13 tough questions about computer security

Security novices often ask great questions, and these student queries elicit responses worth a short security course


Question 8: Is the NSA leaker a hero or a traitor?
He's a bit of both. Ultimately, he broke his NDA and many laws. He has put other people's lives at risk. He should be punished for that. The only rationale to do what he has done is if what you are revealing is illegal or unconstitutional. So far nothing he has revealed is either of those things. Nothing he has revealed is a surprise to those of us who follow the NSA.

Just read any James Bamford book. He was writing about the NSA's capabilities 25 years ago. The only new things that he revealed, to those of us who follow the NSA, are names of programs and perhaps some individual exploits.

That said, he is to be applauded for bringing the excesses of what the NSA is legally allowed to do to the public masses. I'm hoping that everyone being upset with the NSA will lead to laws being changed, so the NSA cannot legally collect everything they are already collecting. It upsets me, and others, that it took a single employee breaking the law to make the rest of the world up in arms about something we've known for years if not decades.

Question 9: We discussed the FBI takedown of the Silk Road in class and I was wondering: If the NSA has all of the access to our personal lives, why did it take the FBI three years to take them down?
Law enforcement is always slow, especially when it crosses multiple jurisdictions. It takes time to start legal projects, collect evidence, obtain warrants, and proceed. But I suspect that most of the time was spent just getting on the FBI's already busy radar. The FBI, like your own company, has a budget and a project plan each year. I bet Silk Road wasn't on the radar until enough people started complaining. Plus, many times the investigation goes on far longer than what's needed to collect evidence, as perpetrators go after bigger targets and commit more crimes, resulting in easier-to-prove court cases and longer jail sentences.

Also, the NSA and the FBI don't always share information. The NSA, for the most part, doesn't care about drug trafficking, money laundering, theft, and a lot of the other things the FBI cares about. As bad as our laws are, the NSA can't simply share what it has with other legal entities.

Question 10: I want to work in information security, first as an administrator then ultimately as a consultant. What is the best certification to pursue?
I have about 50 certifications, and I learned something new from each one of them. Each cert made me a more knowledgeable technician, and each gave me something that made me more employable. But if you're talking about which ones count the most, that's a slightly different answer: It's the certification most relevant to your potential employer or its customers.

Fortunately or unfortunately, experience counts more. Because of that, you want to pick certs that give you both credentials and real hands-on experience. I like the CompTIA stuff. It teaches a lot. But their certs are basically thought of as "base" certifications. When you earn one of those, you know the basics. Still, great to know, and you will learn something.

Personally, I'm not a huge fan of the CISSP (because it's a lousy test), but it's probably the one cert that most employers and clients like to see. I think it's because bosses and clients often have it and think it was hard, so they like to know other people they are hiring had the same hard time with it.

I'm a huge fan of anything SANS does or offers. I think the SANS courses, books, instructors, and certs teach you more hands-on experience than any of the other relative certs. When I see someone with a SANS cert, I immediately trust them. It's the security geek's CISSP. I also like the CEH and other certified auditor exams. Each has its benefits. Each teaches you something.
