INFOSEC is also used to describe the work (and, IMHO, attitude) of a certain type of corporate systems security department. MITRE, for example, actually has a dept. named INFOSEC, which does for MITRE (ostensibly) what the above does for the CIC. It also purports to do INFOSEC related work for MITRE clients.

INFOSEC folks tend to look down on the longhaired hacker type with a rude T-Shirt. They tend to continue this even after said hacker type, applying for a job, has cracked five of their servers wirelessly from his Newton and is offering them a documented fix for this problem.

Of course, maybe they just don't like smartasses. Still, I had promised to fix the hole and not bring the Newton in to work.

Note: Hacker and cracked are used to emphasize the different words. So don't email me.

Recent events have shown that the threat of information security (INFOSEC) breaches is very real and frightening. In a recent CSI/FBI survey, nine out of ten organizations reported a breach within the past year, and many of these reported significant financial losses as a result of these breaches.

IT practitioners need to be aware of the following topics in order to ensure the security of their vital information:

  • Networks and Telecommunications
  • Cryptography
  • Access Control
  • Security Architecture and Models
  • Applications and Systems Development
  • Security Management Practices
  • Operations Security
  • Disaster Recovery Planning/Incident Response
  • Risk Management
  • Law, Investigations, and Ethics

If you are seeking to go into the INFOSEC profession, your goal should be to land a job where you are likely to gain experience in one of the following areas:

  • Secure Applications and Systems Development
  • Implementation of Network, Telecommunications, and Internet Security
  • Cryptography and Cryptographic Applications
  • Management or Administration of Security (Operations Security, Network Security)
  • Design and Implementation of Access Control Systems
  • Development of Security Architectures and Policies
  • Implementation of Audit and Monitoring, Performing Audit Analysis
  • Performing Risk Management, Response and Recovery

Such jobs include software or systems engineering, programming, systems analysis, systems administration, or database administration.

Look for a job in which some part of your primary duties is to design or implement security. Once you have gained a few years' experience in one of these fields, then perhaps you are ready to begin looking for a role as a security administrator or INFOSEC analyst.

Note, however, that if you continue to work as, say, a programmer doing security-related work, you are in the INFOSEC field. You do not have to have "security" in your title to be in the INFOSEC profession.

Besides gaining experience in the field, formal education is becoming an increasingly important component of landing a good INFOSEC job:

  • I would look into one of these graduate programs: http://www.nsa.gov/isso/programs/nietp/newspg1.htm
  • For certification in the field (I am a CISSP), look into the following:

    CISSP Certification: http://www.isc2.org/

    SANS GIAC certification and training: http://www.sans.org/

Here's a good article on the INFOSEC profession: http://www.INFOSECuritymag.com/2002/apr/INFOSECprofession.shtml

Finally, I highly recommend reading this Slashdot interview with Fyodor, the creator of the very useful Nmap scanning tool: http://interviews.slashdot.org/article.pl?sid=03/05/30/1148235&mode=thread&tid=126&tid=172&tid=95
He has a lot of good ideas for how to build up your INFOSEC knowledge.
