Published: 01 Apr 2002
On a door inside eEye Digital Security headquarters is a modified zoo sign warning guests not to annoy, torment, pester, plague, molest, vex or worry the engineers within. Two skateboards are parked at the suite's entrance. Among employees in this large lair is Marc Maiffret, the company's chief hacking officer. His hair, blue now, green then, stands out but also fits in with the bluish-purple ("blurple") walls, paper lanterns, candy dispensers and video game paraphernalia that make for funky feng shui.
The company, a maker of high-end network security software, last year discovered a vulnerability in Microsoft's IIS Web server and later issued the first warning of malicious code exploiting that flaw. Maiffret and his crew named that worm Code Red after the caffeine-rich soft drink that sustained their long hours of research. At 21, the Southern California native devotes his days to writing code, working on OEM deals, finding vulnerabilities and talking to the press. He bristles when asked about his BMW and his Aliso Viejo, Calif., condominium. He's not trying to be difficult, he explains. "I just get weird when people ask me questions beyond eEye, as none of that really matters."
That zoo sign, though meant to set the workplace tone, may unintentionally say something else. People like Maiffret are among a new breed of information security professionals: youthful and technically adroit, self-studied and totally uninterested in the corporate look. They also may become an endangered species.
What's In a Name?
For all the talk about standards and protocols for products and services, information security has done little to formalize criteria needed to make it a bona fide "profession." Ask 100 practitioners what it takes to be a "security professional," and you'll likely get 100 different answers. This is partially due to information security's "open employment policy," which has led some unlikely people -- ambulance drivers, cattle ranchers, police officers, high school dropouts, etc. -- to join the ranks. In some ways, the odd mixture has strengthened the pool of expertise. But it also has muddied the definition -- and formal recognition -- of the field.
"A lot of people come in and believe security is some totally different language and another world they'll never learn. Managers, meanwhile, think there's nothing to security and, therefore, they can hire just about anybody and train a moron to do this," says Ira Winkler, chief security strategist for Hewlett-Packard. While some industry groups are pushing professional certifications based on a common body of knowledge, there remains a fundamental disagreement about what exactly a security professional is supposed to be (or do). In turn, security continues to be treated like IT's second cousin, considered part of the family but with little say -- let alone pull -- in budgetary and staffing issues. With few exceptions, it still doesn't have a seat at the corporate table.
To improve the security specialist's recognition within the enterprise, a growing number of its practitioners are pushing for accredited college curricula, professional credentials and, in some cases, serious attitude adjustments.
[Photo caption: Marc Maiffret, Chief Hacking Officer, eEye Digital Security]
The Marc Maiffrets, who have raw talent despite no diploma, will likely survive the purge. But what's to become of others caught up in this cultural cleansing? Will these efforts improve or exacerbate the current divide? Most importantly, when will the profession evolve to the point that security is recognized in the same vein as medicine, law, education and accounting? And is it enough -- or even necessary -- to cross the threshold to operational- and board-level respect within enterprises?
The Cultural Divide
"The biggest difference between us and the new breed of kids and hackers making the transition is that they tend to believe that the bits and the bytes and the coding is the be-all and end-all. If you're not a coder, you suck," says author and entrepreneur Winn Schwartau, whose 20-year infosecurity career ranges from building security awareness programs to creating a game show for security conferences. "I've been in endless debates on this and refuse to debate it anymore. It's incredibly myopic on their part. If that's your worldview, we're really in trouble."
Schwartau's harsh words later are tempered by a suggestion: Keep this article positive. What's happening to infosecurity happens everywhere. "What it is, is youth," he explains.
Numerous practitioners interviewed for this article repeatedly echo that sentiment. Please, don't draw a line between Us and Them. Don't lump or split people into certain camps. Don't make the division the focus.
Yet each person, young or old, admits traits that distinguish the "old guard" from the "new order," and that fundamental division is at the heart of the debate about what it means to be a security professional. The field itself, all of them note, is still young and not yet mature.
Most agree that older practitioners from the mainframe days generally can't keep up with today's technology and increasingly complex attacks. On the other hand, their experience and management skills remain vital to problem solving and selling the importance of security throughout the organization. They have a certain cachet in the organization that the new guard doesn't.
