Careers, Concepts, Security Education, Security Management

Breaking into Security

One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security.  It all started as a computer science major at Michigan State University. I was also in Air Force ROTC.  This combination allowed me to start developing my security mindset.  As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity. The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.

Concepts, Security Management

Is it time of Security Rating of Software and Systems?

One of the fundamental papers in the Information Security industry is “The Protection of Information in Computer Systems” written by Jerome Saltzer and Michael Schoeder in the mid-1970s.  This paper defines eight design principles to ensure the safety, security, and functionality of computer systems and applications.  It’s timeless as those principles still apply today. If you haven’t seen it yet, Adam Shostack of Emergent Chaos does a great job in his blog of explaining the Saltzer and Schroeder Design Principles and equating them to something almost everyone can understand: Security in Star Wars.

One of the ideas that come out of it is the concept of “work factor” and the fire/safety ratings on safes.  Safes are classified by Underwriters Laboratory for their ability to protect their contents from both fire and burglars.  It’s the degree of protection that safe will protect its contents. There are both construction and performance requirements.  The former defines the minimum specifications for the container. The latter defines how long the safe must withstand a burglary attempt.  You can read more about it here:

This idea isn’t new. A DARPA research report from 2001 presents it from a scientific standpoint: “Adversary Work Factor as a Metric for Information Assurance.” In this paper, Schudel and Wood present the hypothesis, “that adversary work factor is a quantifiable metric that yields valuable insights into the relative strengths and weaknesses of modern complex information systems.” The authors go on to develop an approach for observing and reporting adversary work factors for information systems.

It’s time we used the same approach in Cybersecurity. The UL rating system is a standard that’s long been in use in the physical world. Why not begin to follow it in the cyber world?  The IT industry should consider creating construction and performance standards for all computer systems and applications. An unbiased, standardized security work factor rating would allow consumers to understand the safety of an application or system to determine if it fits into their risk appetite.

Why reinvent the wheel?

Online Safety Tips

Protecting Yourself in an Insecure Cyberworld

A friend of mine recently asked for 5 quick tips for people to protect themselves from cyberfraud and identity theft.  While there are many great ideas out there on the sites listed below, here are the five I promote:

  • Watch your credit card. When paying with a credit or debit card, pay attention to who has it and where it’s going.  It’s easy for the waiter/waitress or cashier to steal the information when they take it out of your sight.  Most identity theft occurs with the physical card and not online.
  • Keep track of your charges.  Know each time you spend money especially with credit and debit cards.  This will make the next steps easier when you check your statements. You won’t need to rely on your memory as much (“What’s this charge?” and “Did I make it?”). While this is mostly important for payments made by credit or debit card, it also applies to cash.
  • Pay attention to your statements.  At least once a month, go through all of your bank and credit card statements to ensure all transactions are credible.  It’s so easy to get lazy and neglect reviewing what’s being charged in your name.  With electronic statements, you can do this multiple times a month.  This allows you to catch potential problems earlier.
  • Be careful when using public wi-fi.  It’s a great convenience that so many places allow us to connect to the Internet using their free wi-fi.  Keep in mind though that it’s like yelling in public; it’s not secret.  Malicious hackers can “sniff” the airwaves and steal your information.  I don’t recommend using public wi-fi for anything sensitive.
  • Use strong passwords and keep them safe.  Passwords are our keys to our identity and personal data.  Choose and use the wisely.  Don’t use the same password for all websites. That’s the same as having the same key for your house, car, office, safe, etc.  Use different passwords especially for sensitive areas like your financial institutions.  Microsoft has a good, online password checker to help you select strong passwords.

Below are some of the websites* and resources you can use to learn more about keeping yourself and your family safe online:

What tips or sites do you have?  Please share using  the comments.

* These sites are not associated with Bellevue University. They are provided for your reference. Use at your own risk.


Human Aspects, Online Safety Tips, Security Education, Security Management

Security for the Real World – Password Policies

Passwords suck.  They always have; they always will.  But we’re stuck with them.  They are the cheapest and easiest means of user authentication.

With passwords, come the ubiquitous password policies.  This post addresses two of them seen at most organizations*:
1. Thou shalt not share they password.
2. Thou shalt not write down thy password.

* “Thou shalt” isn’t usually used in policies.  I’m using it for effect.

There are many problems with these rules.  First, they are almost impossible to enforce, unless it’s a really small organization or you have a large police force.  Second, they are often violated by the top echelon in the company.  How many CEO’s share their account with their admin?  Are you going to tell the CEO that he’s violating the company policy?  That’s a CLM (Career Limiting Move) if you ask me.

Rules like the ones above are to protect the organization, not the employee.  They cannot be enforced, except when something bad happens.  Then, the enforcer can point to the policy and report the violation.  I call it a “speed limit” policy, which are good to follow, but aren’t continually nor consistently enforced.

