About those degrees…

There is a meme going around related to the Equifax hack that points out an executive in charge of security doesn’t have a degree related to security.
Surprise! A lot of the folks who currently keep us safe on the internet don’t have degrees in security. They just didn’t exist when we were in school. I think Paul summed it up best:

[T]alking about Susan Mauldin’s music degree is a socially acceptable way for men (and they’re almost all men) to vent about a woman who they don’t feel belongs in their workplace – especially not in a senior role. That truth is simply unavoidable.

Paul’s article over on Security Ledger is well worth a read looking at security professionals and what their credentials are. Also, a summary of the discussions happening in various online fora about her and the breach.
On my Facebook feed, there have been a lot of discussions. It’s interesting because many of my friends are experts in security and/or internet technology. Some have degrees in relevant studies, but a lot are self taught. They are the embodiment of Chris Robert’s quote in Paul’s article.

“So many of us in security have worked our way in and clawed our way up and we stand on the experience that we have and build on the experience of others,” noted security expert Chris Roberts (@sidragon1) told [Paul]. “This realm we’ve created over the last 20+ years has only recently lent itself to certification and most of us have the scars and bruises from so many years of experience which arguably counts for as much if not more in some cases.”

Anti-abuse and deliverability are even newer field than security and they don’t have much in the way of certification, either. But most of us working in the field do have the scars and bruises from experience.
We are living in the future. Those of us who are creating the future are doing the best we can. Sometimes that means we have a degree in music. This doesn’t make us unqualified.
 

Related Posts

Indictments in Yahoo data breach

Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo’s servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals.
Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.

Read More

Mailbox tools are a security risk

On Sunday the NYTimes published an article about Uber’s CEO. One of the pieces of information that came out of that article is services like unroll.me sell information they scrape out of emails sent to their users.

Read More

Shibboleet

Using unique addresses for signups gives me the ability to track how well companies are protecting customer data. If only one company ever had an address, and it’s now getting spam or phishing mail, then that company has had a data breach. The challenge then becomes getting the evidence and details to the right people inside the company.
In one case it was easy. I knew a number of people inside the company and knew they would take it seriously and pass it on to the folks in the best place to deal with it. I did. They did. They got their systems secured and notified customers and it was all taken care of.
Other cases aren’t as easy.
Many years ago I got mail from my credit card company to a unique address. This was long before SPF or DKIM and the mail contained links different from the company’s main domain. I called them up to see if this was real or not. They told me it wasn’t, because tier 1 support are trained to tell users everything is suspicious. Eventually, though, it became clear this wasn’t a phish, it was just bad marketing by the company.
A few years ago I reported a possible breach to representatives of a company while at a meeting. Coincidentally, the address only their company had started getting phishing and spam during the conference. I brought it up to them and followed their directions for reporting. They asserted the leak wasn’t on their end, but to this day I get multiple spams a day to that address. They claimed that the spammer was someone I was friends with on their website, but they could never quite demonstrate that to my satisfaction. I treat that site as only marginally secure and take care with the information I share.
After Target was breached they emailed me, out of the blue, to the address I use at Amazon. There was some level of partnership between Amazon and Target and it appears Amazon shared at least part of their database with Target. I talked with security folks at Amazon but they told me they had no comment.
Of course, on the flip side, I know how challenging it is to sort through reports and identify the ones that are valid and ones that aren’t. When I handled abuse@ we had a customer that provided a music sharing program. If a connection was interrupted the software would attempt to reconnect. Sometimes the connection was interrupted because the modem dropped and a new person would get the IP address while the software was trying to reconnect. This would cause a flood of requests to the new person’s computer. These requests would set off personal firewalls and they’d contact abuse to tell us of hacking. There wasn’t any hacking, of course, but they’d still argue with us. One of my co-workers had a nickname for these folks that was somewhat impolite.
We had to implement some barriers to complaints to sort out the home users with personal firewalls from the real security experts with real firewalls that were reporting actual security issues. So I get that you don’t always want or need to listen to J. Random Reporter about a security issue.
Sometimes, though, J. Random Reporter knows what they’re talking about.

Yeah, I spent the morning trying to get support at a company to connect me to security or pass a message along. Too bad there isn’t a security shibboleet.

Read More