Showing posts with label open standards. Show all posts

Monday, May 17, 2010

I am a hacker - whether I like it or not

[... and not the bad cyber criminal type.]

For the latest ITWeb Security Summit (which was amazing) I was chosen as a speaker.

I had the following challenge -

  • talk about the different InfoSec Standards available
  • do it at 3:40pm 
  • do it straight after the tea break
  • make sure that the attendees don't fall asleep
Needless to say, it took a lot of thought, but I eventually managed to keep them interested, according to some positive reports I got after the talk.

I'm not going to go into the details of the talk here, but after quite a bit of re-assessment I realised that I had basically "hacked" the standards. Hacked, in the good sense. There was no "piracy" involved (me matey) and everything was above board (and above plank).

But to keep the attendees interested in the talk I basically took the standards and applied them in ways they were just not designed to be used. And that is the true definition of hacking. 

In the past four or so years I have tried to model myself as a serious Information Security Professional. I have tried to put away the "hacking" part of me and concentrate on "working for the Man", but it seems that, without me trying, that part of my brain will find a way out.

So, I will set my aim for the next year to nurture the "hacking" side of my brain and mold it into something I can use as an Information Security Professional. 

Friday, March 2, 2007

My 2 cents - NAC and FLOSS (Part 1 - FLOSS)

Since I started my blog and subsequently joined the Security Bloggers Network (see the side panel), I have been following a number of stories posted by other blog members.

Ok, two debates on SSAATY - open source and NAC. I have my opinion on each and here goes:

Alan contends, and I agree with him to a point, that users shouldn't be concerned with the making of software (i.e. whether it is open source, commercial, closed, powered by little rodents, etc.). They should only make sure that the software does what they want it to. And I agree to a point.

However, we are security people and we deal in risks and mitigation. Using closed source software does present one with certain risks that open source software does not, and one of them is this: what happens if the product is discontinued?

I have seen companies spend millions on closed source software only to wind up with a solution that cannot be upgraded or changed. There are some programs that only run on DOS and are so closed and so important that the company lives with this outdated operating system. I'm not picking on DOS; think of all the proprietary financial systems that had to be quickly fixed or rewritten for Y2K on Unix. A proprietary system that at least has published and open standards (preferably industry-wide standards) would mitigate this risk to a point.

An example that just popped into my head is Internet Explorer. I know of an IT company that has built its entire way of working around an Intranet site. Good for them but they used IE6 specific "features" in the website and it doesn't work with IE7. Had they stuck to standards they would have no problems but they didn't.
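To make the lock-in concrete, here is an added example that is not from the original post and does not represent the company's actual intranet code (the exact IE6 features it relied on are not known). It uses the classic case of the proprietary IE event model (attachEvent) versus the W3C DOM standard (addEventListener). The two "element" objects are constructed stand-ins for browser nodes so the code runs offline, for example under Node; in a real page you would pass a DOM element instead.

```javascript
// Added example (not from the original post): vendor-specific API dependency
// versus a standards-first approach with a fallback. The element objects below
// are constructed stand-ins for browser DOM nodes so this runs outside a browser.

// Stand-in for an element that only exposes the legacy IE event model.
function makeLegacyIeElement() {
  const handlers = {};
  return {
    // IE's proprietary API: attachEvent("onclick", fn); no addEventListener.
    attachEvent(name, fn) { (handlers[name] = handlers[name] || []).push(fn); },
    fireEvent(name) { (handlers[name] || []).forEach(fn => fn({ type: name.slice(2) })); },
  };
}

// Stand-in for an element that only exposes the W3C DOM event model.
function makeStandardElement() {
  const handlers = {};
  return {
    addEventListener(type, fn) { (handlers[type] = handlers[type] || []).push(fn); },
    dispatchEvent(evt) { (handlers[evt.type] || []).forEach(fn => fn(evt)); },
  };
}

// The "IE-specific" way: hard-wired to the proprietary API. It keeps working
// only as long as the vendor keeps shipping that API.
function attachIeOnly(el, type, fn) {
  el.attachEvent("on" + type, fn);
}

// The standards-first way: use the W3C API and fall back to the legacy one only
// when the standard API is absent. Returns which path was taken.
function attachPortable(el, type, fn) {
  if (typeof el.addEventListener === "function") {
    el.addEventListener(type, fn);
    return "standard";
  }
  if (typeof el.attachEvent === "function") {
    el.attachEvent("on" + type, fn);
    return "legacy";
  }
  throw new Error("no supported event API on this element");
}

// Attaches a click handler with the given strategy, fires a click on either
// stand-in, and reports whether attaching succeeded and the handler ran.
function clickAndCheck(el, attach) {
  let ran = false;
  try {
    attach(el, "click", () => { ran = true; });
  } catch (e) {
    return { attached: false, ran: false, error: e.message };
  }
  if (typeof el.dispatchEvent === "function") el.dispatchEvent({ type: "click" });
  else el.fireEvent("onclick");
  return { attached: true, ran };
}

// Usage: the hard-wired version breaks on a standards-only element, the
// portable version works on both.
console.log(clickAndCheck(makeStandardElement(), attachIeOnly));   // attached: false
console.log(clickAndCheck(makeStandardElement(), attachPortable)); // ran: true
console.log(clickAndCheck(makeLegacyIeElement(), attachPortable)); // ran: true
```

The point is the direction of the dependency: code written against the published standard, with the vendor extension as an optional fallback, survives the vendor dropping or changing the extension; code written against the extension alone does not.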

You may argue that Open Source and Open Standards are not the same thing, but with Open Source they usually go together, whereas closed standards are usually in place to protect market share and don't work very well with Open Source software (where the standards are open as soon as the code is read and analyzed).

To Be Continued.