security, encryption, and healthcare

[Joshua Zeidner]

http://www.itbusinessedge.com/blogs/sts/index.php/2007/03/05/security-no-longer-an-outsourcing-untouchable/

-jmz


On 2/28/07, Carlos Macedo Gomes <powerofprimes at gmail.com> wrote:
> I'll throw my $0.02 on this debate of certification/degree vs hands on
> training.  I don't agree w/ everything that JMZ has said, but his
> statement about the **potential** bifurcation of the field into "web
> hacker" and "trained career engineers: and how that plays out in
> "trust in the workplace" does resound with me and what with what I've
> seen in my career.
>
> I also fear that contemporary individuals (i.e., techies)
> inadvertantly assume a certain level of long term career risk in not
> properly establishing a personal **strategy** for "professional
> training & development" and in doing so are investing too much of
> their intellectual capital into the "learning on the job" category of
> learning.  The risk with this type of learning is that it is
> susceptible to "marketplace amnesia" (at best) or "inbreeding of bad
> ideas" (at worst) created by the "hottness" of the IT sector.  This is
> true in most IT fields and very, very true in Information Security.
>
> Folks working for a long time in IT and Computer Science understand
> that the baby rarely gets thrown out with the bath water.  Take a look
> at networking protocols starting in the early 70s with Ethernet and
> follow through today to ATM on the WAN and 802.11 in radiowaves.  Like
> the venerable Moore's Law we seem to keep squeezing out more and more
> functionality out of very similar IT infrastructure of the last
> several decades.  I'm not sure if we'll ever see a change in this
> process but I'm not sure if the current marketplace passion with
> enumerate and patch (especially in IT Security) is going to get us out
> of this hole anytime soon (see #2 in the following):
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> Quick background on me:
> Information Security Specialist (full time) at a Fortune 50 organization
> Adjunct Instructor for Computer Crime and Investigations at ITT Tech
> BS Computer Engineering, '96 Texas A&M University
> MS in Information Assurance, '08 (expected) Norwich University
> ISC^2 CISSP, ISACA CISM, GIAC GCFW, GIAC GCFA
>
> All the above said, I believe that some (and possibly many) can learn
> and do learn more from hands on learning than from book learning.  I
> know I did via student jobs in college and later using what I learn
> immediately at work.  I also teach at ITT Tech part time and see the
> need for hands on education and training (especially with the
> changes/pressures in the US workforce due to challenges and
> opportunities of globalization).  Also, a couple of my best friends
> bailed early (w/ a semester or two left to graduate) on engineering
> degrees from Texas A&M in the early 90's to chase startups and they
> are very, very bright fellows still actively doing work in startups
> and consulting.  Nothing wrong with that path if you take into account
> the long-term, strategic risks I mentioned above.
>
> I think Blain Burham said it best in this interview from Vol 1 Issue 1
> of the NUJIA:
>
> <snip>
> NUJIA: How does the historical perspective affect the curriculum?
>
> Have you heard about security-aware applications? How about trusted
> databases? What is involved in developing very high assurance
> solutions?
>
> If you look at what was going on in the early days such as MULTICS in
> the early late 1960's and early 1970s, we knew a lot about this
> stuff.[8] We have suffered from a collective amnesia for about 30
> years and have forgotten a good deal of it. For instance we based
> MULTICS on a ring architecture and then 25 years later we're all
> excited about defense in depth. Sure, it's good, but it isn't new.
>
> Another interesting "new" emphasis is intrusion prevention; for
> example, we've been working on keeping bad guys out using firewalls
> and the like, but now we're looking at limiting the damage that bad
> guys can do when they get in. This is simply rediscovering the
> reference monitor. I have trouble calling an idea that's more than
> three decades old "new."
>
> I think that one of the roles of the university is to identify the
> foundational ideas that are just as serviceable now as when they were
> formulated. We have the obligation of healing the amnesia. We have to
> be sure that those foundational ideas are revisited, used and
> revitalized so that we don't miss out on fundamentals. Particularly in
> the case of information security the intervening years have, by and
> large, not brought forth knowledge, understanding, or experience that
> has improved on that foundational knowledge. Put a bit differently, we
> used to know how to do this business – and it worked. We also made
> mistakes. We need to recover that knowledge and the benefits of the
> experience of the mistakes. It appears that the university bears the
> principle responsibility for recovering and conveying this
> foundational knowledge. It certainly isn't happening in the
> marketplace.