Here’s the key to making those policies work: make the user responsible for his/her account.  The policy statement would then be, “All users are responsible for protecting their login credentials from unauthorized access like they would protect any other corporate asset.”  This puts the onus on the user.  If someone gains unauthorized access to the user’s account because he/she didn’t follow the rules, then the user is accountable.  They are guilty until they can prove themselves innocent.  If someone (like the CEO) wants to share their account, they can as long as they realize that’s it’s them who will be held responsible for any actions taken by the other party.

With so many passwords to remember, people need to write them down.  Telling people not to just isn’t realistic.  Some use a password vault application.  Others use a piece of paper.  Both are fine as long as it’s rigorously protected.  It’s fine for people to write down their passwords as long as they store it in a very safe location.  My mom has a piece of paper with all of her passwords on it in a desk drawer in her apartment.  I’m fine with it, since I may need it one day as her power of attorney.  Her apartment is in a secure facility, so the risk is minimal.  There’s a lot bigger risk of her becoming incapacitated and me not having access to her accounts.

That’s what it comes down to: understanding RISK and establishing Accountability.  What are the risks associated with the actions?  Who’s responsible?  Answer those and you make a cognitive decision that’s both realistic and enforceable.

Careers, Security Education

Cybersecurity Degree vs. Certification

What’s best for your career – a Cybersecurity certification or a degree in Information Technology (IT) security?
[Guest Author: Laura Linhart]

A few years ago, this question would not have been as relevant as it is today.  The CISSP® (Certified Information Systems Security Professional) sponsored by the International Information systems Security Certification Consortium (ISC2) first offered as a security certification in 1994, was the first information security certification to meet ISO standards.[1]  Since then, the number and types of information or Cybersecurity certifications and professional organizations that offer these certifications has proliferated.

The growth and evolution of information or Cybersecurity as a degree unto itself has also been significant in recent years.  Today, many colleges or universities offer it is a field or major unto itself, offered as both undergraduate and graduate degrees.  In previous years it was only available as a subset of another major such as data processing, computer networking or computer science.

From a career or professional perspective, information security appears to be a stable and growing profession[2] .  As the profession continues to grow and evolve, the question of which is more relevant – a degree or certifications is now a consideration.   As with most things in life, the best answer is “it depends”.  Where you are at in your career, life’s journey (i.e., age) and your own ambitions are things to consider.

Degree – to expand or gain knowledge.  On the positive side, a degree is forever, and does not require any upkeep.  It will get you in the HR screening process door if an IT degree is a particular job requirement.  It indicates that you have the work ethic to complete something.

Certification – to establish your credibility.  Require continuing care and feeding (continuing certification requirements).  Most also require years of experience in the specific area of certification.   It indicates that you have the subject matter expertise.

Another variable to consider is practical experience.  In some situations, practical experience means the most.  It indicates that you have the ability, and can apply and expand on what you know.

The bottom line is that there is no one answer that fits all.  It depends on your particular circumstances.

In reality, you will probably need both a degree and certification(s).


Physcial Security, Security Assessments, Security Management

Security Convergence – Ready or not, it is here!

The security industry has been talking about the convergence of physical and information security functions for years.  Many act as if it’s a big deal or that it’s a difficult endeavor to accomplish.  I say, ready or not, it’s already here.  Security functions and technology has merged right under our eyes.  Let me explain.

First, let’s define “Security Convergence”.  According to ASIS, it’s, “The identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies.”  The key words are risks, interdependencies, and solutions.  It’s critical to review the risks to the business and determine the best methods for mitigation.  Notice that this definition contains no reference to information security or physical security.

Traditional practices have caused many large organizations to create security silos to solve individual problems rather than looking at the best solution to reduce risk.  They separate physical from logical (or information) security without realizing that these groups serve the same purpose: mitigating risks.  More progressive organizations have their security converged and are thus better able to handle common risks.  These organizations are addressing the reality of risk management, which looks at methods to address risks regardless of the form.

Many new or small organizations lack a separate physical security force that is seen in established firms. They will often outsource physical security functions as part of their lease.  They believe it covers all types of risks and ignore others that they cannot address due to time or money constraints.  These businesses would be better served with a converged security function under a single employee who’s responsibility is to address all types of security risks: both physical and logical.  With this, the company is better positioned to manage their security risks in a consolidated function.

One last point on the physical/logical security convergence is that most of the equipment used by physical security, such as cameras and monitoring, badge systems, etc. is already on the network.  The camera system in your facility is most likely on your corporate IP network.  There’s also a strong possibility that’s also true with your badge system.  They are network servers, but are usually managed outside of IT.  This is another case where a converged security function can better maintain critical company services.

Security isn’t something you bolt on and hope it works.  It needs to be incorporated into the fiber of the organization.  A converged security function allows this to occur in the most cost-effective way.

What do you think?  Feel free to comment below.

Security Education

What do you need? Security Education or Training

As you’re looking to improve yourself as a Cybersecurity citizen, you often need help from an outside source to increase your knowledge and/or abilities.   Security is a broad topic encompassing many disciplines and Cybersecurity is no different.  There are technical, procedural, and managerial aspects to be considered to grow what you know about Cybersecurity.  There are often many, different ways to solve the same security problem. Knowing what to do and how to do it requires both knowledge and experience.  How do you gain it though?

