December 7, 2007
My name is Fred Abell. I live in Slidell, Louisiana, just outside of New Orleans. I am a NASA contractor at the John C. Stennis Space Center (SSC) in southern Mississippi. I work at a facility testing small rocket engines and their components. I started processing data, and inherited the systems administration job when the NASA man in charge of data processing took a different position at Marshal Space Flight Center.
I was introduced to SANS when an IT security person said, "We have to harden my HP-UX systems", and he would show me how. We downloaded two papers from the SANS website and went through step by step to secure my computers. I was fascinated with what we did and began to read anything about computer security I could find.
My job at the time was a dead-end position. I had great benefits, but not a lot of experience that would allow me to move elsewhere. My wife was suggesting (strongly) that I get a masters degree in computer science, but programming is not how I want to spend the rest of my working days. My goal was to become a computer security professional. It seems to be the right decision. IT security can't be easily outsourced to someone in India or South America. One must be able to touch a network or computer to do IT security.
Currently I work for ERC Inc., a company based in Huntsville Alabama. I have worked the same job for three different companies because NASA awards a new contract every 7 - 10 years. In the past, I have tried to be sent to SANS for training, but the contract did not provide for security training. I was able to get some SA training, but security training was not on the menu at the time.
I somehow stumbled on the volunteer program while reading something somewhere. The first time I applied I was turned down. The second time I applied was for New Orleans during Mardi Gras, but logistics of driving downtown and parking all day were too much to overcome during Carnival. Being of limited finances, if I was to go to a conference further than New Orleans, I had to choose a one near a resort because my sister is a condo broker.
The first conference I attended was SANS Orlando in 2005. I wanted the Securing Unix course, but I got my second choice of Firewalls, Perimeters, and VPNs. The material was so far above me that on the second day I had to ask the instructor for help. He recommended the TCP/IP Illustrated, Volume 1, from Stevens. This book helped me understand a lot of what was being taught.
SANS was not like any other security course I've taken. Sometimes there would be a 2, 3, or 5 day course at work. The instructor would talk about patching and turning off unneeded services, but nothing about XSS or teardrop attacks.
SANS tests are not easy. You just don't show up, pay your fees, and get a cert. I struggled to pass the test. It took me two attempts, but the amount of information I learned was tremendous. My second course at SANS New Orleans 2007 was on Hacker Techniques, Exploits & Incident Handling. This course complimented the Firewall course nicely, without being repetitive. I was able to pass well enough to be a mentor, but have not had the time to participate. I hope too do so soon.
There has been a major effort at NASA to harden all aspects of IT security. I am fortunate that SSC is proactive on security. The persons in charge of IT security have attended SANS training. I was able to complete the security requirements not only for the computers I administer, but also for two other systems that needed assistance. My SANS training has given me a level of knowledge and confidence that makes me comfortable in an IT security environment. I certainly don't know everything, but I can now ask good questions.
ERC is a company that values the personal growth of its employees. My involvement as a SA who helped with the contract IT security requirements, and with my two security certifications, I was able to successfully petition ERC to reclassify my position. They recognized that my job description had significantly changed. Without the certifications, I might not have done so well.
ERC is a company that values its employees through its actions, not just words. They came to our aid after Katrina hit out area. I can call the president if I need something, and he will listen. This company is growing fast, I can see opportunities developing. The more I learn, the more I can grow with it.
The contract can now pay for some training. They offered to pay for New Orleans so I would not "have to work the door", but I asked them to pay for Orlando 2008. Orlando is going to have the Securing Unix course that I initially wanted to take. My career has left the doldrums and I have a clear path to success thanks to this program.
I will be a facilitator in New Orleans. I am looking forward to learning from the best.
Fred K. Abell Jr.
John C. Stennis Space Center, MS 39529