>
> I'm concerned that much of the curriculum we're teaching is tactical –
> how to deal with the current technology and today's problems but not
> conveying the fundamentals that would allow people to build
> high-assurance systems. In our foundations course, we read Ross
> Anderson's book[9], Bruce Schneier's Secrets and Lies[10], and many
> (about 40) wonderful papers including "The Inevitability of
> Failure.[11]" and Schell's "Information Security: Science,
> Psuedoscience, and Flying Pigs.[12]
> </snip>
>
> The full interview and other articles can be found below:
> http://nujia.norwich.edu/1_1/i01v01kabay.pdf
>
> ymmv,
> C.G.
>
> On 2/28/07, Joshua Zeidner <jjzeidner at gmail.com> wrote:
> >  Joseph,
> >
> >    In response to your comments below... there are many problems with
> > an 'uncredentialed security expert'.  Many of these problems extend to
> > non-security disciplines as well.  Essentially, it comes down to
> > trust.  And this hypothetical person has absolutely nothing at stake,
> > he could completely screw things up and what does he have to lose?  He
> > most likely picked up a few books, tooled around on his(or her) linux
> > box for a while, and started talking the talk... if someone didn't
> > even make the basic effort to get a degree in the discipline, I( and
> > many others ) have a very hard time being convinced of their sincerity
> > and credibility.  The typical fact is that they don't have any, they
> > jump into something because they see a hot salary, they fake it for as
> > long as it makes sense, and then jump ship into something else or go
> > start a rock band.  This group will in turn run themselves ragged
> > chasing after each and every technology trends that comes along.
> > These trends are getting more and more ridiculous and rapid every
> > quarter, and the investment one must make in keeping up with them( at
> > a personal or department level ) is way too expensive for the value
> > they may provide.  I just stay away from this crowd, they will just
> > run themselves down eventually.  These folks will not only destroy
> > their own careers, but they will ruin a department, website , etc. as
> > well.
> >
> >   Although I am sure many here want to cover for their buddy who never
> > managed to get a degree, or perhaps they don't have one themselves...
> > but the fact is that if you are dedicated to the field, you have to
> > show the effort. I've worked with a person in the recent past who
> > fancied himself a security expert who loved to rant off about
> > honeypots and tcp-ip stacks, but none of these little factoids he
> > picked up have any grounding in experience, and there is no particular
> > reason why anyone would want to take him seriously.
> >
> >   Even those who jumped in the mix during the 90s from other fields...
> > I still find them to be lacking in the basic skills of development.
> > As the job market continues to shrink, believe me those people without
> > BS CS on their little piece of paper will be sifted out, especially if
> > labor regulations are introduced.  In the recent past the CS field had
> > enough of a vacuum in the market to allow for these types of people,
> > but the economics of the current situation are turning it into a field
> > just like any other; you have to go and get someone to give you a
> > piece of paper that says you have knowledge of this field.  If you do
> > have experience and no degree, I would suggest making plans to get
> > one.  I'm certainly noticing that these groups are becoming stratified
> > into the 'web hacker' people and the trained career engineers.  When
> > push comes to shove and the DOL has to make a decision about who to
> > help, who do you think will make the cut?
> >
> >   -jmz
> >
> >
> > On 2/28/07, Joseph Sinclair <plug-discussion at stcaz.net> wrote:
> > > I have to say, I don't agree with much of JMZ's view.
> > >
> > > It is entirely possible to work in security without an advanced degree and without academic experience.  The academics are needed if you're designing new algorithms, but most security work is designing and implementing security subsystems and auditing software for security concerns.  It doesn't take major mathematics to do that (unless you're implementing an encryption algorithm, something almost never done in practice), you just need a good strong detail-oriented focus, a strong systems-design skills, and a touch of paranoia, since everyone misses something in this field.
> > > Will healthcare tie into security, absolutely, although HIPAA defines requirements, the implementation of those requirements leaves a lot of room for software, and policy, innovation.  I don't think you'll find your math skills greatly used, however, unless you decide to do some work on one of the open-source encryption systems cross checking the algorithm implementations or something similar.
> > >
> > > Regarding the value of a degree, I've worked with incredibly skilled people who have no degree, and I've worked with incredibly incompetent people with a PhD, most people are somewhere between those two extremes.
> > > The degree matters to an extent (and more education is generally a good thing), but the character and qualities of the person who earned the degree always matters far more than the degree itself.
> > >
> > > The "baby boom" generation (born 1946-1964) is statistically much larger than the generations born in the 20 years prior or the 20 years following.  They also reproduced at a lower rate than their parents (average < 2 children/couple, net loss of population).  In fact the primary reason the US population continues to grow is immigration, but that can't change the fact that the average age of US residents is rising (see http://www.census.gov/ipc/www/usinterimproj/natprojtab02a.pdf)
> > > That said, the "graying" of the population is somewhat exaggerated (even in 2050 the census predicts that only ~21% of the population will be over 65), of course the projections to 2070, are somewhat more extreme, but they're also not statistically reliable.
