network for vulnerabilities. The system scans and searches for over 50,000 types of vulnerabilities on any IP address. Further, you can launch real exploits in order to check how secure your network is. Penetrator is available as an appliance as well as in a VMware version.

Cloud Penetrator is an online vulnerability assessment utility used to check for vulnerabilities on public IP addresses. It has an advanced crawler that crawls through each and every page of the website(s) present on a public IP address and looks for over 50,000 types of vulnerabilities, for example SQL injection, XSS (cross-site scripting), command execution, etc. It is a complete vulnerability assessment tool for a public IP address. For more information you can visit the FAQ section on our web site: http://shop.secpoint.com/shop/cms-faq.html.

Are SecPoint Penetrator and SecPoint Portable Penetrator intended for all pentesters regardless of their skill level?
VC: Yes. Penetrator and Portable Penetrator come with an easy-to-use interface and scanning can be initiated with just three clicks. So it is quite easy to use. The reports have an executive summary and in-depth technical details for the technical team. Customers can also host our products as a cloud SaaS service. It is a new trend that is quite rewarding and is getting more and more popular every day around the globe.

Which companies would benefit the most from your services? In which part of the world do you have the most business contacts?
VC: Apart from the enterprise-level products, we also have entry-level products for small and medium businesses. So we try to serve all sectors. We have the biggest customer base in Europe and the USA.

With SecPoint's "No Hidden Cost Policy," customers get the convenience of obtaining the solution they need at no extra cost. Products come with many features and upgrades, but customers do not need to pay for them separately.

How can you become a SecPoint employee? What traits and skills are highly appreciated? What may discourage you from hiring a potential employee?
VC: We ONLY work with the best. If you have the skills, we have the right place for you. The IT security industry always welcomes talented people. „Skills” and „results on time” are highly appreciated everywhere. It is nothing but a game of speed, where you need to be able to find a possible loophole, then find the solution, and then integrate it into the scanner. It is a game of speed and skills. The better the skill, the faster and more accurate your output will be.

How will SecPoint surprise us in the future? What are the long-term plans of the company?
VC: Watch out for 2012 and 2013! Many new things are coming. We are working around the clock to get more and more features built. By mid-2012 we are planning to add some exciting new features to our products, and the development phase is a never-ending process.

ABY RAO
Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to web applications and databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.

PENTESTING FUNDAMENTALS

The level of security and confidence requested by the market requires a meticulous approach in the testing phase of architectures; the methods introduced in recent years have become an integral part of the production cycle of every solution.

Why conduct a penetration test?

Penetration testing is a fundamental method for evaluating the security level of a computer architecture or network; it consists in the simulation of an attack on the resources of the system under analysis.

Of course the investigation can be conducted by experts to audit the security level of the target, but also by cyber criminals who wish to exploit the system.

The penetration testing process is conducted on the target searching for any kind of vulnerability that could be exploited: software bugs, improper configurations, hardware flaws.

The expertise provided by professional penetration testers is an irreplaceable component in the evaluation of the security of systems deployed in the private and military sectors. In many sectors these tests are required for the validation of any system or component.

The testing approach has radically changed over the years. Similar tests were originally conducted mainly on systems already in production or operation in order to demonstrate their vulnerabilities; today's test sessions are planned as part of the design phase and assigned to internal or external staff according to the type of checks to be conducted.

A first classification of penetration tests is made on the knowledge of the technical details of the final target, distinguishing black box testing from white box testing. Black box testing assumes no prior knowledge of the system under test: the attacker has to first locate the target and identify its attack surface before starting the analysis. With the term white box testing we identify an attacker with complete knowledge of the infrastructure to be tested.

The pen tester is a critical figure: he must think like a hacker paid to break our infrastructure and access the sensitive information we possess, so the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has happened that companies have wrongly hired hackers who in time revealed themselves to be cyber criminals. Information is power and money, and the concept of "trust" is fundamental to this kind of analysis.

Over the years awareness of the risks attributable to exploitable vulnerabilities in systems, and of their economic impact, has fortunately increased. This aspect is not negligible, because it has enabled a more robust commitment by company management, which has requested penetration testing activities more and more often.

Walk through the penetration testing fundamentals

This article talks about penetration testing fundamentals and their introduction in the private and military sectors. The growing demand for experienced IT professionals demonstrates awareness of the matter and expresses the need to analyze every aspect of technology solutions in depth.

An effective penetration test provides the company with a useful report on the status of its services and their exposure to the main known threats. Don't forget that many incidents recorded last year were related to vulnerabilities unknown to the victims and to the misconfiguration of appliances of every kind.

While the main objective of penetration testing is to determine the security level of the company, and in particular of its infrastructure, it can have a number of further objectives, including testing the organization's security incident identification and response capability, testing security policy compliance and testing employee security awareness.

The main benefits of a well-done penetration test are:

• Identification and classification of the vulnerabilities of the systems. Classification is essential to give the right priority to the activities needed to improve security and secure the infrastructure.
• Identification of those critical components in the attack surface of a system that, while not vulnerable today, have characteristics that make them susceptible to attacks over time.
• Determining the feasibility of a particular set of attack vectors.
• Helping organizations meet regulatory compliance.
• Identification of the vulnerabilities is the starting point for a deeper analysis made to assess the potential impact on the business of the company.
• Providing evidence of the real status of the systems by delivering a detailed report to the management of the company. It is the starting point because, starting from the report, the company must proceed to secure its infrastructure, evaluating corrective actions and their impact on the actual business. Well-documented penetration test results help management to identify the right actions to secure the infrastructure and to size the budget for them.

According to the principal methodologies, the whole process of a penetration test, from initial requirements analysis to report generation, can be applied to the following areas (these are the six sections of OSSTMM 2.x):

• Information security
• Process security
• Internet technology security
• Communications security
• Wireless security
• Physical security

Standards & Regulations

Penetration testing activities are also the object of regulation by several standards. For example the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires penetration testing at least annually and after any significant infrastructure or application change. PCI DSS Requirement 11.3 (https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf) describes penetration testing as the attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible.

Figure 1. How safe is your computer?

The standard also includes network- and application-layer testing, as well as the controls and processes around the networks and applications, and testing should occur both from outside the network trying to come in (external testing) and from inside the network (internal testing).

The most important factor for a successful penetration test is the adopted methodology; that is the reason why the discipline has evolved since its origins in the 1970s.

Over the years professionals have proposed and developed efficient frameworks for conducting a complete and accurate penetration test.

The Open Source Security Testing Methodology Manual (OSSTMM), by Pete Herzog and ISECOM, has become a de facto methodology for performing penetration tests and obtaining security metrics.

Pete Herzog, the OSSTMM creator, said: "The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey's already meager security budget; those who would side-step business values with over-hyped threats of legal compliance, cyber-terrorism, and hackers."

In my opinion transparency and an efficient methodology are essential for the study and assessment of every system.

To give a complete view of the standards and methodologies in penetration testing, we can recall the other guidelines recognized worldwide:

• Standards for Information Systems Auditing (ISACA), introduced in 1967. The ISACA organization provides the basic and most important audit certifications, useful for demonstrating to the market mastery of the concepts of security, control and audit of information systems.

• OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge based documentation that helps people secure Web applications and Web services.

• NSA INFOSEC Evaluation Methodology (IEM)

How effective are our systems, how efficient are our processes? We are never going to know until we run drills and exercises that stress the platforms and perform the analysis. Simulating possible attacks and measuring the level of response of our architecture is fundamental; events have taught us how dangerous an unpredicted incident can be.

Conducting a pen test is a good opportunity to test the level of security of an environment, but also to evaluate the response of the company to an intrusion or an incident. Using this methodology it is possible to stress and analyze a system or an application, discovering its vulnerabilities and the impact of every possible attack or malfunction on the overall architecture and on related systems. It has happened that during a penetration test mutual vulnerabilities between components were discovered: for example, exploiting a first web service could cause the blocking of, or worse, an exploit in, a related system that uses the services it provides.

Figure 2. Chinese Army computer hacking class

Several years ago, during the period in which I conducted penetration testing for a major company, I observed during a test session that some components were intentionally excluded because the administrators of the platforms had been informed about the vulnerabilities. That behaviour is really dangerous: excluding weak systems from a penetration test is a common wrong practice that prevents an efficient analysis of the system.

In this way we will never be able to measure the impact of the vulnerabilities on overall security, regardless of how the risks are addressed and recognized by the management of a firm. In a past experience I had the opportunity to audit an ISO 27001-compliant company whose management was perfectly aware of some known vulnerabilities and accepted the related risks. A few months later an external attack damaged the company through an unknown vulnerability correlated with a well-known problem that had not been tested.

Penetration Test, a widespread need

If the practice of carrying out a penetration test is recognized and requested by the major standards we examined in the private environment, it becomes crucial in critical environments such as the military and government.

In these areas information management is extremely sensitive and it is essential for the environments to be tamper-resistant. For this reason every device, component and infrastructure must be subjected to rigorous testing over time in order to assess the overall level of security. Particularly critical are the heterogeneous environments where components are provided by different suppliers and whose interaction enables the delivery of services. This type of environment, together with those characterized by openness to the outside, is a real thorn in the side of management bodies, as these architectures are more exposed to external threats.

In recent years there has been a dramatic growth in attacks against successful private companies and government agencies, a phenomenon of constant and growing concern.

Demonstration projects conducted by hacktivist groups like Anonymous, warfare operations conducted by foreign governments for purposes of offense and cyber espionage, and an unprecedented increase in cyber criminal activity have drawn attention to the security requirements of any IT solution. Verifying the effectiveness of the defensive solutions mentioned has become a significant activity and has led to an increased demand for figures such as the penetration tester, a multidisciplinary and multifaceted professional with the ability to analyze and study a system, identifying its vulnerabilities.

Of course in critical environments, such as the military one, governments have preferred, due to the secrecy of the solutions analyzed, to build internal groups of experts trained to execute penetration tests. In this sector nations such as China, Russia and the US are at the forefront.

Take as a further example the systems within critical infrastructures: the related vulnerabilities are alarming the security community. The case of the Stuxnet virus taught the world how dangerous a cyber weapon capable of exploiting vulnerabilities in a system can be. The only possibility we have in facing these cyber threats is to thoroughly test each individual component of the systems we are going to deploy. Stressing such infrastructure through penetration tests is essential, a unique opportunity to identify critical vulnerabilities that, if exploited, could affect its security posture.

Penetration tests are a precious opportunity to protect our infrastructures and must be integrated into a more articulated testing policy; a good example has been provided by Special Publication 800-42, Guideline on Network Security Testing, published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce. Note that SP 800-42 has since been superseded by SP 800-115, Technical Guide to Information Security Testing and Assessment, which is the document to consult today.

Let me conclude with a phrase that I have read several times on the Web and that sums up the purpose of penetration testing methodology:

“Protecting your enterprise by breaking it”

PIERLUIGI PAGANINI

Pierluigi Paganini has a Bachelor in Computer Science Engineering IT, majoring in Computer Security and Hacking techniques. Security expert with over 20 years experience in the field. Certified Ethical Hacker at EC Council in London. Currently he is Company Operation Director for Bit4Id, Researcher, Security Evangelist, Security Analyst and Freelance Writer. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog „Security Affairs”.

Security Affairs (http://securityaffairs.co/wordpress)
Email: [email protected]

Page 12: PenTest Market Magazine

IT SECURITY AUDITING

Page 12 http://pentestmag.com02/2012(2)

It’s not very common for us to interview professionals with extensive audit experience. Please tell us about your background and professional experience.

Michael Brozzetti: I started my auditing career with PricewaterhouseCoopers LLP (PwC) as an intern where I gained a lot of experience in the IT Auditing, IT Governance, and Business Process Reengineering domains. In 2002, I moved into working full-time as an IT Auditor at Charming Shoppes, which is a publicly traded specialty retail company. As of that time, the company was going through transition and had decided to bolster its Internal Audit department by hiring lots of fresh talent so I had an excellent opportunity to work with a lot of great people to help build a new Internal Audit department from the ground up. It was a unique and valuable experience to help such a large company design and implement internal audit processes and systems to support all of the auditing and consulting engagements performed by the department. In 2005, I decided to take that “leap of faith” and focused my energy into Boundless LLC, which later became recognized as a Philadelphia 100 “Fastest Growing Company” in 2010.

Can you tell us a little bit about your company Boundless LLC and the services you offer?

MB: Boundless LLC helps safeguard reputation and fiduciary integrity by helping organizations manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. We accomplish this by helping organizations integrate and improve their organizational ARCs – Audit, Risk, and Compliance – through our training, speaking, and consulting service offerings. “One-size” does not fit all anymore so Boundless remains flexible in supporting our clients’ needs and when we are engaged in a consulting capacity we work on a retainer basis pledging to uphold the Institute of Internal Auditors (IIA) Code of Ethics principles for integrity, objectivity, competence, and confidentiality. This is what differentiates us from the other consulting firms. Training and speaking is where I like to spend the majority of my time because I find it rewarding to help people improve what they do and how they do it.

Interview with Michael Brozzetti

Michael Brozzetti (CIA, CISA, CGEIT) is President of Boundless LLC, an expert internal auditing and governance firm, and is Chairman of the Business Integrity Alliance™, a joint venture between zEthics, Inc. and Boundless LLC whose mission is to advocate and advance the practices supporting the principles of integrity, transparency, accountability, and risk oversight. Michael has a passion for helping organizations strategically manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. Michael Brozzetti is a Certified Internal Auditor® Learning System training partner with the Institute of Internal Auditors, Villanova University, and the Holmes Corporation.

You teach at a university, what courses do you teach and how has it helped you as a professional?

MB: I teach a Certified Internal Auditor (CIA) review course in partnership with Villanova University and the Institute of Internal Auditors (IIA). The CIA is the only globally accepted designation for internal auditors. It is the standard by which internal audit professionals demonstrate their knowledge and competence in the areas of governance, risk and control. I think what has helped me most as a professional is the interaction with so many talented Internal Auditors that come to take the course. The course design promotes experiential learning so when an audit topic is discussed it is often anchored to the real world experiences of the group. This learning style really makes the course topics resonate with participants and it also fosters an excellent 360 degree learning environment for participants, as well as myself.

This may sound quite rudimentary but can you tell us what the difference is between an Internal Auditor and an External auditor?

MB: External auditors are primarily responsible for providing opinions about financial statements within the scope of accounting standards and rules. The external auditor’s approach is historical in nature, usually looking at the previous fiscal year or quarter, and typically puts the greatest focus on financial reporting risk. On the other hand, Internal auditors have a much broader responsibility for assessing operational risk, fraud risk, strategic risk, technology risk, and financial risk beyond just that of financial reporting. Internal Auditors often take a more forward looking approach and ultimately make recommendations to improve the governance, risk, and control processes of their organizations. Reference (http://www.youtube.com/watch?v=4-ko4n-Hyjs).

In the past you have spoken about values, morals and ethics. Why would these terms be important to any organization?

MB: These terms are particularly important to how an organization governs itself and behaves to its internal and external stakeholders. Professional standards say that internal auditors are responsible for promoting appropriate ethics and values within the organization. I have come to the belief that values do, in fact, motivate while morals and ethics constrain behavior, which was a notion written on by Paul Chippendale. A simple way to discern the difference between morals and ethics is that morals are related to a single person’s belief of what is acceptable and ethics are related to a group belief of what is acceptable. Does a company want to make a profit? YES, of course, but at what cost and what constrains the company from using overly aggressive captive pricing practices, misleading sales practices, or cheap foreign labor where work safety and employee health is of little concern. I would say ethics in this case should be the constraint, however some would argue as long as it is legal it is okay. I disagree with this mentality and believe that most law and regulation should be viewed as the bare minimum. When making significant business decisions I encourage companies to routinely ask three questions. 1) Is it legal? 2) Is it ethical? 3) Is it sustainable? If you can’t say YES to questions 1 and 2 it is really difficult to say Yes to number 3, which more than likely proves it to be a bad business decision from a long-term governance perspective. Reference (http://www.youtube.com/watch?v=3yt1gzFqe0M).

If an IT security professional notices illegal practices within their organization (inner threats), what approach should they take to report such activities?

MB: First, it is important to get the facts straight and validate that the documentation supports the findings before raising the issue to trusted management or through a trusted ethics/fraud hotline. I am emphasizing the word “trusted” because if the IT security professional does not have sufficient reason to trust management or an ethics/fraud hotline to address the problem, the reporting of these activities can become more challenging.

For example, if an IT security professional finds that their company is holding CVV codes for credit card customers and that this information was recently breached, the IT security professional might find it peculiar as to why they are not getting a positive response from the CISO or CIO. The IT security professional might know that the laws and regulations require the company to notify the customers of the possibility of a breach, but is now concerned the CIO/CISO is downplaying the incident because they recently learned that they were responsible for implementing the security program and developing the data privacy policies. As you can see, it is important that the reporting takes place to a trusted party that is independent enough from the event so that the best decisions can be made for the organization. I know this is easier said than done and often involves lots of moral courage when no one is listening to significant concerns. To prepare for such an incident, I would suggest that the IT security professional establish trusted relationships with other professionals in the organization’s audit, compliance, risk, legal, ethics, and other departments so that they have multiple experts to raise concerns to in the best interest of the organization. I wish I could say reporting was as easy as filing through the hotline or reporting to the senior most security officer, but the reality is that while this might work in some cases, don’t assume it always will.

Why would someone attain the CIA certification and would you recommend that certification to anyone in the IT Security profession?

MB: IT Security professionals play an important role in assuring their organization maintains strong governance, risk, and control practices. There is nothing wrong with IT security professionals maintaining a career path as a technical security expert, however professionals wanting to get involved in more of the broader business risk issues might want to think about becoming a Certified Internal Auditor. My first certification was as a Certified Information Systems Auditor (CISA), which helped me learn a lot about the technology and security risks that IT security professionals face every day, however my decision to pursue the CIA certification was to gain a broader perspective into the business risk of operating an enterprise. In my experience, when you can frame the technology and security risks within a broader business risk perspective it helps in communicating issues to senior-level management to get their attention and take action.

If an IT security professional would like to make a transition to IT Auditing, what path (certification, formal education, work experience etc) would you recommend and what are some of the challenges they have to be aware of?

MB: IT security professionals can make excellent candidates for IT auditors because it’s like looking through the other end of the lens. IT Auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking “short-cuts.” This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT Auditing. In terms of IT audit certifications, I often recommend the CISA because it is considered by many to be the most recognized and referenced by companies looking to hire IT Audit professionals. I know IT Auditors that come from a variety of educational backgrounds including business, accounting, and IT. In my experience, companies love to hire CISAs with “Big 4” experience so if you have an opportunity to make the transition by getting hired by a Big 4 firm you should certainly consider this even if it is just for the short-term. These firms typically offer lots of great hands-on experience and a lot of education, which have a lot of value even if you decide not to try to make partner at the firm.

From your consulting experience, can you share with us some of the common IT Governance issues you have noticed?

MB: I would have to say one of the most common IT Governance issues is understanding that IT Governance is not limited to just IT; it’s a team sport that involves all aspects of the business operations. IT governance comes down to aligning IT with the business strategies, goals, and objectives so that reliable information is at the right place, at the right time, and in the right hands to support sound decision making. While this might seem like a simplistic view it truly is the essence of IT governance. There are many excellent IT governance frameworks that can be used to support the business, however it is a common mistake to try and use the framework to run the business rather than applying the frameworks to support the operations of the business.


How critical are IT Governance frameworks such as COBIT, ISO 17799 in building a strong organizational foundation? What frameworks have you recommended in the past few years?

MB: The speed and reliability of information flow is critical in today’s globalized marketplace and IT Governance frameworks can certainly serve as a strong organizational foundation. There are many frameworks, including COBIT, ISO 27001, 27002, and 38500. While the IT governance space is mature with frameworks I believe that the practical implementations are harder cases to find due to some of the issues I noted above. ISACA had drawn up a nice paper that aligned COBIT with ITIL (Information Technology Infrastructure Library) which I thought was very helpful in a compliance project I was involved in. I found it very useful to consider frameworks and align them within the process-driven context understood by most IT professionals (ITIL) and the control objective-driven context understood by IT Auditors (COBIT). Again, it comes down to recognizing that everyone has a stake in IT governance, that it really needs to be approached from an enterprise viewpoint and that the frameworks adopted can satisfy all stakeholders.

You have a very strong profile as a speaker, how did you attain that and how do you continuously hone your speaking skills?

MB: There is certainly an art and science to professional speaking. Storytelling is an excellent way to help people view things in a different light to help them make the best possible choices in their personal and professional endeavors. As professionals we are all, to some degree, speakers whether it is in an auditorium of hundreds or a conference room of just a few. I grew a real passion for speaking once I started instructing the CIA review course in partnership with the IIA and Villanova University in 2008. One of the course participants that had attended my class thought I would make a good speaker so she invited me into a local chapter as a speaker. From that point, I learned that speaking is an excellent way to help people make a difference so I joined my local National Speakers Association (NSA) chapter and, at this time, sit on the NSA Philadelphia Chapter Board. I have an opportunity to work and learn from some of the best speakers in the business who all have various disciplines of expertise. The NSA four pillars of professional speaking include ethics, expertise, eloquence, and entrepreneurship, which are also driving principles I use to continually hone my speaking skills.

You are also an entrepreneur, how did you go about building your personal brand?

MB: Far too often, we find people just doing what they’re told to do rather than believing in what must be done. In my view, this is problematic within the auditing industry because you can always pay someone to tell you what you want to hear and unfortunately this happens. While it is important to maintain an open mind, it is equally important to make business judgments based on sound principles. A reputation built on consistent action and sound principles endures, so that is the motto I like to associate with to build my personal brand. Mean what you say, and say what you mean!

What book are you reading currently and any recommendations for our readers?

MB: I love to read and right now I have two books on my plate. “It is Dangerous to be Right when the Government is Wrong” by Judge Andrew P. Napolitano and “The Original Argument: The Federalists’ Case for the Constitution.” I have grown a great deal of interest in how the government and business communities interact with each other, which you can probably tell from my current reading list. Two good books I have read and also recommend are “Tribes” by Seth Godin and “No One Would Listen” by Harry Markopolos.

ABY RAO

Aby Rao has several years experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Database. He is skilled at planning and leading all phases of Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.


What motivated you to get into the IT Security field?

Mehmet Cuneyt Uvey: I am of internal audit and finance origin. Back in the 80’s and early 90’s, the bank I worked for was in a huge transition into automation. The bank had 600 branches; the systems developed first were aimed at branch automation. Use of mainframe and manual procedures was consolidated to batch processing, which was the first precedent. Later on, a high volume of investment in ATMs, credit card business and POS machines were new additions to the network. Self-service banking channels and Internet banking became all integrated. During this transition, I thought of auditing the systems and IT processes instead of the financial transactions. I had the chance to establish the IT Audit in the bank I worked for and understood that information security is one of the most important parts of IT audit. That’s how I got into IT Security.

How did you get your start in IT Security?

MCU: After establishing the IT Audit department and performing process & systems audits, we recognized that there was an information security standard published by BSI (British Standards Institute) named BS-7799 (now ISO27001). We had the chance to get the standard and we thought of using the standard for our audits for information security. This was the first time.

As an internal auditor what are some of your day to day tasks?

MCU: I work in one of the largest tractor companies/factories in the world. The Internal Audit Department started here eight months ago. My daily tasks are of different dimensions. On one side, I try to perform planned audits for the most critical processes (for example, Supply Chain Management) and relevant systems; on the other side, I try to follow up previous internal and/or external audit findings to ensure compliance. Another additional dimension is the coordination of corporate projects or becoming involved in compliance related projects (mostly IT related) to ensure auditability and accountability. When needed, one of my tasks is to perform special audits, ad hoc assignments from the top management.

Interview with Mehmet Cuneyt Uvey

Mehmet Cuneyt Uvey was born in Istanbul, Turkey, in 1967. He graduated from Middle East Technical University, Public Administration Department. He then completed his MBA degree at Bloomsburg University of Pennsylvania, USA. He has 25 years of experience in Internal Audit, IT Audit, IT Risk Management, IT Governance, Information Security and Project Management. He has performed audits, managed many projects and rendered consultancy services to public and private institutions. Mehmet has CGEIT, CISM, CISA, BS7799/ISO27001 Lead Auditor and PMP certificates and has worked as one of ISACA’s CobiT Trainers in the past. Currently, he works as an Internal Auditor for Turkish Tractor and Agricultural Machines Company (a CNH – Koc Group partnership). He gives lectures to graduate level classes about the above-mentioned subjects at various universities. He speaks Turkish, English and German.

What certifications, training, or skills would you recommend for someone who wants to pursue a career in IT Security Auditing?

MCU: My first security related certification was the BS 7799 Lead Auditor designation. This certification gives you the chance to look at Information Security with a broad perspective and a systematic approach. Moreover, you can become an external auditor with this certificate, to assess companies which want to acquire the ISO27001 Certification. I highly recommend the CISSP certification, especially for professionals with a technical background. CISSP is like a passport valid in all countries. Last, but not least, ISACA’s globally recognized CISM (Certified Information Security Manager) and to some extent CISA (Certified Information Systems Auditor) and CRISC (Certified in Risk and Information Systems Control) certifications are also helpful to get into IT Security and Audit. If you want to go further, the Certified Ethical Hacker (CEH) designation is more toward penetration testing and attacks and reflects more of the technical perspective of Information Security.

Are there any skills that you believe the auditors today lack, or should improve on?

MCU: The profession of Auditing is one of the oldest ones in human history. There are many different types (Financial, Quality, Operational, Health and Safety, etc.) and levels of auditing. The first requirement for the auditors is to know the business that they are auditing. Risk assessment know-how is a must. Auditors need more technical skills, need to understand Project Management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes, so that they can look not only underneath the numbers (business results), but also at the systems and processes that create those numbers.

What do you feel are some of the largest risks that companies face today, or ones in which you have seen?

MCU: The world is changing and the way of doing business is very different today. Information systems and their added value are also changing shape and going up to the cloud. High dependency on Information Technology is an advantage, as well as a disadvantage. At the end of the day, Information Security becomes one of the largest risks for a company’s reputation. There are many legal arrangements regarding intellectual property, protection of information and privacy, but there are also activist groups that defend free access to all information and transparency. There are digital wars between countries; systems are destroyed or compromised with cyber-terror and organized collective attacks. Of course, companies take their share of such attacks too.

What do you feel is one of the biggest mistakes that companies make trying to meet a compliance standard?

MCU: Trying to meet a standard is a very good effort. But companies think getting the standard done and being certified is the end of the road. Definitely it is just the beginning. A standard is defined as a “minimum requirement” to be able to get qualified. It needs to improve, get updated and surely become one of the main components of the daily routine to live and grow.

There are many frameworks for auditors today, which one do you see as being the most well rounded?

MCU: This is a hard question to answer. There are generally applied frameworks such as CobiT, ISO 27001, ITIL, ISO 25999, ISO 38500 and so on. There are also sector specialized frameworks. The framework you want to use should be relevant to the business line and also the size of your company. The PCI-DSS Standard for instance is most important for the Payment Card Industry; HIPAA – Health Insurance Portability and Accountability Act is essential for the health and insurance sectors; NIST (National Institute of Standards and Technology) standards cover almost all the information security issues technically, and so on. First you need to make sure that you search for the frameworks and standards that are most relevant to your business and fit the size of your organization.

What benefits have you seen being a member of an organization such as ISACA?

MCU: I have been a member since 2000. During that time, I had the chance to get myself prepared, go through knowledge and experience, and obtain certifications in IT Audit (CISA), Security (CISM), Governance (CGEIT) and IT Risk (CRISC). Moreover, we had the chance to establish an ISACA Chapter in Ankara, Turkey, together with colleagues and professionals (on the same day as our sister Warsaw Chapter), so that we could promote and share ISACA and its professional know-how and have a good networking place for IT Audit and Security professionals. I am the founding President. Up to now, especially bringing CobiT into the financial sector and implementing it 12 years ago has given me the chance to have a good job and to give consultancy and training to many large firms during my consultancy years. I made a Master’s Degree class out of CobiT and other frameworks and gave my “IT Governance” class in the four best universities in my country. I had the chance to add value to many young colleagues by helping them and/or lecturing them for certifications. These all came from the know-how, frameworks, certifications and networking inside and around ISACA.

Besides ISACA, are there other organizations that you would recommend being a part of (for Security Auditors), and why?

MCU: For security auditors with a more technical background, I highly recommend (ISC)2 – International Information Systems Security Certification Consortium, Inc., which is another path to follow. (ISC)2 is the main organization behind sound security certifications and designations like SSCP – Systems Security Certified Practitioner; CAP – Certified Authorization Professional; CSSLP – Certified Secure Software Life-cycle Professional; and the most common of all, CISSP – Certified Information Systems Security Professional.

What would you say to someone who is looking to get into IT security and Auditing?

MCU: It will be an uncommon answer to this question, but first, after the relevant education, they need to learn the business. What business are they in, what kind of transactions take place, what kind of tools and techniques are used, what systems are involved and what are their interactions and connections (interfaces), and what could be the risks and vulnerabilities of the business process, and so on... And among those risks, what could be the information security risks. On one hand, business knowledge is necessary; on the other hand, relevant technical skills and understanding of its risks are essential.

ABY RAO

Aby Rao has several years experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Database. He is skilled at planning and leading all phases of Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.


SECURITY CONSULTING BUSINESS


Dr. Ruf, you are a very distinguished professional with experience in academia and industry. Please tell us more about yourself, leading to how you got into the Security consulting business.

Lukas Ruf: Back in 1988, I started my first part-time job besides high school as a computer supporter for one of the (then) larger PC resellers. Before enrolling for studies at ETH Zurich (ETHZ), I began working as a software engineer for a ten-person consultancy. In 1996, I was asked by my boss to present my reflections on web-security to one of our major customers. This led to my first web-penetration testing in 1998. Business evolved and I started my first one-man security consulting in 2000. That’s it, basically.

While you were studying at ETH Zurich, what did you study and what was your research focus?

LR: At ETH, I enrolled for electrical engineering. For personal interest, I concentrated on micro electronics and anything that was possible to study in the field of computer and network engineering. My master’s then focused on computer and network architectures. For one of my term theses, I designed and implemented the first port of Topsy v1 to the ia32 PC platform.

To continue research in system and network design and engineering, I started my Ph.D. thesis in the field of Active Networking. Active Networking explored the possibilities of breaking the strict boundaries of network layers already within the network stack – and allowed for dynamic re-configuration and update of functionality provided therein.

This research allowed me to gain an in-depth understanding of networking as well as system security and stability, insights from which I benefit every day in my job as security consultant.

Interview with Lukas Ruf

Dr. Lukas Ruf is a senior security and strategy consultant with Consecom AG, a Swiss-based consultancy specialized in ICT Security and Strategy Consulting. He is one of Switzerland’s experts in application, system and network security. He is specialized in network and system security, risk management, identity and access management, computer network architectures, operating systems, and computer architectures. He is an expert in strategic network/ICT consulting and security audits, and a designer of security architectures for distributed platforms. Dr. Lukas Ruf has been gaining experience in Security and Strategy Consulting since early 2000. Since 1988 he has been active in ICT application development as an architect, lead engineer, apprentice coach, consultant, educator and trainer. His proficiency builds on this long-term experience.


Is there enough innovation taking place in the field of Information Security? Are you involved in any innovative projects yourself?

LR: From an academic point of view: there is a lot of room for future research and innovation is taking place heavily. In daily practice, fundamental issues are still obstacles, although you cannot gain any fame in academia.

As a security consultant serving customers also in the field of their strategic evolution, I am involved in various client side projects that are cutting edge for industry and academia.

You have a strong engineering background, please tell us how that is helping you in your career.

LR: My strong engineering background helps me every day: first, it allows me to understand the issues engineers face daily and to interpret them towards management. Second, it is the foundation for secure designs and architectures. And, foremost, it supports the conception of processes and organizational structures that fit the needs of business as well as operation.

When it comes to reviewing solutions it is /the/ crucial point to deliver the required insights as well as the appropriate assessment to our customers.

Tell us more about your consulting firm, its size and its technical strengths.

LR: We are a strong team of experts that, as a team, covers an extremely wide range of technologies. Based on a group of friends that did their PhDs together at ETH, we have been able to grow to, currently, eight consultants and one administrative support person.

Our effective strength consists in the pool of experts that are, first, open to criticism, and second, strong in method. We all benefit from our ETH background that laid the technological foundations on which we built our current offering: we combine organization with technology.

Where does the EU stand in terms of preventing cybercrime compared to the rest of the world?

LR: As a security consultant supporting customers internationally, I see that the EU faces exactly the same problems as any other region. In general, however, the EU is positioned better to counteract attacks effectively than others due to a good level of education and, hence, awareness of threats and daily mitigation measures.

SECURITY CONSULTING BUSINESS

The EU is known for its strict cyber privacy. What are your thoughts on privacy laws in the EU?

LR: Laws are on the right track. From my point of view, the protection of users’ rights should be extended to protect also the unknowing, common user: I have great concerns when it comes to the willingness of people to post any private fluffy triviality that, if combined correctly, provides a very detailed profile of the user. People must be protective of their self-display – they do not know what they are currently doing.

Similarly, all kinds of user tracking by cookies with ‘like-it’ buttons must be prohibited by law. It must not be possible for any – private or governmental – institution to screen any activity of the people. ‘1984’ is not far from where we are today.

When you are consulting, how do you ensure that your client is educated on various security risks and issues related to their environment?

LR: I tell them. :)

What are some of the security threats companies in the EU are worried about?

LR: Fraud. Based on identity theft, fraud is committed every second. The protection of identities is crucial to e-commerce and e-government – as well as private life.

Please share with us some of your experiences in Identity and Access Management.

LR: Being very active also in IdM and IAM, I came to the conclusion that all businesses face an endless endeavor if they do not follow a correct and strong method to introduce IAM. What is important is that the concept is sound and meets the requirements of the business. If IAM is an initiative carried out by operations only, it rarely meets the effective requirements other than administration.

You have some experience in security architecture; what are some of the challenges in the security architecture of large-scale web applications?

LR: I have had the opportunity to support various customers with developing the security architecture of web portals based on JSR 168 and JSR 286. There, I had to learn that engineering must not follow basic concepts without reflection on the specific target solution. For large-scale web applications, performance is always an issue: you have to deal with the huge amount of data such that today’s end-customers do not click away – while guaranteeing the appropriate level of protection for the company as well as for the end-customer.

Cloud computing is gaining tremendous popularity in the US; what is its status in the EU?

LR: Cloud computing is gaining popularity in the EU tremendously as well. A big challenge – for good – is the strict interpretation of laws on privacy when it comes to customer-identifying data in health care or similar. The problem there is that users of cloud computing often neglect the laws, focusing just on commercial benefit. I hope that EU-wide initiatives strengthen the rights of end-users there too.

Consecom AG is involved in SEBPS – The Secure Browsing Platform for Switzerland. Please tell us more about that initiative.

LR: You can download SEBPS from www.sebps.net for free. SEBPS is our contribution to the public to protect their web activities against fraud while remaining usable. Our goal has been to provide a drastic increase in web-browsing security for ‘my grandmother’, i.e. the 99% of users in the world who need not know how to configure a Linux kernel in order to be safe against most of the cyber attacks that affect common users. We have accomplished this goal by providing a VM-based, hardened Firefox on Linux platform that renders the process-persistent installation of malware impossible.

Switzerland is a beautiful country. How do you make the best use of its natural beauty?

LR: I enjoy spending as much time as possible outdoors with friends and family. In Switzerland, I enjoy hiking as well as skiing. When at the sea, I have been enjoying windsurfing for the past thirty years.

ABY RAO

Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.


CLOUD COMPUTING

Securing Clouds

The most common objections for holding back SaaS (Software as a Service) adoption, as reported from end customers, are named as ‘security’ and ‘reliability’. This is interesting when you consider that SaaS Security is consistently reported as the fastest growth area of SaaS.

This ‘security’ objection usually stems from the customers’ perspective; they are concerned about the security of their data held outside their perimeter by the cloud provider. Yet despite these concerns there has been a thunderstorm of growing noise surrounding cloud computing in the past 24 months. Vendors, analysts, journalists and membership groups have all rushed to cover the cloud medium, although everyone seems to have their own opinion and differing definition of cloud computing. Similar to many new sectors of technology, the key is to separate the truth from the hype before making educated decisions on the right time to participate.

While still evolving and changing, cloud computing is here to stay. It promises a transformation – a move from capital intensive, high-cost, complex IT delivery methods to a simplified, resilient, predictable and cost-efficient form factor. As an end user organisation of whatever size, you need to consider where and when cloud may offer benefit and a positive edge to your business.

Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.

Cloud represents an IT service utility that enables organisations to deliver agile services at the right cost and the right service level; cloud computing offers the potential for efficiency, cost savings and innovation gains to governments, businesses and individual users alike. Wide-scale adoption and the full potential of cloud will come by giving users the confidence and by demonstrating the solid information security that it promises to deliver.

Computing is experiencing a powerful transformation across the world. Driven by innovations in software, hardware and network capacity, the traditional model of computing, where users operate software and hardware locally under their ownership, is being replaced by zero local infrastructure. You can leverage a simple browser access point through to powerful applications and large amounts of data and information from anywhere at any time, and in a cost effective manner.

Cloud computing offers substantial benefits including efficiencies, innovation acceleration, cost savings and greater computing power. No more 12-18 month upgrade cycles: huge IT burdens like system or software updates are now delivered automatically with cloud computing, and both small and large organisations can now afford access to cutting-edge innovative solutions. Cloud computing also brings green benefits such as reducing carbon footprint and promoting sustainability by utilising computing power more efficiently.

Cloud computing can refer to several different service types, including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). SaaS is generally regarded as well suited to the delivery of standardised software applications and platforms, like email, CRM, accounting and payroll. The development of the SaaS business model has been rapid and it is now being used to provide high performance, resilient and secure applications across a range of company sizes and industries.

However, as already mentioned, in end user survey after survey the top two issues that surface are security (data being the typical lead in this) and reliability (being availability and accessibility). A good reference point for this is the Cloud Industry Forum's 2011 survey extract in Table 1 below.

Is this so different when you consider the traditional on-network form factor? Consider the increasing number of recent and well publicised data breaches and reliability issues from the likes of Sony, BlackBerry and TK Maxx. Often these are tarred with the cloud brush; however, these are breaches where the company was hosting its own solution as a provider and yet was hacked from outside. These are sizeable targets, with larger IT teams and budgets than the average-size business in the market today.

Look at end user surveys on IT challenges in general and managing the complexity of security appears high on, if not top of, those lists, with other contributors around lack of IT expertise or not enough IT staff. Increasingly businesses are concerned about protection of the organisation's information assets from external as well as internal threats. In a time of financial challenge, protecting against the disgruntled employee is also to be taken seriously.

There is no doubt cloud is bringing change. With the Internet and technology, we have a generation of users demanding access to their applications from their iPhone, iPad, BlackBerry or Android devices. We have entered an era where infinite IT power and information is available to a user on the smallest of devices, on the move and at an affordable price. As devices get more powerful, the Internet faster, the demand and supply of cloud applications will skyrocket and the power in the hands of the user will be greater than we have ever delivered before. Expect the marriage between mobility and the cloud to continue to grow.

So as you extend your footprint into utilising an increasing number of cloud-based services, you need to consider the security aspects from an access control perspective, i.e. who can access what, from where and from what device, and what are the additional risks, if any, of this. For example, can a user store their login details on their personal iPad, and is that device secured enough that if they lost it your cloud systems' access would not be breached?

Cloud or SaaS does not provide one-size-fits-all solutions, and not every application in the cloud will be right for your business. You should consider in what areas it makes sense to utilise the cloud. Where can your organisation gain improvement in areas of business efficiency, resilience and cost reduction? Look to others in your sector and what they have done, and look for simplicity and obvious choices in your first cloud solution adoptions.

Table 1. What are your most significant concerns, if any, about the adoption of cloud in your business?
Only asked of respondents who either currently use cloud or will do at some point in the future.

Concern                                                            Total   Fewer than 20 employees   20-200 employees   More than 200 employees
Data security                                                      64%     62%                       61%                68%
Data privacy                                                       62%     68%                       61%                60%
Dependency upon internet access                                    50%     53%                       58%                42%
Confidence in the reliability of the vendors                       38%     32%                       38%                41%
Contract lock-in                                                   35%     30%                       43%                30%
Cost of change/migration                                           32%     27%                       35%                33%
Contractual liability for services if SLAs are missed              31%     16%                       38%                33%
Confidence in knowing who to choose to supply service              28%     27%                       29%                28%
Confidence in the vendor's business capability                     24%     16%                       25%                26%
Confidence in the clarity of charges (i.e. will they be cheap on-prem)   22%     16%                 26%                21%
Lack of business case to need cloud service                        21%     11%                       27%                22%
Base (number of respondents)                                       323     73                        112                95

Review your shortlisted vendors carefully and compare them across multiple areas, not just price. With cloud computing you need to ensure that you validate who you are dealing with, what their reputation is and the quality of service you will receive.

Example things to check before signing up with a cloud service provider, which a reputable cloud provider will be happy to answer, include:

• What are the terms and conditions in the service level agreement (SLA)?
• Are there penalties if a supplier fails to deliver?
• What has the provider’s success rate been over a certain period?
• Can they provide customer testimonials? Can you speak to the customers directly?
• Who is going to support the services? Will it be their own supporting staff or a third party? Where are the support staff?
• Do they provide out-of-hours support? If so, what kind of support do you get?
• Where are the supplier's data centres? Which will you be utilising?
• Where is your data stored? Is it in the UK, Europe, or the US?
• Who has access to your data?
• What security certifications does the vendor hold for their data centre operations?
• How often has the vendor updated its service in the past 12 months?
• Will you be getting ongoing value for money from the enhancements?
• Can you see the service roadmap the vendor delivered in the past year?

There is nothing to fear inherently about the cloud. Companies simply have to perform their diligence as they would when buying any other solution, as long as they know the right questions to ask.

In addition to considering the security aspects that may change when utilising cloud solutions, such as mobility, access control and the security of the chosen vendor itself, you should also consider the level of cloud education within your own IT staff. Whilst the fundamental technology being utilised is not new, the architectures, security methods and mobility aspects do require the adoption of new skills and mind-sets, and you will likely also be engaging with vendors you may not have dealt with, or even heard of, before.

Cloud offers opportunities for those that embrace the new form factor and self-educate and certify themselves for the needs of employers today and tomorrow. More education is needed in cloud across all sectors to enable businesses to understand and utilize this important new technology to its advantage.

CompTIA’s Cloud Essentials certification is an example option that enables employees of varying roles to validate their cloud knowledge, take online training and exam-condition testing, and differentiate themselves in the competitive job market. John McGlinchey, Vice President, Europe & Middle East, CompTIA, commented: “We have had a demand from the user market for a training curriculum with testing to support this rapidly growing new form factor. The demand and adoption is outstripping the skill base and it is key that individuals and businesses recognise and address this shortfall, before it becomes a serious issue for all concerned.”

More education is needed in cloud across all sectors to enable businesses to understand and utilize this important new technology option to its advantage and this need for understanding stretches past simply the border of the IT department. Expect to see more cloud courses and exams providing the market with the required validations in this new cloudy world.

The IT department in this form factor may not be deploying the hardware and software any longer, but they will play a key role in ensuring the integrity of your systems and security controls that you have in place for your cloud operations.

Ignoring the cloud or moving everything to it in a race to be ‘all cloud’ are both perilous positions. Taking educated steps to the cloud will ensure you gain the benefits that it can bring in a secure manner and that you don’t end up in a technological storm.

IAN MOYSE

Ian Moyse is Workbooks.com Sales Director, Eurocloud UK Board Member and Cloud Industry Forum Governance Board Member. He has over 25 years of experience in the IT sector, with nine of these specialising in security and over 23 years of channel experience. Starting as a Systems Programmer at IBM in the mainframe environment, he has held senior positions in both large and smaller organisations, including Senior Vice President for EMEA at CA and Managing Director of several UK companies. For the last 7 years he has been focused on Security in Cloud Computing and has become a thought leader in this arena.


SUCCESSFUL PENTESTER

Have you M.E.T.?
What it takes to be a successful pen-tester

“You see, but you do not observe. The distinction is clear.” Sherlock Holmes uttered the above sentence to Dr. Watson in A Scandal in Bohemia. This phrase fits penetration testers perfectly: the skill to build is “observing” things, rather than merely “seeing” them.

Due to the large gray area in the field of software security, it is very difficult to spot a good penetration tester. Add to it the “ethical” baggage, and things get even murkier. Based on experience, the author discusses the elements that make a successful penetration tester. Hopefully, these ideas will help your organization make a well-informed choice.

Security tools are a primary focus of a penetration tester, and rightly so – they reduce a lot of work, automate things that otherwise would be very tedious to do manually, and provide instant results (who does not like “instant results”?). However, a security tool has limitations – false positives, false negatives (the bigger problem), and incomplete coverage. What then, in addition to the knowledge of tools, makes a successful penetration tester?

Enter M.E.T.

• Mindset
• Experience
• Tools, techniques, and training

If you have M.E.T., you can be a successful and knowledgeable penetration tester, and probably no longer dependent on various security certifications to prove your ability.

Mindset

An attacker follows no rules. This is very important to understand – it essentially means an attacker will find a path to break into your software system in a way you never imagined. This frame of mind allows you to think beyond the obvious – think of ways to compromise a system, and more importantly, think of ways to defend the system. Remember, an attacker has to find one weak link to capture the castle (software system), while the defender has to defend every possible weak spot. Unless you have built (or participated in building) large and complex software systems, you may not completely understand the defense and the offense. Understanding both the attack and defense patterns is very important in the role of a penetration tester.

In order to build this mindset, one must be inherently curious about how things work. This curiosity allows you to look under the hood of large and complex systems – know their inner workings, understand the interaction of their sub-components, know how things fail, and know how things can be made better.

As an example, if you find an XSS, these are the questions a curious mind will think of:

• What is the root cause of this XSS?
• Are similar vulnerabilities lurking in other places in the application as well, assuming developers make the same mistakes and copy-paste code?


• What type of fix applies in this case?
• Is there any framework control that can provide a more generic solution?
• What can be done to prevent re-occurrence of similar issues?

Your contract may only specify finding issues, but you can explore deeper to suggest a fix as well. In turn you start building the right mindset of exploring things deeper, and not merely scratching the surface.
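The XSS questions above, worked through in code as an added example (not from the article): the vulnerable handlers show the root cause (untrusted input concatenated into HTML with no output encoding), the "framework control" is a template helper that escapes every substitution by default, and find_html_concat() is the curious tester's grep for the same copy-pasted pattern elsewhere. All function names and the sample source lines are constructed for this example.

```python
"""Root cause vs. effect of a reflected XSS, and a framework-level fix.
Constructed example; nothing here is taken from a real code base."""
import html
import re
from string import Template
from urllib.parse import urlsplit


# --- The 'before': what a pentester typically finds -------------------
def greet_vulnerable(name: str) -> str:
    # Root cause: the value lands in an HTML body context unencoded, so
    # '<', '>' and quotes from the user survive into the page.  The
    # reflected script is only the *effect* of this missing encoding.
    return "<p>Hello, " + name + "!</p>"


def link_vulnerable(url: str) -> str:
    # Same root cause, copy-pasted into an attribute context.
    return '<a href="' + url + '">profile</a>'


# --- The 'framework control': one fix for the whole class --------------
class EscapedTemplate(Template):
    """A string.Template whose substitutions are HTML-escaped (quotes
    included) before insertion.  Because escaping is the default, a
    developer cannot forget it in the next copy-pasted handler."""

    def substitute(self, mapping=None, **kws):
        values = dict(mapping or {}, **kws)
        escaped = {k: html.escape(str(v), quote=True) for k, v in values.items()}
        return super().substitute(escaped)


def safe_url(url: str) -> str:
    """Escaping alone does not fix href: a 'javascript:' URL contains no
    special characters.  Allow only http(s) links, otherwise a harmless '#'."""
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else "#"


PAGE_GREET = EscapedTemplate("<p>Hello, $name!</p>")
PAGE_LINK = EscapedTemplate('<a href="$url">profile</a>')


def greet_fixed(name: str) -> str:
    return PAGE_GREET.substitute(name=name)


def link_fixed(url: str) -> str:
    return PAGE_LINK.substitute(url=safe_url(url))


# --- 'Are similar vulnerabilities lurking elsewhere?' ------------------
# A quoted string literal containing '<' joined to a variable with '+' is
# the pattern behind the first finding; flagging every occurrence turns
# one XSS report into a list of places to review.
_HTML_CONCAT = re.compile(r"""(?:"[^"]*<[^"]*"|'[^']*<[^']*')\s*\+\s*[A-Za-z_]\w*""")


def find_html_concat(source_lines):
    """Return 1-based line numbers where HTML is concatenated with a variable."""
    return [n for n, line in enumerate(source_lines, 1) if _HTML_CONCAT.search(line)]


# Constructed source lines standing in for a code base under review.
SAMPLE_SOURCE = [
    'return "<p>Hello, " + name + "!</p>"',
    "return '<a href=\"' + url + '\">profile</a>'",
    "return PAGE_GREET.substitute(name=name)",
    'log.info("login for user " + name)',
]

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print("vulnerable:", greet_vulnerable(probe))
    print("fixed:     ", greet_fixed(probe))
    print("href fixed:", link_fixed("javascript:alert(1)"))
    print("lines to review:", find_html_concat(SAMPLE_SOURCE))
```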

Experience

Time is the essence of penetration testing. Given infinite time and infinite resources, anyone can find all possible security flaws of a system. However, experience teaches you how to optimize the available resources to achieve maximum coverage and output. Typical penetration testing assignments last a few weeks – two to six mostly – and only with experience will you be able to utilize this time efficiently and effectively.

Experience also teaches you to “spot” patterns or “chains” of events in a software system – a possible denial-of-service, followed by an inbound network connection to the transaction service, and a system compromise happen in lock-step fashion. Effectively disabling such an attack requires any one event in the chain to be neutralized/controlled, and recognizing which one again comes with experience. The more penetration testing assignments you undertake, the wiser you are likely to become.

Experience also teaches you to properly distinguish between a cause of a vulnerability (buffer overflow in the source code), and the effect (arbitrary code execution, privilege escalation, etc.). Combined with right mindset, and proper training and techniques, it is a very powerful skill to have.

Tools, techniques, and training

Systematic training in the areas of software engineering and vulnerability assessment, as well as knowing the causes of vulnerabilities, is important. Learning to threat model a system goes a long way towards becoming a successful penetration tester.

Several good books are available that prepare you to understand the working of a software system, its failure modes, and ways to address failure. Good blogs, and security sites keep you up-to-date in the security field.

Wireshark, a popular packet capture tool, is used by pen-testers to find network security issues (e.g., cleartext transfer of credentials). It is more important to study the analysis of Wireshark captures and understand the protocol involved than merely to look for individual issues. If you understand the network protocol, you may find more issues with the client-server communication than a cleartext transfer of credentials.

Summary

Even though security tools play an important role in the life of a penetration tester, mindset and experience are very important to succeed at this job. The author encourages pentesters to look beyond the obvious to find the real security issues that plague today's software systems.

AMARENDRA

Amarendra has over a decade of experience working with large and complex software systems, especially their security. He loves to build and break things, and learn in the process. He is always striving to make software systems better, and secure.

Good books for a penetration tester
• The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities – Dowd, McDonald, Schuh
• 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them – Michael Howard
• The Web Application Hacker’s Handbook – Stuttard, Pinto http://mdsec.net/wahh/
• Browser Security Handbook – Michal Zalewski http://code.google.com/p/browsersec/wiki/Main
• Secure Coding in C and C++ – Robert Seacord
• Practical Cryptography – Bruce Schneier
• Hunting Security Bugs – Gallagher, Jeffries

Blogs/Groups to follow for up-to-date information on the field of security
• SecurityFocus http://www.securityfocus.com/
• Schneier on Security http://www.schneier.com/
• TaoSecurity http://taosecurity.blogspot.in/


DISASTER RECOVERY


Mr. Hillis, you come from a paramedical background. We are curious to know how you ended up in Information Technology.

Joe Hillis: As a career Firefighter/Paramedic, I worked a 24 hour shift at a local Fire Department every 3rd day. My employer had an IBM System 36 for incident reporting, and I began developing custom reports in an RPG based report writer in my downtime. I began taking programming courses at a local community college and developed several applications to simplify repetitive administrative tasks. My schedule was such that my full time job was only 120 days a year, which left 4-5 days a week to devote to my new passion. I was eventually appointed as the Information Specialist for the city, and began consulting for other municipalities and small businesses. After retiring from municipal government in 2004, I entered the private technology sector full time.

You are the co-founder and Operations Director of the Information Technology Disaster Resource Center, which is a non-profit organization. Please tell us about your organization and what services you offer.

JH: The ITDRC is a 501(c)(3) non-profit public charity comprised of volunteer Information Technology Professionals who assist communities, non-profit organizations, and small businesses with technology continuity and recovery from disaster.

Volunteer Subject Matter Experts (SMEs) provide Systems, Network, and Infrastructure “best practice” guidance in advance of a disaster, to help facilitate business continuity and rapid recovery following a catastrophic event.

During the early phase of a disaster response, the ITDRC provides connectivity, communications, technology assets, and mobile workspace to first responders and emergency management officials. As the incident progresses, we assist disaster relief organizations by establishing call centers and database applications to manage commodities, volunteers, and requests for service. Once an incident stabilizes and long term recovery begins, ITDRC volunteers work with affected small businesses and non-profits by providing technical recovery assistance and temporary equipment to ensure they can continue operations.

How did this organization come into being?

JH: Following the 9/11 events, Senator Ron Wyden (D-OR) proposed the creation of a National Emergency Technology Guard of volunteers (NETGuard) to assist with public infrastructure recovery. The initiative received overwhelming support from Congress, but never materialized after a pilot program in 2008.

After carefully monitoring the NETGuard initiative for several years, a group of service oriented professionals from the Technology, Emergency Management, and Small Business sectors formally established the ITDRC in January 2009. The 5 member Board co-managed the operation until mid-2011, when an Operations Director was appointed.

Interview with Joe Hillis

Joe is the co-founder and Operations Director of the Information Technology Disaster Resource Center, a 501(c)(3) public charity. Hillis is leading an initiative to engage the technology community to help Small Businesses and Communities with continuity and recovery of information systems following a disaster.


Our vision was to become a recognized and trusted technology clearinghouse; providing technology guidance and resources, and distributing in-kind donations to communities affected by disaster. After more than a dozen disaster deployments, our mission remains focused on helping communities and small businesses to prepare for, and continue operations following a disaster.

Just so our readers understand the criticality of disaster recovery planning, can you provide us some facts and figures on how much IT-related loss is incurred when disaster strikes?

JH: In the past 10 years, several sources including FEMA have published statistics indicating 25-40% of businesses never reopen following a disaster, or fail within 1 year. Unfortunately these studies do not differentiate the percentage of businesses that fail specifically due to an IT related loss.

A study of small business disaster recovery preparedness conducted by Carbonite in 2011 indicates 48% of small businesses have experienced a data loss. Additionally, a 2011 study by the Aberdeen Group indicates 5% of small businesses and 9% of medium businesses reported data losses from natural disaster. However, neither report indicates the net impact on the businesses.

Another study conducted by the Aberdeen Group in 2010 contrasts the cost of Datacenter downtime for organizations with Best-in-class, Average, and Poor or No disaster recovery plans. Although the business interruption results were somewhat predictable, the financial loss to an unprepared business is a staggering 40-times higher than a Best-in-Class prepared organization.

It is highly commendable to run an organization like ITDRC to help small businesses and communities. Can you share with us some of your stories from recent disasters in the US?

JH: Following a string of deadly tornadoes in Kentucky last month, the ITDRC was called to provide technology support for a small community of 2,000 residents. Our Mobile Command Center initially provided workspace, computers, and connectivity for the Logistics branch of the Incident Management Team. Technology volunteers were also requested to establish temporary voice and data communications in a makeshift Emergency Operations Center at the County Courthouse.

Virtual Operations Support personnel assisted field teams by establishing a web portal to track service requests and public offers of assistance, as well as virtual telephone numbers for volunteer and donation inquiries. The virtual phone numbers were routed to ATA devices connected to a PBX and phone bank on the Command Bus, which was manned by local volunteers.

One week prior, ITDRC volunteers were deployed in Branson, MO following a destructive tornado that destroyed dozens of structures including a strip shopping center containing several small businesses. The owner of a resale shop found their point of sale server under the collapsed roof of the building (with no backup). Members of the Disaster Technology Team dried out the system overnight, replaced damaged hardware components, and verified the data integrity before returning the recovered system back to the owner. These are just a few examples of tasks our “Technology Heroes” performed within the last month, and are common on each deployment.

Can our readers volunteer at your organization, and what kind of skills are you looking for?

JH: The ITDRC welcomes volunteers from all technology disciplines. Individuals with Systems, Network, and Infrastructure skill sets are always in demand during disaster deployments. Those with Technical Support, Programming, Project Management, and Analyst skills are extremely helpful in continuity planning and recovery, and can typically participate virtually around their work schedules.

Can you please share with us some of the industry best practices related to disaster recovery?

JH: Disaster Recovery is a subjective area, typically viewed differently by technology professionals and business leaders. The “best” method is generally driven by a business’s operational needs and budget, but involves the common underlying process of making systems and data available after a catastrophic event. For some, it simply means having access to data files within 3 days; while others may require continuous access to systems and data, regardless of the event.

In its simplest form, business critical data must be backed up and stored in a safe place so that it can be retrieved and recovered in the event of a system loss or failure. Systems should be backed up in a manner and frequency acceptable to the business to meet recovery needs.

As a best practice, data files should be backed up to a secure, preferably offsite, location one or more times daily. This can be accomplished through manual methods such as a nightly backup to tape or disk and placing the media in a vault, or automated to replicate block-by-block changes in real time to a recovery server across the country. Current backup technologies are capable of meeting either of these needs, and can enable rapid recovery in a virtual environment, or on replacement hardware if necessary.

The most important component of disaster recovery is the usability or recoverability of data from a backup. Testing should be conducted frequently to verify the integrity of the data, and to ensure data will really be accessible when needed.

For organizations with no IT disaster recovery plan, what fundamental steps would you recommend? JH: At the very least, organizations of all sizes need to back up critical data and store it offsite in some way! A local tape drive, external USB disk, or even thumb drive is better than having no backup. However, automated backups to a cloud storage area are the most popular options, and surprisingly affordable.

Next, spend an hour downloading and reading the business continuity templates and resources from the agencies and links below. Once you have a grasp on the concept, spend an hour a week working on a plan for your organization. Engage the resources of your staff and business contacts, and attend free SBA and technology webinars. Take it one step at a time, and delegate tasks to an intern or other staff member when possible.

Test your plan, one component at a time if necessary. Set a goal to have a table top exercise once a quarter, and maybe even a real (simulated) test once a year. Pick common scenarios like losing the secretary’s computer where the accounting files are stored. Escalate the events to include the loss of Internet connectivity or electricity on a Monday afternoon at 2PM, where the utility company tells you it will be down for 4-5 days while they replace a 1 mile stretch of poles. These are very real scenarios that you should be planning for!

Finally, share your plan with key personnel, and store multiple copies in a safe place. Hint: Keep a copy at home and one in an online folder that you can access from a remote computer.

How important is it for senior management to be involved in building an IT Disaster Recovery plan? JH: Senior management is ultimately responsible for the overall business operation and survival, and must provide IT staff with guidance to determine Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), and budget allowances. Once a Disaster Recovery plan is developed, IT staff must be held accountable for maintaining and testing the plan, documenting the results. Management oversight is required to protect the organization, its shareholders, employees, and customers.
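The two checks the interview keeps returning to, that data in a backup is really intact and that backups are taken often enough to satisfy the RPO management has set, can both be automated. The Python script below is an added illustration for readers of this interview, not a tool from ITDRC or from any vendor named here. It builds a SHA-256 manifest of the files at backup time, later verifies an offsite copy against that manifest to flag files that are missing or whose content has changed, and compares the age of the newest backup against a 24-hour RPO. The file names, file contents, and timestamps are constructed for the demonstration.

```python
"""Backup integrity and RPO check (illustrative, not ITDRC or vendor code)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest.

    Taken at backup time and stored separately from the backup media, the
    manifest is the reference that a later restore test is checked against.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Check a backup copy against the manifest.

    Returns the relative paths missing from the copy, those whose content no
    longer matches (media damage or silent alteration), and the count verified.
    """
    missing, corrupt, ok = [], [], 0
    for rel, expected in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            corrupt.append(rel)
        else:
            ok += 1
    return {"ok": ok, "missing": sorted(missing), "corrupt": sorted(corrupt)}


def rpo_met(last_backup_epoch: float, rpo_seconds: float, now: float = None) -> bool:
    """True when the newest backup is recent enough that a loss now stays within the RPO."""
    now = time.time() if now is None else now
    return (now - last_backup_epoch) <= rpo_seconds


def run_demo() -> dict:
    """Constructed scenario: three files backed up, then one corrupted and one lost."""
    work = Path(tempfile.mkdtemp(prefix="drcheck-"))
    try:
        src = work / "accounting"
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("2012-04-01,invoice,1200.00\n")
        (src / "payroll.csv").write_text("2012-04-15,salaries,5400.00\n")
        (src / "notes" / "todo.txt").write_text("renew offsite tape contract\n")

        manifest = build_manifest(src)            # recorded when the backup is made
        backup = work / "offsite_copy"
        shutil.copytree(src, backup)

        # Simulate damaged media and an incomplete copy on the offsite side.
        (backup / "ledger.csv").write_bytes(b"\x00" * 16)
        (backup / "notes" / "todo.txt").unlink()

        result = verify_backup(backup, manifest)
        # Constructed timestamps: backup at T, checked 12 hours later, 24-hour RPO.
        backup_time = 1_333_000_000
        result["rpo_met"] = rpo_met(backup_time, 24 * 3600, now=backup_time + 12 * 3600)
        # Same backup checked three days later: the RPO is no longer met.
        result["rpo_met_3day"] = rpo_met(backup_time, 24 * 3600, now=backup_time + 3 * 86400)
        return result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Run as a script it reports one file verified, one corrupt and one missing, and shows the RPO met at 12 hours but not at 3 days. In practice the manifest would be written alongside each backup job and `verify_backup` run against the restored copy during the quarterly test, so that a failed tape or a partial replication is discovered before a disaster rather than during one.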

What communication channels do you use to offer preparedness information to various organizations? JH: ITDRC conducts live preparedness presentations to non-profit, civic, and disaster response organizations. We feel this forum offers the best opportunity for attendees to network and visit with experts one on one.

Our latest community outreach initiative includes a 26 stop “Spring Disaster Preparedness Road Show”, with preparedness events scheduled in high risk areas for hurricanes and tornadoes. Attendees will learn best practices for protecting critical data and developing functional recovery plans. The tour runs from April 23 through June 9, 2012.

In addition to our web site (itdrc.org), ITDRC currently utilizes Facebook (/ITDRC) and Twitter (@ITDRC) social media channels. We are planning to expand our presence to include Google+ (ITDRC) and LinkedIn later this year.

Have you partnered with other non-profit groups/organizations to provide additional services? JH: ITDRC partners with other non-profit organizations to provide assistance to emergency management and public assistance organizations following a disaster. We forge many of these partnerships through membership in several regional VOADs, or Volunteer Organizations Active in Disaster. These groups allow us to pre-plan with other disaster response organizations to ensure they are aware of our role and available resources in a disaster.

We’re extremely proud of our strategic partnerships with several for-profit organizations as well. These companies support our mission through their Corporate Social Responsibility (CSR) programs and provide products, services, technical expertise, and financial support for our initiatives.

Can you recommend a few free or low-cost tools small businesses can use to help them with IT disaster recovery? JH: Most operating systems include a native backup program which can be configured to back up business critical data to a USB drive, tape, or other file share. Recovery times are often longer with these applications, but they work, and should be used in the absence of a more robust solution. Alternatively, free cloud storage space is available through services such as Microsoft Skydrive, DropBox, and Box.net, as well as dozens of others. They typically don’t include automatic backup software, and require manual intervention to save or copy files to a special folder or through a web interface. There are also a number of low cost, automated backup services for individuals and small businesses offered by vendors such as Carbonite and Mozy. For IT centric businesses, we recommend a centralized backup solution such as StorageCraft Shadow Protect. This type of solution provides complete management of backup jobs, storage locations, status reporting, and rapid recovery in the event of a disaster or server failure. Additional software features allow for granular recovery of a single file or mail message, and can be used to migrate a complete system from old hardware to new.

What resources are available in the US for businesses to be better prepared when disaster strikes? JH: There are a number of good (and free) resources available to help small businesses prepare for a disaster. We’ve listed a few of our favorites below:

• Contingency Now www.contingencynow.com

• Agility Recovery & SBA www.preparemybusiness.org

• Small Business Administration (SBA) www.sba.gov

• Federal Emergency Management Agency (FEMA) www.ready.gov/business

Medium and large businesses should consider consulting an IT Disaster Recovery Expert or Business Continuity Planner for assistance. Although the upfront cost can be a little intimidating, chances are the fees are much less than lost revenue from a single day of lost productivity.

Are you currently using or planning to use Cloud computing as a disaster recovery resource? JH: We strongly believe in the benefits of Cloud computing, and recommend the platform for businesses with larger technology budgets, high availability requirements, or rapid scalability needs. Unfortunately, the ROI for this technology is often >2 years, which can be difficult for many small businesses.

ITDRC is currently seeking a strategic partner to help us test and evaluate the benefits of utilizing a cloud computing platform for our disaster recovery operations.

ABY RAO

Aby Rao has several years’ experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Database. He is skilled at planning and leading all phases of Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.

SOCIAL MEDIA

Please tell us about yourself. Jay McBain: I am an accomplished speaker, author and innovator in the IT industry. Named to the Top 40 Under Forty list by the Business Review, Top 25 Newsmaker by CDN Magazine, Top 100 Most Respected Thought Leader by Vertical Systems Reseller Magazine, member of Global Power 150 by SMB Magazine, as well as Top 250 Global Managed Services Executives by MSPmentor. I am often sought out for keynotes, industry guidance, as well as business development opportunities.

I currently serve as Co-Chair of the CompTIA Vendor Advisory Council and Vice Chair of MSP Partners Community. I am also a board member of the Channel Vanguard Council, Ziff Davis Leadership Council, CRN Channel Intelligence Council and STEP – Sustainable Technology Environments Program with InfoComm.

I have spent my 18 year career in various Executive sales, marketing and strategy roles within IBM, Lenovo and Autotask. I am currently the co-founder of a new software company called ChannelEyes. It is the first free and secure social network for Suppliers and their Channel Partners to use every day.

As a futurist, and long standing member of the World Future Society, I am an expert in Pervasive Computing which is the study of future computing models and the resulting impact on society, as well as Managed Services, Healthcare IT, Voice over IP and Cloud Computing.

I have lived in Calgary, Winnipeg, Toronto, Raleigh, and now in Albany, New York. I actively give back to the community and have been on the board of the United Way, Models for Charity and Junior Achievement.

You own a company called ChannelEyes. Tell us more about your company. JM: ChannelEyes is the first free and secure, social network for Vendors and their Channel Partners to use every day. It’s kind of like Facebook, but instead of friends – it’s a filtered group of Vendor feeds on a Social Wall.

Channel Partners will have a single place to see a snapshot of new channel information every day. You’ll cut through the noise and clutter because you control who you follow, filter the relevant information and build social conversations around it.

Vendors, manufacturers and distributors of all types will have a single place to engage with your entire channel, targeting the right person with the right information at the right time. The net result is better engagement, sell-through, and access to potential new partners.

ChannelEyes is a ridiculously simple way to organize your business partnerships, saving time and allowing you to take advantage of timely information.

Interview with Jay McBain

Jay McBain managed the SMB Channel for IBM and Lenovo. He is an accomplished speaker, author and innovator in the IT industry. Named to the Top 40 Under Forty list by the Business Review, Top 25 Newsmaker by CDN Magazine, Top 100 Most Respected Thought Leader by Vertical Systems Reseller Magazine, member of Global Power 150 by SMB Magazine, as well as Top 250 Global Managed Services Executives by MSPmentor.


You have worked for some high-profile companies in the past, what made you start your own company? JM: Working for 17 years at IBM and Lenovo taught me a lot about the IT Channel and the challenges they face in keeping up to date and communicating with their vendors, manufacturers and distributors. I was always entrepreneurial, even inside large organizations, and starting ChannelEyes gave me the opportunity to pursue a passion.

You serve on several committees such as CompTIA Vendor Advisory Council and MSP Partners Community. What are some of your responsibilities in those capacities? JM: The CompTIA Vendor Advisory Council includes representatives from 15 of the industry’s top technology hardware manufacturers and software vendors giving guidance on where CompTIA can reinvest its resources in policies, practices and programs that can help all channel players achieve their financial and growth goals.

Among the goals of the council:

• Validate and support the development of educational programs designed exclusively for IT channel professionals.

• Validate and support the adoption of industry recognized organizational credentials for IT partners in the disciplines of vertical markets, business models, technologies and business management acumen.

• Advocate on behalf of the IT industry through CompTIA’s Public Advocacy and political action committee initiatives.

• Support the philanthropic initiatives of the CompTIA Educational Foundation.

The CompTIA MSP Partners Community focuses on the creation of industry standards and resources to improve managed services marketing and delivery. The group was created to provide networking opportunities among thought leaders, develop managed IT services-specific programs and tools, and generate member-driven initiatives.

You are also the Chief Social Officer at ChannelEyes, what is a Chief Social officer? JM: Chief Social Officer is a role that includes marketing, sales and business development. Running a social media platform means communicating through dozens of channels across the industry and engaging with hundreds of the top influencers and connectors.

Mobile devices such as iPad are being used to access sensitive Electronic Health Records. What are some of the high-level security challenges you anticipate in that arena? JM: Some of the early limitations of tablets included lack of security, manageability and compatibility. Newer devices have improved and now offer PKI authentication certificates, biometrics and remote wipe capabilities, making them acceptable to many health organizations. One lesser known limitation is if the device is subject to a legal hold – the health organization is in a legal dispute of some kind – the end user will lose the device for an extended and unpredictable amount of time.

The story isn’t just about integrating and managing tablets from the consumer market. Industry experts as well as futurists are calling for more devices, perhaps dozens per individual, gaining access to each medical office.

The consumerization of IT also isn’t just about hardware – we are at the beginning of another interesting trend: BYOA – Bring Your Own App. Some have predicted that the explosion of over 1 million apps may spell the end of the traditional desktop internet. While that is likely premature, apps could provide some real advantages in the healthcare industry including cutting down on training time, allowing health professionals to feel more invested, and replacing costly software licensing with cheaper apps.

However, there are several issues with BYOA including:

• Compliance and regulations with regards to HIPAA, HITECH and others

• Security of the data on public clouds and intermixing with consumer data

• Portability of the output – getting the data back if something happens to company

• Information fragmentation – decentralized data across hundreds of data centers and apps

You have come up with an innovative approach called the “Dandelion Marketing”. Can you please elaborate on that? JM: Most of us sat through Marketing 101 learning the legacy model above. The main objective of traditional marketing training is choosing 2-3 “big” ideas and then hitting a homerun in the marketplace. Careers were made on the back of big sports marketing plays or the agency campaign that turned the corner for the company.

I have never been a fan of black or white rhetoric when predicting future trends. The traditional media vehicles have been, continue to be, and will in the future be very important for delivering results. TV, radio, magazines, billboards and the like will always have a key place in the marketing plan, especially when you consider demographics. Also, a celebrity corporate spokesperson who can connect with a targeted audience and who you can build a brand on will likely grow in importance in upcoming years.

The change is happening at the grass roots level. We are being taught by newer, younger companies that have neither the budget nor, in some cases, the traditional training to adhere to the past principles of going “big” on a few ideas.

The Dandelion is a popular concept where survival is based on wide and effective dispersion of seeds into the ecosystem. Knowing that most seeds will fail to plant, quantity is preferred over quality. With today’s overwhelming amount of information coming in all directions, it is fair to say that most messages will fail to plant as well?

You are heavily involved in social media, can you tell us more about Lifestreaming? JM: One of the interesting concepts coming in Web 3.0 will be something called “lifestreaming”. The term was coined by Eric Freeman and David Gelernter at Yale University in the mid-90’s. It is basically a time-ordered stream of documents and electronic media that functions as a diary of your life.

Personally, I have been using Quicken (or its predecessors), scanning all of my papers, and categorizing all of my digital pictures since I was in elementary school. It has become a huge directory tree of tens of thousands of documents sorted by year and month, chronicling my life day by day. The ability to look back and find where and when I spent money, including scanned receipts, and digital pictures allows me to triangulate every day of my life, both personally as well as professionally.

Perhaps a negative effect is that I have become a “go to” guy for finding old documents. It goes something like: “Hey Jay, remember that Gartner study from 1994 on total cost of ownership?” As the years have passed, I have added different technologies to the stream. For example, voicemails, instant messages, Facebook, Twitter, LinkedIn and other information is now included.

As a professional, how can one build Personal Brand using social media? JM: Building a personal brand is key in today’s “flat” world. Social media is one of the tools that blend with a more physical presence through local communities, charities, industry events, associations and peer groups. Social media can build large, targeted virtual peer networks and has an ability to amplify thought leadership more than any medium in the past.

How can small business and non-profits benefit from social media? JM: Social media is an addition to the toolkit – not something new and different. Small businesses need to focus on making a good product/service, marketing and distributing it effectively, and then supporting the customer. Social Media can add to all of these core pieces if used effectively. It may be free (or nearly free) but the opportunity costs must be carefully weighed before investing precious resource into it.

Cloud computing is here to stay, what are your experiences in that domain. JM: I have spoken as a futurist for over 15 years on the idea of pervasive computing – a world where connectivity is ubiquitous, each person owns 20 or more computer devices and the network serves and stores content and value. The cloud is the coming together of this trifecta and will change IT businesses from a technology and business model perspective. While it will take 10 years to fully realize the power of these new opportunities as we move through the adoption curve and legacy systems, people will look back and see this time as more revolutionary than the introduction of the PC in the late 70’s.

Can you tell us about various tools and technologies which could help grow ones IT Business? JM: IT businesses, like all businesses, need to focus on making a good product/service, marketing and distributing it effectively, and then supporting the customer. Investing in products that make these activities more automated, efficient and cost effective are the place to start. Social Media can add to all of these core pieces if used effectively. ChannelEyes, for example, was developed to reduce information overload from emails, portals and newsletters and place it all on a single wall – filtered by who you want to hear from and the type of information you want to see.

How important is professional networking and can you offer us some tips for networking within our professional community? JM: I have spent a lot of time in my career studying industry communities and came to an interesting epiphany about how communities work. Gartner Group conducted an interesting research piece in 2009 where peer networking, associations and communities are the highest ranked ways that small and medium businesses learn, form opinions, and in the end, make decisions.

IDC reported the same finding when they were digging into Healthcare earlier this year. In fact, 4 of the top 5 reported resources for Electronic Medical Record (EMR) selection criteria involve associations, affiliates, colleagues, and buying groups.

With the abundance of information at our fingertips, why do people choose communities? JM: Business has always been transacted with some level of personal interaction. With the rise of e-commerce in the late 90’s and now with Cloud Computing growing in popularity, it will be interesting if this remains true in the future.

During this time of growing “electronic ubiquity”, the need for trusted and expert sources of information has increased significantly. The amount of competitive choices for products and services, combined with vast information on the internet and endless buzz through social media, has created a scenario where cutting through the “white noise” has become one of the most important skills as we enter the 10’s.

Communities offer a smaller group of like-minded people (perhaps even competitors), sharing similar experiences and challenges, the ability to collaborate and improve decision making. The feeling of belonging is strong, as well as the affinity of membership. There is a feeling that communities are more democratic as they are built by the membership, and participation is encouraged and celebrated.

Who starts these communities? JM: Tracing back some of the more popular communities to the beginning, the following sources are evident:

Connectors

Malcolm Gladwell does a great job of explaining the concept of connectors in the Tipping Point. These are people that you would recognize, even dating back to grade school, that seem to be the center of the universe. Another way you can recognize connectors is in a place like Facebook. You seek out this person, and they are 1 degree of separation from everyone in your school, company, neighborhood, etc. In the business world, many connectors have translated this skill into organizing and building a strong following. They have also recognized that vendors will pay top dollar to participate in these already established communities. There is also a feeling by these connectors of altruism, or “giving back” to the industry or geography where they do business. You may think that connectors are the most extroverted and charismatic people, but in reality, not always.

Industry verticals

Several communities start as a result of a new technology or sub-industry. An example in the IT industry is Virtualization, Cloud Computing, Electronic Health Records or Managed Services. When the needs of a group are not being met by larger or non-related peer groups, new ones form organically from members as they branch out.

Traditional Media

Trade magazines and event promoters have been quick to recognize the communities trend, and have formed powerful groups under their trusted brand. Having a strong subscription or attendee following makes the transition to community a logical step for these organizations.

New Media – Social Media

The fastest growth of communities has occurred with the explosion of social media. Whether Twitter, Facebook, Linkedin, or the dozens of other purpose built community tools, the cost and complexity to start a community is approaching zero. Many connectors started as bloggers who have built a loyal and passionate following. Many bloggers have evolved into community leaders.

Distributors and vendors

The fact is that some companies get it and some don’t. Several organizations now recognize communities and have built organizations around community marketing. It is not uncommon to hear Chief Community Officer in marketing circles. Organizing a community goes far beyond marketing and advertising however, with product development, pricing and programs all tightly connected.

How do these communities interact with their followers? JM: A dizzying array of new marketing vehicles have popped up in recent years. Traditional media such as magazines and events are very important in communicating to a community, but new media allows innovative ways to extend and enhance the message. From webinars, podcasts, vodcasts, blogs, tweets, Linkedin groups, to virtual trade shows, community groups are using as many as 30 different marketing vehicles to be pervasive within the group.

The challenge with these marketing vehicles is different than in the past. The main inhibitor to effectively marketing was money, today it is effective content and delivery. Many of the vehicles I mentioned above are free or cost very little compared with traditional media. Keeping content fresh, abundant and delivered daily takes resourcing beyond the marketing department.

Media savvy Executives who can keynote an event, tweet about it offstage, promote the message to the media gathered, and then write a blog about it later on is the new model for the future. Messaging that would have required triple-checking through legal a few years ago, needs to be just-in-time and delivered on a daily cadence. I have a mantra that is “be visible everyday”.

Finally, community members have very effective personal spam filters. Anything that doesn’t add value to the community will be rejected and have a negative result for the organization delivering. The old days of PowerPoints and product spec slides don’t cut it.

Why are communities important? JM: Beyond the human requirements of personal interaction and belonging, communities provide tangible benefits to all involved. Unfiltered information based on common experience will always trump random white papers and case studies posted on the internet. The give/get relationships within a community inspire openness and, in most of the communities I have seen, a level of bluntness that is refreshing.

Some key advantages of communities:

• Cost of entry low as compared to traditional media and other marketing opportunities. Very much a “grass roots” feeling.

• Ability to communicate and receive value is high. Tons of touch points, combined with a high degree of passion.

• Trusted source – community members have likely experienced your challenges, or will shortly. The feeling you can “steal with pride” best practices and contribute your own successes.

• Ability to enter new markets or industries. Opportunities to network, build like-minded connections and potentially drive business development opportunities.

• Credibility that comes with “member of” status. Make the affiliations and partnerships that make your organization seem larger and more connected. Getting published or quoted as an expert or thought leader is invaluable for your organization and personal brands.

Finally, what is the future of communities? JM: Based on the data from analysts, combined with the relentless growth of information available across the internet and the behavioral habits of people, it is difficult to predict a slowdown in the growth of communities in business. Exponential growth, in fact. Specialization will continue to expand as well, driving more need for these groups and subgroups. There is an upper limit to the size of a community where the point of diminishing returns kicks in. The point at where coordination of the group and the generality of messaging outweigh the benefits listed above. Smart communities will organize sub-groups before the fringe members go off and launch a competing community.

Do you like to travel? What are some of your favorite destinations? JM: I love to travel. In addition to the 50 or so industry events I attend each year, I am on a mission to visit 100 countries. I leave for Russia and 6 neighboring countries in just over a month which will put me at 57 on the journey to 100! Here is the story:

How did it begin? Simple. “The Bucket List”. Yes, the 2007 movie, starring Jack Nicholson and Morgan Freeman (http://www.imdb.com/title/tt0825232/) was the inspiration. I, like I suspect many others, had a goal to visit much of the world but no real plan to do it. The gentle reminder that every day is precious and waiting till retirement age is risky:

• Potential for health issues

• Lack of energy

• Getting limited (and censored) through “tours”

Why 100 Countries? Again, simple. Round number. Actually, it was a bit more complicated… I wanted it to be remarkable, challenging, but yet attainable. Knowing that dozens of countries are in perpetual war (civil or otherwise), and others were small islands spread around the world, I chose a round number representing half. By the way, the United Nations recognizes 192 countries, and the US State Department recognizes 194. The debate over places like Vatican City, Kosovo, and Taiwan make the number go up or down but the general consensus is 195 countries in the world today (2010). The Unofficial Rules of the Tour (#1 rule is that there are no rules):

• 8 days per trip – not work related travel. Leave on a Friday, return on a Sunday – only miss one week of work each time.

• Every June and December (try to catch summer wherever I go north or south)

• Book flight three months ahead, use Google Maps to determine path and transportation type between countries, and start locking in details the week of the trip.

• Process inside each major city is to park 10 miles outside of downtown and strap on Rollerblades (actually Mission inline skates to be exact) and skate up and down each street one by one. The skating is efficient and effective even in heavily crowded areas. I can travel about the speed of a bicycle meaning a good 4-5 hours will cover a large city and 30+ miles.

• High degree of flexibility including sometimes driving at night, catching a nap in the car or staying in a luxury hotel – all somewhat random and in the moment.


How to choose Countries? A few times I have literally spun a globe and booked a flight where my finger stopped (China). Sometimes it is educational and theme based (tracing back WWII from Auschwitz back to Berlin). Other times it is centered around major events (watching World Cup soccer from home countries of Argentina and Brazil) and then going to the actual site later (Johannesburg).

The randomness is what drives some of the fun. I eat 100% local to the country I am in – usually off the beaten (tourist) path and likely in some back alley somewhere. I don’t speak any languages outside of English so it usually consists of a bunch of pointing and sheepish grins.

What is the Endgame? The question I am asked most often is: How can you enjoy the travel and suck in local culture when you are dashing through countries almost daily?

Two answers:

• Rollerblading means that I cover more of a city than most people who stay for days and stick with “Top 10” tourist sites

• I am keeping a “best of” list and will go back after the tour (perhaps in retirement) and spend quality time in the chosen places.

At the current pace, I will likely be done 100 countries by the time I am 50 – leaving lots of time to go back and explore deeper.

What next?

Another bucket list item is to one day sail the blue ocean and perhaps approach these countries in a different fashion – as a mariner.

ABY RAO

Aby Rao has several years’ experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.

IT SECURITY

You have more than 20 years of experience in IT, please tell us about your professional background in IT Security.

Raj Goel: I had my first IT consulting client at age 13, first business card at 16, and have been consulting ever since. In 1997, a large Health Insurance company in the US asked me to help them understand something called HIPAA. We had no idea what HIPAA was, nor did they – however, the client’s management knew that this proposed law needed to be understood, if the health portal project we were working on was going to succeed.

I learned what I could about the proposed legislation, and delved into the HIPAA Security standards. That led me to becoming a CISSP, and gaining a real understanding of how ISO27001, HIPAA, PCI-DSS, and other data security and privacy standards are related.

My first presentation on HIPAA compliance was in October 2001 – a month after 9/11. Since then, I have led, or conducted over 150 seminars, webinars and full-day conferences. I have also been published in INFOSECURITY Magazine, quoted in CSO Online, and appeared on TV on the Geraldo Show and PBS TV.

To date, I have delivered CLEs to over 3000 attorneys, approximately 1500 accountants/CPAs and thousands of CISSPs world-wide.

In short, I have been in IT for over 25 years, and IT security for 15+ years.

Interview with Raj Goel

Raj Goel, CISSP, is an IT and information security expert with over 20 years of experience developing security solutions for the banking, financial services, health care, and pharmaceutical industries. He is a well-known authority on regulations and compliance issues. Raj has presented at information security conferences across the USA and Canada. He is a regular speaker on PCI-DSS, HIPAA, Sarbanes-Oxley, and other technology and business issues, and he has addressed a diverse audience of technologists, policy-makers, front-line workers, and corporate executives. Raj works with Small-to-Medium Businesses (SMBs 10-200 employees) to grow their revenues and profitability. He also works with hospitals and regional medical centers across the Northeast (NY, Vermont, New Hampshire, Maine, Pennsylvania) in helping them meet HIPAA compliance requirements and utilizing Health Information Systems (HIS) effectively. You can contact him at [email protected].

Please tell us about your company, services you offer and organizational growth in the past few years.

RG: I co-founded Brainlink International, Inc., with my wife, in 1994. We offer three sets of services:

• Managed IT support for Small Businesses (5-100 employees) in Manhattan, NYC.

• HIPAA, PCI-DSS and IT security audits across the USA to Hospitals, Medical Groups and Level 3 and Level 2 PCI merchants.

• Cyberforensics – data acquisition and evidence analysis to Matrimonial and Criminal Defense attorneys in NYC.

Managed IT is the fastest growing segment of the business and IT security compliance audits are holding steady. There is also a growing interest in CyberForensics from the attorneys.

You have presented to several C-level executives. What are some of their concerns related to IT Security and what is their approach towards organizational risk mitigation?

RG: That is a broad question. At a very high level, CEOs and CFOs are primarily concerned with lowering costs and increasing revenues. IT security does not really matter to them – I have met with very few CEOs or CFOs who actively seek out IT compliance or IT audit services. If they could avoid them, they would – with the exception of Sarbanes-Oxley (SOX) compliance – which is the only regulation that has captured their attention and budgets.

The CIOs/CPOs/CSOs are more focused on becoming compliant and usually, their biggest concern is managing the conflicting standards and regulations. In some cases, the standard is poorly worded (e.g. PCI) or their realities do not mesh with the law (e.g. HIPAA).

For example, HIPAA requires that all systems be patched and updated. Contracts with vendors require that the hospital cannot update or apply Windows patches to MRI or XRAY machines without voiding warranty. That is still a challenge.

The other challenge is that HIPAA requires disaster recovery and standard DR is expensive. A LOT of cloud providers are selling their services as HIPAA-compliant, without really understanding (or intentionally ignoring) what impact ECPA and the Patriot Act have on HIPAA/PCI/GLBA compliance.

Since you do a lot of work in the New York City area, I am sure your international readers are curious to know if you are willing to take on any international assignments?

RG: Depending on the jurisdiction and the laws involved, yes, we are willing to take on international assignments. Acceptance of non-US assignments depends on current geopolitical issues, laws involved, and cultural issues. The biggest challenge we help clients deal with is the internal cultural issues: the corporate culture, local community standards, etc. So, before I accept an assignment, I take steps to understand the culture I will be stepping into.

What tips would you offer to young adolescents to protect their identity online?

RG: That is a great question. How should adolescents protect their identity online?

a) AVOID Social Media – Facebook, Twitter, etc. Consume the content, if you want, but do NOT create profiles, or posts online. If you do create profiles on social media, limit the information that you post about yourself and your profile information. Do not provide too much information that someone can use against you. Remember that what you post in social media applications cannot be removed and will be available forever for people to read.

• Learn the risks that going online creates – you can see my video at www.Brainlink.com/blog/what-to-teach-your-kids-employees-and-interns-about-social-media/ or on YouTube.

• Read/understand as much as you can that privacy is eroding fast and it is not in Facebook, Google, Match.com, your mobile phone company, your ISP, your employer OR your government’s interest to protect it. It is YOUR privacy, it is YOUR identity, and only YOU can protect it.

b) Avoid using online dating sites.

c) Use common (or uncommon) sense – never EMAIL, SMS, POST or TWEET anything that you would not want to defend in court.

d) If you break laws (speeding, underage drinking, engaging in political or social protests, etc.), DO NOT brag about it.

e) Choose your friends carefully – in real life, and online. Not everyone who wants to friend you is a real friend and they could be opportunists, predators, robots, law enforcement or criminals.

Small and medium size health organizations find HIPAA/HITECH compliance requirements overwhelming. How do you help them in that domain?

RG: Everyone finds HIPAA/HITECH daunting – from the smallest to the largest. I assist clients in understanding why HIPAA/HITECH matters to them, why it is important to comply and most importantly, how we can INCREASE PROFITABILITY by becoming compliant.


That is the angle most consultants, IT professionals and businesses overlook. Compliance can lead to greater profits.

During your interaction with Attorneys and accountants, what were some of the cyber-security areas they were interested in?

RG: More and more, attorneys are concerned about digital evidence and cyber-forensics. Other than that, their interest in cybersecurity is pretty minimal. Getting better Google ranking, more business through LinkedIn, and more friends on Facebook – that attracts their interest – not cyber-security.

Social media has its own benefits, but privacy can be a bit of a concern. What steps can individuals take to protect their civil liberties and privacy?

RG: That is too big of a question to answer. See the short answer above and then watch my video at http://www.Brainlink.com/blog/what-to-teach-your-kids-employees-and-interns-about-social-media/, read the articles at http://www.brainlink.com/category/articles/ and then we can talk.

In the US, the Federal Trade Commission plays a vital role as an investigator of privacy and security breaches. What should IT Security professionals be aware of with respect to the FTC’s role in security?

RG: The FTC is not an investigator in the traditional sense – they have become the guardians of consumer privacy in the US. I recommend watching the several webinars and presentations I have done on LESSONS LEARNED FROM THE FTC at http://www.rajgoel.com/lessons-learned-from-the-ftc-federal-trade-commission to get a better idea.

What are your thoughts on SOPA, PIPA and ACTA legislation from a consumer perspective? Will consumer privacy and security be safeguarded due to this legislation?

RG: SOPA, PIPA, ACTA do NOT protect consumer privacy. These laws are bought-and-paid for by the RIAA and the MPAA to protect their business model and profits in a dying industry. It is like horse-buggy manufacturers passing laws that limit vehicles to no more than 20 MPH/30Kph.

As a consultant and prolific speaker, effective time management must be an important aspect of your life. Any tips on how you go about juggling various roles?

RG: Learn Time Management! I have taken courses at Landmark Education, read the 4-hour Work Week and Getting Things Done, and received personalized coaching that has helped me build and maintain my priorities.

How do you keep yourself up-to-date with the latest developments in IT? What are some of your information sources?

RG: Slashdot.org, TheRegister.co.uk, various industry journals and constant reading are how I keep up to date. In all my presentations, I use publicly disclosed data, and integrate disparate events and incidents into a coherent narrative.

Who are some of your role models in personal and professional life?

RG: Marcus Ranum, Bruce Schneier and Howard Schmidt are my personal cybersec heroes.

ABY RAO

Aby Rao has several years’ experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.

Sense of Security: Compliance, Protection and Quality, Integrity, Teamwork, Innovation, Passion

Now Hiring – [email protected]

Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally.

Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to [email protected] and quote reference PTM-TS-12.

KNOW-HOW

10 ways to enhance your career in Information Security

At first glance, this may look like one of those self-help articles promising that your life will turn around 360 degrees if you follow the advice offered. Sadly, I am making no such promises. It could very well be 30 or 50 ways to enhance your career, but I have limited it to 10, based on my personal experiences.

This article is primarily targeted towards people who are at entry-level positions, or are making a switch to IT Security from a different field of work. Experienced professionals shouldn’t have a problem running through the list fairly quickly.

Hands-on skills are invaluable. It doesn’t matter if it’s paid or pro-bono work

As you might have heard a million times before from various pros in the industry – there is no alternative to gaining hands-on industry experience. Even a few hours spent on a project will hold more value than unlimited lab experiments. Project-based work can take you a long way and add credibility to your resume. People who transition to security from other closely associated fields, like system or network administration, physical security, disaster recovery planning, and programming, often get a chance to be intimately involved in security. Grab any such opportunities and make the most out of them. For example, a software programmer might consider ways in which he/she can embed a robust security framework in their software development life cycle. For those individuals who are completely new to the industry, you can prove yourself by taking on some small-scale projects, even if it means you have to work for free. One place to gain some valuable experience is to connect with local non-profit organizations and see if you can help them harden their machines, or provide assistance with their anti-virus or firewall configuration. If you are a rockstar, you might just end up creating a part-time or consulting gig at the organization.

Get a certification or two

I have noticed a perpetual “hoopla” on the topic of industry-recognized certifications, such as CISSP, CISM, CEH etc. A few pros have even criticized the purpose of these certifications. I understand their sentiment and point-of-view, but if you notice any security job opening, you will see these certifications listed more often than not. If you are someone who doesn’t believe that a 4-6 hour exam can judge your skills, then try something different, such as the OSCP (24 hour hands-on exam) or any of the open-book SANS exams. While you are studying for any exam, I would recommend that you create a home “lab” and experiment with what you learn, as well as attend seminars, network with other professionals, read white papers, and participate in mailing lists/forums etc. All of these activities done together will help you be a well-rounded and confident professional.

Volunteer whenever you get a chance

There are hundreds of security conferences organized all over the world. In addition, you can volunteer at local events organized by ISSA, OWASP, ISACA, ASIS, HTCIA, IAPP etc. Although you will require membership in these organizations, it may be worthwhile to attend a couple of their sessions to see how much they value their volunteers and organizers. Volunteering is a great way to make new friends in the profession and learn about their career path. A few volunteering positions also offer you a platform to exhibit your leadership and public-speaking skills. Most importantly, volunteering demonstrates your keenness to be a part of the community and contribute to the success of the profession.

Attend at least one conference a year, big or small – it’s worth it

Security conferences are held all over the world. Some of the security conferences bring together the best of all the talent that’s out there. It’s a perfect place to meet these professionals and strike up a dialogue with them. If you are the adventurous kind, you can sign up for events such as Lock Picking, Capture the Flag, etc. Often conferences also open up the floor to various product vendors and companies who are hiring. Many people spend time during session breaks talking to various companies to learn about the latest trends and technologies. If you prefer to do less interaction and more learning, you can attend the sessions, or walk over to the booths where they sell the latest security books. If you are lucky, the authors of the books may be there for a book signing. Overall, it is a good place to explore your career options. If BlackHat and HackerHalted are beyond your budget, then look at local conferences. Usually conferences organized by the local ISSA chapter or *con conferences, such as ShmooCon or CarolinaCon, are good options as well.

Consider obtaining formal education or an advanced degree

I have noticed that several professionals in the industry go back to college or a university to receive formal education. Research in the US has indicated that typical college graduates earn about 73 percent more than typical high school graduates, and those with advanced degrees earn significantly more than high school graduates. Some may argue this point, while others may not have the resources or inclination to go back to college. In any case, a formal degree may open new doors and potentially put you in a better position for a promotion or raise. If you are the entrepreneurial kind, then an MBA will enable you to network with like-minded people and incubator programs at various universities may even kickstart your business.

Find a mentor

This is such an important step in anyone’s career. I refer to mentors as SWOTers. At an informal level, they are the best people to offer you advice, suggestions and guidance related to your Strengths, Weaknesses, Opportunities and Threats. The most important elements in a mentor/mentee relationship are honesty and trust. You can find a mentor at work, conferences, local chapters, or even through other connections, including neighbors or the friend of a friend. Feel free to have more than one mentor, as there is nothing stopping you from doing this. You will really gain quite a bit if you find someone with several years of experience in your field of interest. Often, your workplace will promote a mentorship program. I cannot stress enough how much this can help your career.

Talk to recruiters at regular intervals

This may sound silly at first, especially if you already have a job with which you are fairly happy. Recruiters are resourceful for four main reasons: 1) They can provide you with invaluable market information; 2) They can give you a sense of what the industry needs are in terms of skillset; 3) They are good at critiquing resumes; 4) They can analyze your background and estimate your market value in terms of compensation and benefits. Talking to recruiters will help you negotiate a raise/promotion at your next performance review. Sites like Linkedin, Salary.com and Glassdoor are other supplementary resources you might want to consider checking. Along similar lines, if your company has an approachable HR team, take your HR manager to lunch and discuss various cross-functional opportunities within your company.

Don’t be an expert, yet

“Yet” is the keyword in the above-mentioned phrase. Many of you may aspire to be an ace pentester, or a top-class malware analyst, but don’t forget that it takes several years of training and experience to get there. Information Security is such a vast sphere of work, that calling yourself an expert early on in your career is not just foolish, but also sets yourself up for failure. If you are new, take your time and learn the landscape first. Involve yourself in various types of projects, this way you will know your strengths and weaknesses. Once you feel confident and passionate about a certain field, then you can start your journey in that direction. I have talked to a few people who thought PenTesting is “cool” because they can claim to be “ethical hackers.” Due to their fascination with the title and not the job profile, they quit their job even before they completed their first Metasploit exploit.

Read and explore

Blogs, forums and mailing lists have been such a boon to the technical community. Each time we come across a technical term, or need assistance troubleshooting an issue, we turn to the internet. Similarly, subscribing to various blogs, via an RSS reader, brings vast amounts of information right in front of you. Knowing key players and their opinions will give you an advantage, especially during interviews. On more than one occasion, I have been asked what security blogs I subscribe to, and was lucky to be able to have an answer for them. Some of the blogs I would recommend are: Anton Chuvakin’s Security Warrior, Dark Reading, Jeremiah Grossman, McAfee Labs, OWASP, various SANS blogs, Schneier on Security, Social-engineer and Ethical Hacker Network. Following experts on twitter is another good way of receiving bite-sized information.

Make security a part of your life

I have observed that people who are successful in any profession are generally passionate about their line of work. In our context, such people see security embedded in every element of their life. Purely out of curiosity, they will tinker around with technology, and during the process, will discover something new that fuels their curious mind. These people don’t count the hours they spend hacking their cellphone or reviewing code because they are experiencing “flow.” If you are keen to read how some people manage to work for many hours without any breaks or distractions, I would recommend the book titled Flow: The Psychology of Optimal Experience by Mihály Csíkszentmihályi. Security is not a profession, but a lifestyle.

There is nothing divine about the list mentioned above. As a matter of fact, anyone with a few years of experience may find this list trivial. What this list offers is a chance to be introspective about your career and gauge where you stand, what needs to be achieved, and possible next steps. Feel free to reach out to me if you have any questions or comments. Good luck with your career!

ABY RAO

Aby Rao has several years’ experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.

In the next issue of PenTest Market

If you would like to contact the PenTest team, just send an email to [email protected] or [email protected]. We will reply a.s.a.p.

Available to download on May 15th

Soon in PenTest Market!

• Qatar CIRT team talk about IT Security

• Interview with Tal Argoni

• IT Security and a specialist recruiter’s point of view

• Interview with Alexandro Fernandez

• Pentesting business startup

and more...