Maiffret, clearly among the young set, dismisses the differences, instead emphasizing commonalities. "Whether you're a hacker now, 20 years ago or 20 years later, we all share the same thing -- curiosity. It's the driving force," he says, sitting at a long teak conference table inside a circular room at eEye's Southern California headquarters. At this year's RSA Conference in San Jose, Calif., Core Security Technologies CEO Jonathan Altzsul and CTO Ivan Arce, both young men on the upslope of their careers, privately comment on the generation gap. "Things change rapidly. This requires changes in the information security professional and a dynamic attitude towards the technology," Arce says.
Adds Altzsul: "The older guys know how to create and enforce policies. The young guys do not understand that very well. What you have are two different generations of information security people that don't share the same experience."
"I think the field is being populated by a lot of new technologists who look on security as a technological job rather than looking at it as an army defending against enemies," says Donn Parker, a founding father in the field and still active as a security consultant for RedSiren Technologies.
In the Beginning
Where did these two distinct threads of philosophy and methodology come from? To predict the role of the future security professional, it's important to understand the different upbringings that led to two fundamentally different approaches toward solving the same security problems.
"Initially, I think the field was populated by pretty unqualified and relatively incompetent people, though lots of smart people were in the field as well," Parker says. "People were told, 'You'll either be laid off or work in security,' and most chose to work in security, even if they weren't good or highly qualified."
Though its birth as an occupation is arguable, information security became visible in the mid-1960s, when federal auditors began to assess the controls within mainframe computing environments. With no blueprint to follow, they turned to one another for help, experimenting with programs and calling each other with new discoveries. "The old guard -- people like me -- used to know everything there was to know in security," Parker says. "But as security became more complex, generalists like me ended up knowing less and less about more and more."
[Photo caption: Donn Parker, RedSiren Technologies]
The early practitioners worked in relative obscurity; even their co-workers were unaware of what exactly these new audit types did. The media helped change that by publicizing computer crimes and bringing attention to the people charged with creating safeguards. But businesses were much slower to embrace security. A visit or call from the security guy could only mean trouble. A military-like mentality of hardening perimeters against an unseen external enemy didn't resonate with executives. Security was a budget drain and productivity stifler.
The government-sponsored Rainbow Book series, begun in the 1980s, produced the first documents to recommend essential security practices. Some argue this is when information security officially made it onto the map. Early security reached a nexus in 1987, when Congress passed the Computer Security Act, which established minimum security practices for federal agencies and workers.
Security during the mainframe era was as much physical as it was virtual. But with a rise in real-time, multiuser operating systems in the 1970s came a refocus on security at the operating level. By the early 1980s, computational work was being moved off expensive machines stored in a section of a building to networked PCs spread throughout a facility. The decentralized client-server computing environment was less costly, but also less secure. More people had access to data through modems and computer links; enterprise security became a daunting task.
In the 1990s came widespread use of the Internet. Data dripping from the spigot turned into a deluge as the number of TCP/IP-interconnected computers and networks radically increased -- along with the potential for cyberattacks. Physical perimeters became virtual perimeters, with strangers (partners, suppliers and customers) now reaching deep into corporate networks. Security was as much about "enabling e-business" as defending against cyberattacks. Meanwhile, the demand for qualified security personnel far outstripped the supply.
The New Kid in Town
Helping to fill the growing gap between prevention and protection, cyberthreats and attacks was a new type of hacker. With few texts and even fewer teachers to guide them, these information-hungry, computer-savvy kids turned to chat rooms and hacker groups for instruction. They pooled talents and created free online tools that rivaled commercial software. Working from home, they produced penetration tests to bolster freeware robustness and broadcast holes in commercial applications to boost their popularity.
In contrast to the "nerd" image of their elders, some wore ostentatious attire and unconventional hairstyles. Others were distinguished only by their hacker handle, or 'nym, which they preferred over their real names.
A meritocracy developed that placed the most talented at the top of the hacker heap. Their work got noticed, and mainstream professionals began asking them for advice. Soon they began joining the corporate ranks. A new type of security consultant was born, one whose roots ran deep in technology, but not necessarily with training from a university computer science or engineering department.
As people poured into the field, the culture began to change. Now, it appears to be at a crossroads. Will information security continue as an Ellis Island for young talent, regardless of age, education and background? Or will it expand its demand for qualifications, such as an apprenticeship based on a college education and real-world experience?
The More Things Change...
