Year: 2010

Information Security D-List Interview: Jackie Arlen

You know her as the old man serving coffee but “Security Intern” is actually…..a woman! That’s right! Not only is Jackie “Security Intern” Arlen a real person, but she’s agreed to be interviewed for the D-List.

Q: Tell us a little about yourself.

I am the security intern at Liquidmatrix Security Digest, however I am currently on hiatus as I went from part-time to full-time student last fall. I miss contributing more than I imagined I would. New semester, new schedule, I’m hoping to fit in a day or two a week again. In addition to that, I’m a mom and a person who teaches, learns and shares.

Q: How did you get interested in information security?

People contain information. Loads of information. People interest me greatly. And I’m surrounded by smart people who hold important information. I am also surrounded by dumb people who hold even more important information. I’m interested in helping the first group excel and succeed and ensuring that the second group are well contained and effectively managed. I suppose that really means “human resources”, actually, and I think there is a fairly large contingent of people in information technology who would like to deal less with traditionally educated human resource type folks. I am fairly certain that is where my future lies. The kind of specialist who can mediate and integrate smart technical people with organizations who need their smarts.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I am currently working on my undergraduate degree, though I do have 40 years of life experience. I believe that because I’m focusing more on people hacking that I do need formal education to get my foot in the door. From what I’ve witnessed however, people don’t necessarily need a Comp Sci degree to make a name and place for themselves in information security. Ultimately though, parenting has taught me much about how to manage people, especially those who persist in acting like children after they have offices and suits and shiny computers.

Q: What did you want to be when you grew up? Would you rather be doing that?

Oh brother. Shoot me. Nao. I wanted to be an accountant. Or rather, I thought I did. That said, I was far more interested in playing euchre in the student center than I was attending any of the pre-requisite courses for accounting in university. Turns out, one cannot earn credit for garnering both bowers and going alone. So now, 20 years later I’m continuing that education but in a different direction. I’ve never really lost the desire to create order from chaos, and isn’t a project team just like a shoe-box full of receipts at tax time?

Q: What projects (if any) are you working on right now?

My degree is the big one. And finding my niche. Also, I need an original idea or ten and a thesis to follow. Oh, and training a cadre of miniature hackers suitable for deployment in any situation requiring equal parts social engineer and cuteness.

Q: What is your favorite security conference (and why)?

I think that because Notacon (Cleveland, OH) was my first conference, it’ll always hold a special spot. I like its intimacy and the variety of content. I really enjoyed DefCon though I was at times a little overwhelmed by the sheer volume of people there. Ask me this question again in a few weeks after I’ve had a ride on the mechanical moose at Shmoocon.

Q: What do you like to do when you’re not “doing security”?

Parenting, homework, DDR, perezhilton.com, scrabble, fighting the laundry pile, the twitter and its internets and watching movies.

Q: What area of information security would you say is your strongest?

The hacking of the people. Social engineering. For certain.

Q: What about your weakest?

Every other.

Q: Can you share with us a story of your social engineering prowess?

I’ve always been able to tell a convincing story. Ditch day comes to mind, I assured my Mom I was not one of the 4 people in the bank on ditch day… but I digress. One of the earliest and most memorable occurred after a football game when I was in high school. Earlier in the week, a friend and I had been to the Army Surplus store and bought neon orange construction vests and hard hats. That Friday evening just before the game was over, we parked our cars perpendicular to the intersection leaving the school, completely blocking one of 2 roads out of the parking lot. The other road led to the bowling alley parking lot. With flashlights in hand, standing in the middle of the road with nothing other than a sense of mischief to guide us, we directed the entire population leaving the game into parking spaces at the bowling alley. A harmless prank though I learned that night that simply acting the part can reap stunning results.

Q: What advice can you give to people who want to get into the information security field?

