You can't secure what you don't acknowledge.SM

Thursday, October 11, 2007

The industry's first patch management program?

Apparently I was ahead of my time. Way back in 1996 I wrote and sold a program called LANUP through a consulting company a buddy of mine and I ran on the side. LANUP - short for local area network update - was designed for NetWare operating systems. I wrote it out of desperation because I was administering so many NetWare servers at the time - I needed some automation. LANUP was essentially what we now call patch management programs - without all the bell and whistle "management" functions. I apparently didn't fully comprehend the value of it at the time. After all, this was waaay before the Internet took off and before OS security threats were a big problem - especially for NetWare.

Well, I recently came across the original ad I snail-mailed to potential clients at the time (K-12 school systems). Check it out:
So, a fully-patched NetWare server once per quarter for only $89! Keep in mind this was back when you had to manually download (usually from CompuServe) and install (often from floppy disk) each and every patch for the NetWare OS. In fact, LANUP ran directly off a floppy disk! It was quite fast too - I wrote it in C making native NetWare IPX calls via netx and VLM clients (remember those?). The program even had some embedded assembly language to speed things up. Woooooo. :-)

Good old LANUP... Definitely one of those "could've been a gazillionaire" moments had I pursued my idea, I suppose. Oh well, life goes on!

Monday, October 8, 2007

Are you open minded?

One thing I talk about when speaking on information security careers is something that many overlook yet it can make or break our success in this field. It's learning from others and continually educating yourself throughout your career. A lot of us in IT are pretty closed-minded. It's not just toddlers and teenagers that think they know it all - it's often ourselves and our peers. A typical mindset is that information security's the top rung of the IT ladder. Once you're here, you're officially "all-knowing". If you've been here a while and have gotten some good experience, there's certainly no need to better yourself to get to the next level.

I had this same mindset out of college. After I obtained my bachelor's degree I thought, "I now officially know everything there is to know about technology...and computers...and networks". Ha! Little did I know that I, in fact, knew very little - especially once I started attending seminars and conferences and reading what others are writing about IT and security. I realized that I'll need to constantly learn new things if I'm going to keep up - much less take things to the next level. It's a key secret to success in our field that so many people in IT overlook.

I recently gave a presentation at a local university to a group of graduating seniors outlining what it takes to succeed in information security. I had handouts with fill-in-the-blanks and encouraged everyone to email me for a copy of the slides and if they ever have any questions. Guess how many people out of the class took notes during my presentation and followed up afterwards? One. Yep, the one guy who was the most eager to learn struck me as the guy least like me when I was in school.

Be willing to learn from others. Every day there are new books, magazines, articles, and blog postings chock full of information about our field. It's conference time as well, so see which shows you can afford and get the most out of. Be it tools, techniques, policies, or general perspectives, once you open your mind to - and take the time to learn - new information, you'll be amazed at how you can enhance your career and build your expertise. I've done this in my own personal life with real estate, car racing, and more. I've simply put my head down into books, listened to audio programs while driving around, and within a very short period of time have made major improvements. It had such an impact that it inspired me to create Security On Wheels so I can help others build their expertise in this field and take their information security knowledge to the next level.

There's nothing holding you back. Read, read, and read some more. When it comes to attending security-related presentations, be the person taking notes at the front of the room. Ask questions, ask for copies of the presenter's slides, and re-read your information once you return to the office. By all means try to avoid the belief I once had that there's no need to learn new things. Being honest with yourself by admitting you may not know as much about security as you need to is not a weakness. It shows character and confidence.

It's this open-mindedness and eagerness to better oneself that separates the top people in their fields from everyone else just going through the motions in their ho-hum jobs every day.