Executive consultant and management trainer William H. Murray, whose career includes 30 years in security, is among those trying to root out what he calls "the rude ones" -- kids who were given jobs in information security despite refusing to shed their gray-hat practices. That doesn't mean Murray can't relate to the internal struggles of these young hackers, who sometimes don't fully understand the power they possess -- or the consequences of abusing that power.
Years ago, while Murray was working at IBM (www.ibm.com), a colleague called to say he'd found an escape mechanism in a program. Within an hour, Murray had written code to embed in a document that, once opened on the other end, would send every file stored in the recipient's computer to the sender without him noticing. "And I was just about to send it to a colleague when I had that little 'gotcha.' I said, 'Whoops. Nice people don't do this.' Then I thought, 'Dear God, that sense of power I felt just as I was getting ready to push that button -- that's what the hackers feel; that's why they do what they do. They don't have the little habit of saying, 'Would a nice person do this?' They were never taught it."
Murray, Parker and Schwartau are among older practitioners who believe better ethics training is one way to improve the up-and-coming ranks. It's slowly taking root in elementary schools, where children today are taught computer etiquette -- a subject never available to their siblings and parents. Meanwhile, professional groups such as the International Information Systems Security Certification Consortium (ISC)2 (www.isc2.org), have made ethical behavior a fundamental requirement for certification. Despite these efforts, formal ethics still isn't an integral part of computer security. Other occupations have clear-cut codes to follow -- and consequences for those who deviate from them. A physician found to have violated his Hippocratic oath, for instance, lands in hot water with a medical board.
A lawyer who fails to properly defend a case can be suspended from the bar. But there's no official entity overseeing the powerful role of the security practitioner. And while a few countries are instituting laws for criminal hacking, many view these regulations as too little, too late. Instead, infosecurity relies on market forces to weed out those who fail to meet basic ethical obligations. But is it working? Is more ethics enforcement needed? No one seems to know for sure, suggesting the industry might be getting what it wants and needs from the current paradigm.
While ethical standards are slow to catch on, a prerequisite formal education is gaining momentum. Those new to the field are finding it harder to jump in without a college degree. Just ask 16-year-old Douglas Pichardo, who sought advice on a computer security career from members of a SecurityFocus (www.securityfocus.com) mailing list. "Most said I should go to a good college and get a computer science degree, and I agree with that," the Virginia Beach, Va., student says. "One guy in Great Britain hadn't gone to college, and he hasn't been hired yet, but he has gotten 80 negative replies from people. Other people -- one or two -- who went that route said it probably would have been smarter to have gone to college and gotten a degree."
There are now more educational options for people like Pichardo. Universities and colleges are offering programs, even degrees, focused on computer, Internet and information security. East Stroudsburg University in Pennsylvania last year became the first school to offer a formal bachelor's degree in information security. Other universities, such as Purdue, Berkeley, George Washington and George Mason, offer certificate specialties through computer science and computer engineering departments. Many others also offer security programs or tracks to fill the demand for security specialists.
Instead of moving toward a specialized track in security, HP's Winkler believes security education should remain under the "computer science" curricula, where students receive broader training. "People need college degrees -- not to do a good technical job, but because these people will be more robust, have better writing skills and better understand the people they have to talk to," he says. "A college background is supposed to provide people with breadth, not depth."
That interdisciplinary approach is applicable to computer security programs, some say. "Security professionals need grounding in a wide range of computer science, information security, communications and psychology. That's the basis for our master's program," says M.E. Kabay, program director in information assurance at Norwich University in Northfield, Vt.
Kabay says he still encounters infosec people who argue over fundamental concepts such as confidentiality, integrity, availability and utility. "They don't get it. They don't know about it. That's how fragmented and bad the degree of common terminology is in our field. We're still not a profession with all the standards that apply to any other profession, like engineering or medicine or chemistry.
"But it's coming," Kabay adds. "We're moving to a stage where there are half a dozen places where you can get a bachelor's degree and two or three where you can get a master's, and it will increase. And we'll see security people becoming more professional and more rounded and more aware of the range of skills -- including human communication skills -- that are essential for success in our field."
As the profession moves toward mandatory degrees, what's to become of those who jumped in without that piece of parchment? "I see so many promising people, primarily men, seduced into going straight into the field with the education they got in the back alleys of the Internet instead of going to college because there's been this demand," says Carolyn Meinel, a consultant known among the security digerati as the "Happy Hacker." "They get used to making all this money, and what's going to happen when five years from now there's enough people coming through the old-guard pipeline -- people with college degrees?"