Me giving advice is about the funniest concept ever but I will say this: there is a place for everyone. You may find yourself looking in from the outside and having no idea where to start. Make contacts. Contacts are endlessly useful. When you ask a question, shut the hell up and listen to the answer. Seek advice from those smarter than yourself. IE: not me. 😉

Q: This is a fairly male dominated industry. How do you plan to blaze your own trail upon completion of your degree and do you think your gender will help or hinder that plan?

I’m optimistic enough to think I’ll do just fine. I’m realistic enough to know that not only do I have gender going against me, I also have age. I’m not a fresh-faced graduate. Some will think that’s a benefit, others probably will not.

When I first began the “intern gig” at liquidmatrix.org, people assumed I was male for a long time and I did not dissuade anyone of that. Women face challenges that men do not. As a “young male”, the intern was accepted by most. As an “old(er) female”, I was fairly sure people would view me with a more critical eye and dismissive attitude. Women often struggle to be taken seriously, I’d never been wholly accepted and with few exceptions @securityintern was a trusted entity. That was new for me and oddly satisfying. Having said all that, I have knowledge and insight to bring to the table. I’m also old enough to know that choosing battles carefully is a skill, almost an art-form, and which weapons to use in order to gain ground. New graduates don’t have that. Hopefully, someone(s) will find value in what I offer.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter: @securityintern

Email: infosecintern@gmail.com

Andrew Hay Presents: Coverage of Andrew Hay at #RSAC and #BSidesSF

Note: If you’ve seen my Tyler Perry rant from earlier today you’ll understand the title 🙂

Well I’m back home from RSA Conference 2010 and I’m exhausted. I caught up with old friends, met new friends, and talked quite a bit. Here are a few of the “talks” in question from last week:

“My Life on the Information Security D-List” Presentation at #BSidesSF

“Unicorns, Clubhouses, and Ruffled Feathers: Women in Security Part 2” Presentation at #BSidesSF

“RSA 2010: What responsibility do security bloggers have to the industry?” Interview

Information Security D-List Interview: Joshua Corman

Today’s interview is with Joshua Corman. I was introduced to Josh at SANS Network Security in San Diego, CA in the fall of 2009 by Dave Shackleford. He’s a great guy with lots to say about lots of different things.

Q: Tell us a little about yourself.

I’m 34 years old. I live with my wife and 2 daughters in New Hampshire [Live Free or Die].

Security pros didn’t initially know what to make of me – some still don’t. I’m technical, but not l33t. Business savvy, but not a marketing wonk. Mostly, I’m a very effective translational bridge between the super technical and the rest of the world. I was at a BlackHat many years back sitting with some guys from Lehman Brothers. I could understand WHAT was just covered, but could also help them understand WHY it mattered and HOW it impacted their day jobs. Unfortunately, that mix of technical acumen, business savvy, and strong communication skill is far too rare in our industry. In fact you and I probably know all of them.

I am passionate about Security – I see it as both a technically interesting/challenging space, and also a sacred trust / higher calling. I am candid and direct – firm, but fair – critical, but not to be negative. I can sometimes be mistaken as negative, because I start by identifying a problem – but I am a fierce optimist in my actions and in my drive to affect positive evolution. I am big on intellectual honesty. I am a huge advocate for the security practitioner.

I wrote my “Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry” for a few reasons:
1) I felt the “trusted security advisors” had been increasingly abusing that trust.
2) I felt that we had ceased to keep pace with the evolutions in this space.
3) I saw how hard things were getting for the CISO +/- community and no one seemed to be looking out for them.
4) I think part of me was trying to get fired… so I could get a breather from Security for a bit.
5) I saw several peers quitting security – and decided maybe I should 1st speak up and try to change things.

Well, I didn’t get fired. And my candor was very appreciated. For some practitioners, I crystallized what was on the tips of their tongues or just beyond their reach. For others, the discussions fundamentally changed the way they looked at their work. I half expected backlash from some of the vendor community, but none of them could refute anything I was saying – because it was true – and it was fair. In fact, much to my surprise, some of the vendors were very happy that I started this ongoing dialog – they actually agreed.