The answer is Cybersecurity training and education.  There’s often a question as to which you need: training or education.  There is a difference between the two, which I’ll explain below. You need to be aware of your needs, wants, and goals before proceeding, or there’s a chance you won’t meet them.

Cybersecurity education provides a more general background on the philosophies and concepts behind Cybersecurity.  It allows you to understand the context for security tools, techniques, and technologies. With security education, you understand why it’s important to have particular protection methodologies in place and is at the strategic level of thinking.  Cybersecurity education emphasizes principles of risk management and how security fits into an organizational culture and structure. Education is long term taking many months if not years to acquire. Finally, education teaches critical thinking and allows the student to learn how to learn, which is crucial for new subjects or technologies.

In contrast, Cybersecurity training is more specific to a technology, procedure, or skill.  It’s tactical or operational, rather than strategic. Training emphasizes the building of explicit skills and applying what you know to a particular situation.  When you attend cyber training, you are learning about a specific technology or practice that can meet an immediate need. Lastly, training is short term and can often be accomplished in days or weeks.

In this discussion, I’m trying not to sway your though as to which is better, because both are important for expanding your Cybersecurity knowledge and abilities. You need to decide for yourself the method you want to take in order to meet your goals. The important thing to consider is that you keep growing and increasing your knowledge.  Feel free to comment below on your views of education versus training. Don’t stop learning!

Security Education, Security Management

National Center of Academic Excellence in Information Assurance Education

In April 2012, the National Information Assurance Education and Training Program (NIETP) office under the authority of the U.S. National Security Agency (NSA) and Department of Homeland Security (DHS) announced that Bellevue University is designated as a National Center of Academic Excellence in Information Assurance Education (CAE-IAE) for the academic years 2012-2017. This is a great accomplishment for the University and demonstrates our continued dedication to not only Cybersecurity Education, but also to the security community. 

The CAE-IAE application, submitted earlier this year passed a rigorous review that was evaluated against a stringent criteria, demonstrating its competency and commitment to academic excellence in Information Assurance education and security practices. The letter received by the University with the announcement demonstrates the quality of our program.  “One reviewer remarked that Bellevue’s submission, ‘demonstrated fine curriculum, expert faculty and noteworthy outreach.’  You are to be commended for submitting such an exemplary application.  Your ability to meet the increasing demands of the program criteria will serve the nation well in contributing to the protection of the National Information Infrastructure. “

Mary Hawkins, the Bellevue University President will be receiving the official certificate of designation signed by the Director, NSA, the IA Director, NSA and the Cybersecurity Assistant Secretary, DHS, at the 16th Colloquium for Information Systems Security Education (CISSE) in June.

An official press release and announcement is forthcoming.


Cyberwar – Is it Happening Now? – Part 2

Cyberwar as a term, concept, and action isn’t going away.  We are stuck with it.  The challenge is how do we define it?   Whether or not we’re even in a Cyberwar now is entirely open to opinion and personal biases. 

It makes for a great debate, which is what happened last Wednesday, February 22nd at Bellevue University.  That afternoon, Dr. Matt Crosston and I debated this topic in front of a full audience of students, professors, and other interested parties.  We addressed the problem with definitions and perceptional bias.  Our goal was to get participant thinking about the real issues, so we can begin to develop real solutions.

You can see the seminar/webinar/debate yourself at
After you watch it, please feel free to comment with your ideas or opinions on cyberwar. Is it really happening now?


Cyberwar – Is it Happening Now?

I was all set to write this great piece on Cyberwar and how it’s a bunch of fear-mongering by those who don’t understand it, but Scot Terban beat me to it.  See his thought-provoking piece on InfosecIsland or his blog titled: Dr. Cyberlove… Or, how I learned to stop worrying and love CYBERWAR! (Here’s the link for those who are paranoid:  It’s a great piece to get you thinking about Cyberwar and if we are indeed in one now. 

According to Sen Joseph Lieberman and Jay Rockefeller, we are on the brink of a cyber disaster.  They equate our cyber situation to 9/11.  Now I’m all for increasing focus on security, but not for the sake of FUD (Fear, Uncertainty, & Doubt). Selling fear never works in the long term.

Cyberwar is a sexy term that’s hotly debated.  Many take one side or the other as to whether or not we are at war over the wires (or wireless).  Can computers kill?  Are we in the land of The Terminator and Tron?  Are we on the brink of Cyber-Armageddon? Can people live without Twitter and Facebook? 

These questions and more will be addressed in the seminar / webinar / debate Dr. Matt Crosston and I are having next Wednesday starting at 1pm. If you live in the Omaha area, you can participate in the debate in person, in the Bellevue University Hitchcock Humanities Center’s Criss Auditorium. Presenters will be me, Ronald Woerner, Assistant Professor and Director of Cybersecurity Studies in the University’s College of Information Technology, and Dr. Matthew D. Crosston, Associate Professor, ISIS Program Director – International Security and Intelligence Studies Chair – Political Science.
Please visit for more information and to register.

Just call me Dr. Cyberlove…