Meinel believes it will be up to employers to send uneducated hackers with raw talent through college -- if not to improve the workforce, then to avoid potential industrial sabotage. "I'd hate to see what happens with this industry because the guys who are going to lose their jobs will be able to do a lot of damage. There is more than one reason to not waste the valuable resource," she adds.
Down to the Letter
While education is gaining acceptance, credentials remain controversial. The list of acronyms that can now accompany a security professional's name is expanding exponentially. Perhaps the most established certification is (ISC)2's Certified Information Systems Security Professional (CISSP) certification, obtained by passing a lengthy multiple-choice test. Beginning in 2003, younger applicants will be required to first obtain a four-year degree, a decision coincidentally announced by (ISC)2 officials after a 16-year-old high school student in India, who met the three years' professional experience requirement, passed the exam.
In announcing the college requirement, (ISC)2 managing director James E. Duffy said, "Most professions require a degree. Most jobs in that sector of IT require a degree." Other certifications include The Disaster Recovery Institute's Certified Business Continuity Planner (CBCP); the Institute for Certification of Computing Professionals' Certified Computer Professional (CCP); The Association of Certified Fraud Examiners' Certified Fraud Examiner (CFE); the Information Systems Audit and Control Association's Certified Information Systems Auditor (CISA); The SANS Institute's Global Information Assurance Certification (GIAC); and TruSecure's ICSA Certified Security Associate (TISCA).
But what do all those letters really mean? To some, it isn't competency. "Where once security was self-taught and passed on by fellow administrators, security training today isn't considered valid without a formal curriculum. The motivation for security training has shifted from simply learning to achieving certification," says Carole Fennelly, cofounder of Wizard's Keys, an independent security consulting company. "Not that there isn't a need for standards to measure security knowledge, but certification alone isn't enough.
"Conversely, the lack of certification does not mean a person isn't qualified. Like the early system administrators, some of the brightest security people hold formal training with disdain. It's easy to send people to class and get them certified -- this is simply knowledge, not skill."
In the meantime, business and law schools are calling on infosec leaders to speak to their students about computer and Internet security issues. The U.S. government is helping make the security profession more visible -- and attractive -- by offering scholarships to high school students and mid-career professionals to pursue cybersecurity and take government security jobs.
The push is one way to bring respectability and consistency to the field. The future information security specialist must come better equipped in communications, business and technical skills to be considered -- and treated -- on par with other professionals. Established and enforced ethical guidelines will help weed out -- though certainly not prevent -- bad seeds in the space. Specialization in the form of credentials and specific college degrees will help push new technologies and policies. As Tripwire (www.tripwire.com) CTO Gene Kim, 26, a product of Purdue University, puts it: "The people who will stand out five years from now will have succeeded by making the old-guard principles applicable and relevant."
Information security will continue to draft free agent talent, and benefit from the diversity. There still will be room for those who stumble into the space because as former biostatistician and current @stake CTO Dan Geer notes, "Smart people often can make the jump, and often you get some sort of hybrid vigor out of this. You cross two plants, you sometimes get a stronger plant. You cross two careers, you might get a stronger leader in that space."
That cross-pollination of careers will continue, as will security ranks strengthened by promotions or lateral moves from within an organization, as it was when the field first formed in the 1960s. Curiosity will still be the cultural binder -- as well as, perhaps, a four-year college degree. More employers will look for certain letters after an individual's name, though it remains to be seen whether it will be CISSP or some other acronym.
The next wave of security workers will be better prepared than those who initially came to the space. That's how it works in every occupation. At the very least, security is finally on the agenda in a growing number of boardroom meetings. The marketplace already is making a distinction. Security certification bonus pay increased faster than all IT disciplines last year, with bonuses averaging 8.3 percent of base pay through Q3 2001, according to David Foote, an industry analyst on IT workforce and executive management issues.
"This is a great time to get into the field," Geer says. "So if you've been thinking about it, don't wait five years, because like anything else, getting in will be harder the longer you wait.
"If you can, pay some attention to your credentials, because over time credentials matter. My credentials are experience and reputation and where I've been. There will come a point where that isn't going to be as important as what you know and who says you know how to do it."
About the Author:
Anne Saita is senior editor at Information Security.