Beyond being cathartic, the process gave me a renewed conviction and confidence that these challenges [although huge] were possible to fix – as long as we are candid, critical, ask the tough questions, challenge us to evolve, and get people talking.

Silence, Willful Ignorance, and Blind Spots are/were killing a space I am passionate about – so I wanted to motivate us to do just the opposite.

We’ve got to evolve – and we haven’t been. One of the biggest threats to our evolution at the moment seems to be the overall effect PCI DSS is having – but don’t get me started on that… [yet].

Q: How did you get interested in information security?

Well. I have always loved the heroes of ancient mythology and modern mythology (comics) – so I’ve always wanted to fight bad guys. My father worked for Digital, so I’ve been around computers since I could walk – and was fascinated by the early viruses. My 1st adult job was at Cabletron, a network company. I got a lot of foundational knowledge and value there, but one of our partners came in one day [Intellitactics] and gave us a “Security Primer”. I knew that day I had to get into Information Security full-time. I joined a start-up doing Behavioral Anti-Malware and was hooked. We were later acquired by ISS [Internet Security Systems] – which gave me more access and breadth. And they were later acquired by IBM where I helped drive the Cross-IBM Security Strategy and had exposure to just about every topic in the market.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

As an undergrad, I initially studied Micro/Marine Biology. I got kind of bored with it, but I was happy to be infused with the metaphors, models, and scientific methodologies. Any fan of Dan Geer knows how useful biology can be in the field of IT Security. I ultimately got my degree in Philosophy. I liked trying to solve insolvable problems. It was great practice for IT Security. Also, I knew that sound logic, analytical structure and writing skills would suit me for anything I tried to do.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a Marine Biologist and train dolphins. I love the sea – always have. Over time though, I wanted to write and direct films. Still do!

Q: What projects (if any) are you working on right now?

I could tell you, but I’d have to… Aside from a brand new job at The 451 Group, I do have 2 Security related initiatives cooking. One has to do with the supply side of vulnerabilities. Most of this market is focussed on the symptoms versus the underlying disease. We’re fighting the heads of the Hydra – not its heart. Another effort has to do with the good versus evil side of Security. Security is both a market – and a higher calling. Most do not realize the awesome responsibility that comes with Security. There are very bad people, doing very bad things. Too few of us recognize this – or are willing to rise to meet this sacred duty. What draws some of us to this problem space is somewhat akin to what draws people to be firemen, soldiers, EMTs, etc. E.g. Rich Mogull was an EMT. It is a space in need of Protectors. Some of us are drawn to this because we have a need to serve our fellow man.

Q: What is your favorite security conference (and why)?

Tough one… I’m growing sick of most of them. This space evolves so fast, but the conferences remind me how little we [collectively] are evolving. Of the bigger shows, I guess I dislike DefCon least of all. Some of these smaller shows are a lot more relevant. I really enjoyed webcasts I saw from SOURCE Boston, DojoCon, and BruCon. I’m super excited to do our PCI Debate at ShmooCon in January. I see PCI as a very serious threat to this space. Mike Dahn and Anton Chuvakin disagree. Hopefully we’ll break records for the sale of ShmooBall

Q: What do you like to do when you’re not “doing security”?

There’s life beyond security?!? [kidding]
I love movies. I love music. I love to cook. I especially love my 2 daughters. My personal time often involves 2 or more of these. Then there is also my lovely wife’s Honey-Do list… I had been playing Ice Hockey, but fell out recently due to too much travel. I miss it, I’m hoping my new job lets me get back into it.

Q: What area of information security would you say is your strongest? What about your weakest?

Hmmm. Good question. Tough question.

