http://www.thetriangle.org/media/storage/paper689/news/2006/05/26/SciTech/It.Expert.Preaches.Importance.Of.Security-2014305.shtml

By: Kaushal Toprani
5/26/06

"Why do cars have brakes?" is a question Scott Laliberte, a director at Protiviti Independent Risk Consulting, often asks his new clients. "To make the car go faster," Laliberte explained to a group of about 30 students attending a seminar on information security held in the Rush Building, May 24. Without a way to slow down, a car could not go down steep hills or take sharp turns. Laliberte applies the same concept to technology. Without the controls information security offers, the safe use of information technology is limited.

Protiviti assists over 1,000 clients worldwide in risk consulting, internal auditing and incident response. Laliberte has written two books about information security risk assessment, Hack I.T. and Defend I.T.

Recent attacks on sensitive data and new regulations have created a demand for Protiviti's services. Laliberte explained the case of ChoicePoint Incorporated, an identification and credit verification company. In February 2005, it was discovered that ChoicePoint had sold 100,000 Social Security numbers to fraud artists. The incident cost ChoicePoint over $20 million. Even since this well-publicized incident, over 82 million consumers have had their private data compromised, according to Laliberte. Laliberte also recounted an incident in which a university's keycard system was hacked, jeopardizing the security of labs where specimens of infectious diseases were kept for research purposes.

These new attacks have prompted the government to respond with new regulations that are changing the business environment. The Gramm-Leach-Bliley Act requires financial institutions to protect their clients' financial data. The Health Insurance Portability and Accountability Act gives the same protection to patients' health data.
Protiviti's security architecture is based on ISO 17799, an international standard that describes best practices in information security. Laliberte explained that Protiviti looks at the whole picture when performing a risk assessment, including business and cost factors, IT factors, and compliance issues. Protiviti aims to analyze an organization's needs, standardize the security policies and automate the enforcement of these policies.

Laliberte also discussed the tools that are available to information security professionals. Intrusion detection systems, which look at incoming and outgoing traffic on a network for suspicious patterns or attacks, aren't a silver-bullet solution to network security. "They're only as good as the people that implement them," Laliberte said. He talked about a company he once audited where the intrusion detection system was installed, but not configured, and the alerts were ignored. An IDS often creates a "false sense of security," Laliberte said.

Protiviti uses more than 100 different security tools, each with its own specialization. Some of these tools are available as freeware, and others are sold as commercial solutions. Laliberte urges caution when using freeware, as it is often written by hackers who program back doors into the code, which leave the system vulnerable.

Laliberte discussed job prospects in the field of information security. There are various jobs that range from being very technically oriented to very process-oriented - that is, jobs that require defining policies. Entry-level information security professionals can expect to make between $40,000 and $60,000 a year. Laliberte said he recruited from college campuses. He looks for students with a track record of success in tasks they take on, checking their GPA and other activities. He also requires a good understanding of the fundamentals of IT. "I can teach the security, but the IT is harder to teach," he explained.
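The point Laliberte makes about IDS is easy to see in a small model. The following is an added illustration, not code from the article or from Protiviti: a minimal signature-based detector that scans constructed traffic-log lines (the log format and the three rules are hypothetical) and reports alerts. Running the same log through an empty rule set, which stands in for an IDS that was installed but never configured, produces no alerts at all, which is exactly the "false sense of security" described above; the summary helper shows the kind of per-source triage that has to happen for alerts to be worth anything.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One detection signature: a name and a compiled pattern."""
    name: str
    pattern: re.Pattern


# Constructed sample log. Hypothetical format: "<src> -> <dst>:<port> <summary>".
SAMPLE_LOG = """\
10.0.0.5 -> 192.168.1.10:80 GET /index.html
10.0.0.7 -> 192.168.1.10:80 GET /cgi-bin/../../etc/passwd
10.0.0.9 -> 192.168.1.22:22 SSH handshake
10.0.0.7 -> 192.168.1.10:80 GET /search?q=' OR 1=1 --
10.0.0.7 -> 192.168.1.10:3306 mysql login failed
"""

# Constructed rule set; a real IDS ships with far more and needs tuning per network.
DEFAULT_RULES = [
    Rule("path-traversal", re.compile(r"\.\./")),
    Rule("sql-injection", re.compile(r"('|%27)\s*OR\s+1=1", re.IGNORECASE)),
    Rule("db-auth-failure", re.compile(r":3306 .*login failed")),
]

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<summary>.*)$")


def detect(log_text, rules):
    """Return (line_number, rule_name, src) for every rule that matches a log line."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        src = m.group("src") if m else "unknown"
        for rule in rules:
            if rule.pattern.search(line):
                alerts.append((lineno, rule.name, src))
    return alerts


def unconfigured_ids(log_text):
    """An IDS with no rules loaded: it sees every line and alerts on none of them."""
    return detect(log_text, [])


def summarize_by_source(alerts):
    """Count alerts per source address so an analyst can see who needs attention."""
    return dict(Counter(src for _, _, src in alerts))


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG, DEFAULT_RULES)
    for lineno, name, src in hits:
        print(f"line {lineno}: {name} from {src}")
    print("per-source:", summarize_by_source(hits))
    print("unconfigured IDS alerts:", unconfigured_ids(SAMPLE_LOG))
```

The unconfigured run returning an empty list is the whole lesson: silence from a detector only means something if someone has confirmed it is loaded with rules, tuned for the traffic it sees, and that its alerts reach a person who acts on them.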
In order for new information security professionals to be successful, Laliberte recommended reading a lot about the field and networking with other professionals already in the business. For those who are looking to get into the field, he recommends getting the Global Information Assurance Certification Security Essentials Certification. The most important key to being successful, Laliberte said, is passion. "No matter what you do, do it well and be passionate about it," Laliberte said.

Students felt Laliberte gave a good overview of information security. "He was good at explaining things people don't realize," said Andrew Rutherford, a senior majoring in information systems.

© Copyright 2006 The Triangle