IT expert preaches importance of security
user name
2006-05-30 05:06:37
http://www.thetriangle.org/media/storage/paper689/news/2006/05/26/SciTech/It.Expert.Preaches.Importance.Of.Security-2014305.shtml

By: Kaushal Toprani
5/26/06

"Why do cars have brakes?" is a question Scott Laliberte, a director at Protiviti Independent Risk Consulting, often asks his new clients.

"To make the car go faster," Laliberte explained to a group of about 30 students attending a seminar on information security held in the Rush Building, May 24. Without a way to slow down, a car could not go down steep hills or take sharp turns.

Laliberte applies the same concept to technology. Without the controls information security offers, the safe use of information technology is limited.

Protiviti assists over 1,000 clients worldwide in risk consulting, internal auditing and incident response. Laliberte has written two books about information security risk assessment, Hack I.T. and Defend I.T. Recent attacks on sensitive data and new regulations have created a demand for Protiviti's services.

Laliberte explained the case of Choice Point Incorporated, an identification and credit verification company. In February 2005, it was discovered that Choice Point had sold 100,000 Social Security numbers to fraud artists. The incident cost Choice Point over $20 million. Even since this well-publicized incident, over 82 million consumers have had their private data compromised, according to Laliberte.

Laliberte also recounted an incident in which a university's keycard system was hacked, jeopardizing the security of labs where specimens of infectious diseases were kept for research purposes.

These new attacks have prompted the government to respond with new regulations that are changing the business environment. The Gramm-Leach-Bliley Act requires financial institutions to protect their clients' financial data. The Health Insurance Portability and Accountability Act gives the same protection to patients' health data.

Protiviti's security architecture is based on ISO 17799, an international standard that describes best practices in information security. Laliberte explained that Protiviti looks at the whole picture when performing a risk assessment, including business and cost factors, IT factors, and compliance issues. Protiviti aims to analyze an organization's needs, standardize the security policies and automate the enforcement of these policies.

Laliberte also discussed the tools that are available to information security professionals. Intrusion detection systems, which look at incoming and outgoing traffic on a network for suspicious patterns or attacks, aren't a silver-bullet solution to network security.

"They're only as good as the people that implement them," Laliberte said.

He talked about a company he once audited where the intrusion detection system was installed, but not configured, and the alerts were ignored. An IDS often creates a "false sense of security," Laliberte said.

Protiviti uses more than 100 different security tools, each with its own specialization. Some of these tools are available as freeware, and others are sold as commercial solutions. Laliberte urges caution when using freeware, as it is often written by hackers who program back doors into the code, which leave the system vulnerable.

Laliberte discussed job prospects in the field of information security. There are various jobs that range from being very technically oriented to very process-oriented - that is, jobs that require defining policies. Entry-level information security professionals can expect to make between $40,000 and $60,000 a year.

Laliberte said he recruited from college campuses. He looks for students with a track record of success in tasks they take on, checking their GPA and other activities. He also requires a good understanding of the fundamentals of IT.

"I can teach the security, but the IT is harder to teach," he explained.

In order for new information security professionals to be successful, Laliberte recommended reading a lot about the field and networking with other professionals already in the business. For those who are looking to get into the field, he recommends getting the Global Information Assurance Certification Security Essentials Certification.

The most important key to being successful, Laliberte said, is passion.

"No matter what you do, do it well and be passionate about it," Laliberte said.

Students felt Laliberte gave a good overview of information security.

"He was good at explaining things people don't realize," said Andrew Rutherford, a senior majoring in information systems.

© Copyright 2006 The Triangle