Strongest: I really feel like I’ve always grokked the Malware threat domain. But I’ve really moved beyond that. I feel like I’m strongest at pattern recognition. I’m able to see the tectonic plate movements and see where things are going. Most of my higher value contributions in the last few years are looking at the macro issues in the Security space. I don’t look at what people just did – I look at WHY they did it, and predict what is likely to happen next – with pretty good accuracy. I think we’ve got a complex [and highly sub-optimized] ecosystem, so I’ve been paying attention to the major forces that shape it – evolution in Threat, Compliance, Technology, Economics, and Business Priorities. When you see the patterns, you can predict what will happen next, what will work and what will not, and see how we’re failing over-all – as well as figure out how to evolve to approach a better equilibrium.

Weakest: I’d have to say “Identity & Access Management”. In the grand scheme of things, I know it is super important. That said, I’ve always found it incredibly boring. I’m just being honest. Recently though, I’m starting to pay more attention to it – for at least 3 reasons: 1) As we embrace clouds, this space gets even more important. 2) I’m eager to see us combine disparate controls for greater security. E.g. WHO accessed WHICH data, via which APPLICATION, on which SERVER, etc. and 3) One of my analysts Steve Coplan has some real mastery and passion for the space, and together we’ve been seeing some of the roles it could play in the future. I mentioned cooking… as an individual ingredient, I’ve been bored by this space – but in the right soup, it plays a critical role.

Q: What do we, as a society, need to do in order to make information security more important?

Very good question.

I’d like to see more varied educational backgrounds enter our field. The most interesting angles I’ve seen often come from the people with atypical fields of study. The new thinkers bring us Economics, Psychology, Sociology, Communication skills, Biology models, Philosophy, etc. Security is far too focussed on technology. The People, Process, and Technology trinity put technology LAST. I think until we’ve embraced and involved people-at-large, we’ll be fighting uphill. I often refer to my mother-in-law in speeches. If my mother-in-law can get it – or carry a security mind-set or “ready stance”, we won’t have so hard a time getting some of our security agendas to make progress. That’s just an example.

In general, security folks speak in security tech/elite terms. If you want to get executive support, you need to speak their language. If you want a more engaged and aligned government participation, meet them at their level. If you want to take a bite out of eCrime and attacks on the unwashed masses in the “leper colony” of our mother-in-laws’ PCs, we need to use pop culture and accessible means to raise their ThreatIQ – even 1%. The people who say End User education doesn’t work are usually vendors who want to sell technology or people who suck at educating/communicating. Lame, 10 year old, annually mandatory Flash training doesn’t work – correct. I’ve written about positive examples before – maybe I’m due for this topic again. Quick example though: My hairdresser told me how she saw a Facebook quiz asking 20 questions. She skimmed them and realized that many looked like the kind of personal data that her bank might ask her for security questions. She was so proud that she didn’t fall into answering it. I made her 1% more skeptical – but that’s where it starts. You were with Shackleford and I at SANS when I said he and I should do a series of YouTube videos for the masses… “You can learn a lot about Security from [fill in the blank] – e.g. a Zombie Uprising”. Social Engineering WORKS… how come only the bad guys use it? We have a lot of untapped room for progress if we can make a Stop, Drop, and Roll-like campaign for Internet Safety.

Q: You mention PCI quite a bit in Twitter. What is your feeling on its effectiveness? What needs to change?

Where do I start… I’ll try to be brief. I am very concerned over the unintended consequences and impacts Compliance is having on our space. This is a BIG issue – probably the most central issue in our entire industry. Compliance is the #1 driver of security in our space right now. We have come to fear the auditor more than the attacker. You and I know Compliance != Security. One can be compliant and far from secure. The issue is that the world has conflated the digital dozen of PCI DSS for credit card PII data with industry best practices for all security. People are spending on mandated security – and little else. It was meant to set the minimum starting line, but in a down economy and overly costly/complex market – it’s become the finish line. This is not the intent – but it is the result.

