October 2, 2007
- 1. Jim, what attracted you to the Internet Security field?
I started working in this industry as a developer writing C++ code for a network management application. This was in 1990 which put it before the Internet became part of our daily lives. At the time, there were no such things as web sites, but we had an Internet connection (a T-1 as I recall, which was a lot of bandwidth when all you had was a 14.4 Mb/s modem connection at home). We had a pretty active bunch of developers using USENET news and email to peers and researchers.
At the time, no one thought much about security. It was a UNIX development shop and we all had root on our SunOS workstations. In fact, we all regularly used host-based authentication (.rhosts files) and NFS mounted home directories, so it was fairly easy to run whatever we wanted on other folks' systems. This all went along pretty well. We even used NFS for our source control system. That is, until someone discovered that the combination of NFS and individual root access gave anyone the ability to do whatever they wanted within the source code repository.
Long story short, we had an incident. Actually a series of them where backups would fail unexpectedly, builds would fail, etc. The one that finally caught people's attention was when the nightly backups failed and the next day the source code tree had been deleted. My boss hired an outside contractor to come in and do a security review. For some reason, she asked me to work with him so that once he left, we would have some knowledge left in-house. This was the first time I even thought about things like permissions, user or group IDs, much less a 'firewall'. (You see, at that time, when you exported NFS to the world, it *really was* to the world.)
At this point I transitioned from a development role to being a system administrator for our 'porting effort' which forced me to learn about six different flavors of UNIX. I went to a number of events put on by SAGE, LISA and USENIX and was lucky enough to meet some of the early experts in computer security. I attended one of the initial presentations by Gene Kim and Gene Spafford about tripwire, and I met Phil Zimmermann during the period where PGP was considered munitions and he was asked to kindly testify to our government about how it may have 'leaked' outside our borders. I guess it was really meeting these folks that turned me on to the field.
- 2. Can you share how the decision was made for you to obtain GIAC Certifications and the value of such certification?
Sure. That occurred a number of years later when *I* was the outside consultant. I was an infrastructure architect, designing solutions for hosting applications on insecure networks where guaranteed availability and performance were part of our contractual obligation.
I had a pretty good background in the field by that time, but nothing formal outside my conference classes. I figured that if I was going to focus on this in my career, I really needed to both refresh my knowledge and pursue a lot more depth in security. I did some on-line research, and there was a local SANS conference in Boston coming up where I took the firewalls class from Chris Brenton. This class and the whole environment were so outstanding that I decided on the spot to continue with the program.
Speaking to the value, well that was a bit different. Initially it was a hard sell even to get my company to pay for the certifications. It was not on their approved class list, and most of them had never heard of SANS or GIAC before. But I pushed it (actually I told them I was going to pursue the classes on my own if necessary) and after the second one (GCIA with Judy Novak and yourself as two of the instructors) I was able to get them to accept the program.
I see two aspects where the certifications provide value. The external one, which is the one that 'sells' it to your company or clients, is the certifications themselves on a resume. While not many hiring managers or clients know what they are, they do know they need security expertise and it sounds impressive to hire someone with a few of them. The second aspect is the training itself. As I explained, I have had the opportunity to learn from some of the preeminent folks in the field over the past 15 or so years and the GIAC courses and instructors are absolutely among the best. To learn about packet analysis from people such as yourself and Judy or learn incident response from people like Ed Skoudis gave me the same feeling that I got by learning about sendmail from Eric Allman, or taking a Perl class with Tom Christiansen. (For those of you who don't know those names, to paraphrase a commercially successful neanderthal, "do a little research" <grin>)
- 3. Many people are wondering if a Security Certification really makes a difference. Do you feel this has helped your career?
Absolutely. The certifications themselves helped me land contracts as a consultant and were instrumental in getting me my current job, and the training helps me every single day.
- 4. Does the GIAC certification help you respond to threats better, faster or more efficiently?
Again, absolutely. I can say the courses directly apply almost daily in my work on projects internal to my company. I use the Internet Storm Center as (almost) my home page, and the value from there, coupled with the GIAC training, cannot be overestimated. Two specific examples within the past 18 months are cases that allowed us to catch and identify two pieces of "zero day" malware and deploy countermeasures before the AV vendors could respond to the threat.
- 5. Do you feel these certifications have helped your company's overall direction and bottom line?
Direction, clearly yes. One of my primary roles at my current job is incident management. When I was hired, one of my first projects was to write the response plan and I can truly say I would have been lost without the GCIH training. Last year I applied log management tools and techniques from the GCUX training to directly influence our automated alerting capacity. Currently I am working on designs that will help us in regulatory compliance.
As to the bottom line, I am not in finance, but I believe it has saved us money on several projects by providing a better design. Also, in my incident response capacity I work directly with our legal staff, and there are investigative efforts where we directly benefit because of information my partner and I (also a GIAC alum) provide.
- 6. Did you take any additional Security Certifications or will you attempt the GSE Certification?
I currently hold five GIAC certifications: GCFW, GCIA, GCIH, GCWN and GCUX. My initial intent was to pursue the GSE as a capstone of this training. Currently I am working to convince my present employer that the Masters degree at SANS.edu would be beneficial to them.
This sort of goes back to when I started in the field. I hold a BS in CS, but when I started as a developer, it took all my time and effort away from pursuing a graduate degree. It is quite unfortunate since I was very close, having completed all the coursework and only needing to finish my thesis.
But those were the heady times of the early 1990s and the Internet boom was making my company very successful. Somehow I never got back to finish the thesis. So, earning a Masters from the SANS Technology Institute is a personal goal of mine as well as being what I believe will be a more universally recognized achievement than the GSE.
- 7. Are there any plans to require new hires to have or obtain Security Certifications as a condition for employment?
Not as a condition for employment. However, we have a very strong GIAC base in our security department. Four of us hold one or more certifications and we are encouraging this training as widely as we can internally.
- 8. What are your plans for personal development in the future? Where do you think you'll be two years...five years?
As I mentioned, I plan to follow the SANS.edu course and hopefully get the Masters of Science in Information Security Engineering within the next couple years. Even once this is complete, I intend to take additional training and to maintain my existing certifications.
Where will I be in two to five years? Hopefully, still at my current employer. <grin> But, seriously, I intend to continue in the security field, applying the breadth and depth of the training and experience to make computing a bit less scary wherever I am.
<begin soapbox> Perhaps this is egotistical, or simply a fool's wish, but I feel that the Internet and the "information age" are still in their early development, roughly equivalent to an adolescent. There are many areas of promise but also many areas where things could go horribly wrong. While I have no delusions that my small contributions will make any wide changes directly, I do hope that by continuing to learn and teach the people I come in contact with, including our legislators, I can help keep some sanity in the discourse. Sharing information in general is a very good thing. Perhaps it is the best hope we have as a world to become something more than a group of self-centered, quarreling countries fighting over ideologies while many of our brothers and sisters cannot meet the simple daily needs of their families.
I guess to sum it up, my greatest hope is that by working in information security, I can help this technology make information sharing easier but the misuse of private information more difficult. </end soapbox>
Thanks for the opportunity of this interview!