> > > The problem that arises in that to pay social security for that 21% (vs. the 12% today) the working 42% (vs. 52% today) will have to pay around 40% of their income under the current social security model (3 times the current amount), and the economy wouldn't be able to support that.
> > > The solutions are well known, and there's no doubt they'll work, the problem is that they're not completely intuitive, and they reduce the power of the government, something many government officials don't like (they want more power, not less).  Also, everyone in Congress is deathly afraid of changing Social Security for fear of upsetting some very powerful lobbies in DC (AARP being chief among them)
> > > Healthcare for the elderly isn't likely to have a huge economic impact. Lifestyle medicine, such as psychiatric treatments, sleep-aids, and ED drugs (mis)used as enhancers, has a much larger impact and is driving much of the current growth in healthcare.
> > >
> > > As far as bubbles go, energy is a good current candidate, as is materials science.  It may be another year or so before the next bubble is really clear, but it probably won't be healthcare, that's more likely to hit in 2017, if ever.
> > >
> > > As for socialized healthcare, if you want to know what that's like, just look at France, or England.  Both have had socialized healthcare for some time (to varying degrees), and it's very eye-opening to see what the result of that has been.  If you want someplace closer to home, look at Canada, and ask yourself why so many wealthier Canadians cross the border to US hospitals for treatment each year.
> > >
> > > Sorry for the long rambling post, I wanted to try to cover all of your points (including some earlier items).
> > >
> > > Josh Coffman wrote:
> > > > I don't know that having the BS helped me or not after I had a few years of experience.
> > > > It sounds like a BS alone isn't enough to be taken seriously in Security. Dont really know.
> > > >
> > > > It is my understanding that the Baby Boomers were called such because they were a big population jump following ww2.
> > > >
> > > > I think nationalized (aka socialized) healthcare has more issues than population changes.
> > > > Personal opinion, but I'd trust a collective influence of individual decisions more than a centralized generalization by a few pushing influence
> > > > over the rest of a society. Stated another way, I trust my own opinions for my own life and my family's rather than handing it over to someone
> > > > in DC who doesn't know me and only really cares for continuing their pay and power with no responsibility.
> > > >
> > > > Admittedly, both ways have their issues.
> > > >
> > > > -j
> > > >
> > > >
> > > > ----- Original Message ----
> > > > From: Joshua Zeidner <jjzeidner at gmail.com>
> > > > To: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
> > > > Sent: Tuesday, February 27, 2007 1:16:15 PM
> > > > Subject: Re: security, encryption, and healthcare
> > > >
> > > > On 2/27/07, Josh Coffman <josh_coffman at yahoo.com> wrote:
> > > >> Excellent, Josh!
> > > >> Guessing my Math B.S. doesn't get me anywhere, and I'd understand that.
> > > >> It's just a B.S.; and I was too tired of being poor to accept the masters program offer. d'oh!
> > > >> Sounds like some other certifications would be helpful. Personally, I don't think I have the time. :(
> > > >
> > > >   It is a telling sign that a B.S. no longer gets you anywhere...
> > > >
> > > >> So Healthcare is growing, but how does that affect IT?
> > > >
> > > >   Well, where the money goes, IT goes... but that is not necessarily
> > > > going to change things for IT people.  I would think that some
> > > > background in healthcare would be marketable, but health agencies
> > > > manage things in the same way as any other type of organization and IT
> > > > people typically arent directly involved in the administration.  One
> > > > thing I have found is that managers will sometimes view domain
> > > > specific knowledge negatively, because it is threatening to their
> > > > position.  Typically managers want highly technical people who are
> > > > just simply going to fulfill technical requests and don't have the
> > > > possibility of getting involved with the actual administration of the
> > > > particular business.
> > > >
> > > >> I think it will become a bubble, and a big one...
> > > >> The large, aging sectors of our society will create an increased demand for health services. (Also, seems
> > > >> like so many people of various ages have 2-3 prescriptions for misc things.)
> > > >
> > > >   so they say, but the problem is that the younger working people are
> > > > going to pay for it.  Health 'insurance' is not really insurance in
> > > > the classical sense, its a financial scheme that promotes the sale of
> > > > certain types of services, and allows for creative payment structures.
> > > >  Im not really sure why we have any more of an 'aging population' than
> > > > we have ever had( did the older generation have less kids? ).  It
> > > > always seems like healthcare hooplah to me.  Its not hard to figure
> > > > out why the Healthcare industry wants to promote this future of
> > > > millions of old people hooked up to expensive devices and taking
> > > > costly medications.  These are the types of issues that prohibit
> > > > national health care plans...  jmz
> > > >
> > > >
> > >