I’ve compared PCI to the No Child Left Behind Act for Security – and the analogy holds very well (rybolov prefers “No Merchant Left Behind”). As an industry, we need to be VERY careful and VERY deliberate about the role compliance should and shouldn’t play. Compliance cannot keep up with [or be an effective proxy for] the evolutions in threat or technology – not with 2 year cycles and minor changes. Jack Daniel put it well, “Security is 2+ years behind threats, and compliance is 2+ years behind security”. But this is just one issue with it. What’s good is we’ve started some ongoing Adult, Rational debates on this. There is a 2 part podcast debate with CSO and NetSecPodcast. We debated this at ShmooCon and there is a [controversial] video that will be posted soon [we hope]. We’re also doing another panel Wed March 3rd at Bsides San Francisco… maybe even DefCon! The Southern Fried Security Podcast interviewed me this week on this topic. I think it airs as a special episode this Saturday. The important thing is the rational discussion with people from diverse, informed perspectives. It’s advanced my thinking and theirs – we need to keep going. It affects our whole industry.

Q: I saw you launched “Rugged” and the Rugged Manifesto at www.ruggedsoftware.org. What is the goal?

Software is modern infrastructure. Unlike steel and concrete, this digital infrastructure is not nearly as reliable. We’ve done a decent job developing tools and frameworks and evolving how we respond to weak software… but we’ve really failed to reach the non-security community. Rugged is a meme – a contagious value set – aiming to make non-security folk understand and value Rugged Software. I was also a little sick of our industry saying developers are lazy – so not true. Developers are talented, professional problem solvers. We’ve done a poor job raising awareness and getting people to see why they should care about Rugged software. “Security” has not worked. Rugged is something non-security people are understanding. Programmers can want to be Rugged and write Rugged code. Buyers can demand Rugged Software, etc. We’ve had huge excitement thus far. Oh… and by the way… clearly security vendors stand to benefit from Rugged getting traction, as more people need help becoming Rugged. If all we do is get 1-5% more people to their 1st OWASP meeting – or first Top 10 list… this is how change starts. Last point, there are lots of critics in our space – so there have been some “haters” already. My response is… we all claim we want better security – and for more people to care about security. Is Rugged perfect? Heck no. Is there good intent – and possible promise in it? Yes. I’m asking people to latch onto the good. shrdlu and jjx put it well in their blog posts. It’s a baby meme and needs support – but it’s worth nurturing and pursuing. So decide if you want to help make it better – or tear it down. I’m hoping for the best in our community to be their best and add their influence in a positive direction.

Q: What advice can you give to people who want to get into the information security field?

Hmmm. You need to bring your “P’s” or don’t bother. We need Passionate, Principled, Purposeful, Protectors (nod to Clint). This space is HARD, it is thankless, and it will suck the life out of you if you don’t “bring it”. We’re over our quotas for whiny, mopey, entrenched, sedentary, defeatists. Lead, follow, or get out of the way. Also, you need to be able to thrive on change. In a space that changes CONSTANTLY, our current ranks are often incapable of changing. Yes, “change == risk”, but guess what folks… we’re surrounded by it. Do the Evolution! So we need fresh blood – and if you fit the bill, please join the ranks.

Q: What advice do you have for technical people who want to move into an analyst or researcher role?

I will say that we need fresh voices and people willing to dialogue and tackle the tougher, central issues. I think too often the Analyst community is simply reflecting the “Consensus of the Uninformed” or echoing what a vendor told them. So selfishly, I’d like people with intelligence and passion [who may not even like analysts] to consider joining the ranks.

In fact, I’m hiring – right now. I need someone who wants to help me cause the right kind of trouble in exactly the right and necessary spots.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter: @joshcorman
BLOG: http://cognitivedissidents.wordpress.com/
Email: jcorman@the451group.com
skype: joshcorman
AIM: joshcorman
LinkedIn: http://www.linkedin.com/pub/joshua-corman/2/840/5b0
