January 12, 2009, 3:45 PM — Joel Scambray, co-author of Hacking Exposed, 6th Ed. shares equal parts helpful technical tip, sage career advice, and interesting personal profile.
This is the first in a regular series that will highlight new books and their authors.
What I like best about computer security, says Joel Scambray, co-author of Hacking Exposed, 6th Ed., is the challenge of the attackers' advantage and the defenders' dilemma.
"Fortunately," says Scambray, "information security is one profession that anyone who uses a computer can learn about first-hand every day." His advice: "Take a little time regularly to explore the security features of the computer you use frequently, using the Internet as a resource for more information. If you want to take it up a level, create a separate computing environment from the one you use for personal or business use (for example, a set of virtual machines running a free operating system like Ubuntu) and try out the attacks and countermeasures described in Hacking Exposed. There's no better way to learn the theory and practice of information security "that's how the authors and thousands of readers have done it since 1999!"
5 must-dos
- Define a security policy, even if it's short and simple.
- Get permission from and notify system owners before performing any testing.
- Be patient -- running the tool/test is the easiest part, interpreting the output is what differentiates the exceptional from the merely adept.
- Define the problem positively -- too often, security is regarded as "nothing happening is good." Set clear security objectives in advance, and think about how you will measure success or failure.
- Remember that security is about risk management, be practical in prioritizing the things you will fix and not fix (because you can't do it all).
5 classic mistakes
- Believing 100% security is achievable.
- Buying a technical tool but never reviewing or understanding the output.
- Mandating a policy without demonstrating practicality and/or getting buy-in.
- Over-investing in buzzword-compliant but incremental solutions when simple and inexpensive countermeasures can address most of the risk.
- Biting off more than you can chew -- pick your battles and be iterative.
Who should read Hacking Exposed? As with previous editions, Hacking Exposed 6 is targeted at people who protect information technology infrastructure and applications. Although written in a style accessible to wide audiences, the primary focus is on technical specialists such as corporate IT engineers, software developers, consultants, technical group managers/directors, program/project managers, and similar IT roles where it is critical to have a practical understanding of cybersecurity attack tools and techniques, and how to defend against them.
