Our latest interview is with Donald C. Donzal – perhaps best-known now as the founder and editor of The Ethical Hacker Network and ChicagoCon. Don had his first ‘real’ job in IT as a Systems Admin for a hospital. He later formed a successful consulting business, joined a startup, elco Billing Solutions, Inc, as CTO, and became Director of IT for the Dept of Medicine at the Univ of Illinois at Chicago (UIC), the largest medical school in the country. He created CSP Online Magazine as a free and open exchange of security-focused credentials and later expanded with the Ethical Hacker Network, which has grown into a fantastic resource with forums, giveaways, reviews, articles, and more. Don took the time to answer a few of our questions on the security industry and where jobs and certifications are headed in the coming years.
Q: The Ethical Hacker Network has become a clearinghouse in the industry for news and information relating to security training and certifications. What was your motivation to start EH-Net?
DD: It pretty much came from a desire to give back to the community that gave so much to me. I always believed in the concept of paying it forward. So, I had all of this information compiled about security certifications and training options, because, being the geek that I am, I researched it to death when trying to advance my own career. While compiling all of this info, it became apparent that there was not a single source of information on the Internet that specifically dealt with security. Sure there were MS and Cisco certification sites, but nothing on security. So I immediately saw an opportunity to fill an information gap and thus came my big idea for giving back. I didn’t really think of making money back then. To be completely honest, I did think that this would be a great way to get free stuff. I had all this information that would be great for a reference-style site, but in order to get free books and training, I’d have to report on it as well. Light bulb moment!!
I knew I didn’t want simply a blog. At the time, blogs were not accepted as much as they are now. So if I wanted to convince publishers and training providers to cough up free stuff for myself and my readers, blogs just didn’t do it. Next was to consider what format to use that wouldn’t require a massive investment. A magazine would be perfect, but also at that time, most magazines were still in print with just an online presence. Most in the business and media worlds scoffed at online only magazines. It just seemed to make business sense (or lack of time and money sense) to get rid of anxiety-ridden deadlines, eliminate the high cost of printing and have easier and cheaper access to a global audience. Being bold, I decided to try my hand at an online only magazine.
My first effort was The Certified Security Professional (CSP). It was doing well and growing, but I had the itch to do something in the hacking arena. I’m not really an underground kind of guy. There were plenty of sites that dealt with the hacker underground, but I was always looking to do something more on the professional side of hacking. Plus, I truly felt that the term ‘hacker’ and ‘hacking’ had been hijacked by the media. I had a strong sense that I could help legitimize the process by balancing the media coverage. The only way to do that was to form my own media outlet that was a proponent of legal hacking. There was a new term being mentioned every now and then that seemed to fit. So I registered ethicalhacker.net at the same time as CSP (That’s right, I registered it. It was available when I looked and didn’t have to buy it from someone). New idea, no one is doing it, seems to have a need… another light bulb moment.
So I took the lessons learned from CSP and formed The Ethical Hacker Network (EH-Net). Although .net was originally supposed to be reserved for ISPs, I liked the thought of having a professional ‘network’ of ethical hackers. And it took off. I eventually got rid of CSP, moved the appropriate articles over, and let EH-Net be the 2nd generation site that dealt with much more than just cert exams. We’re kind of a counter-underground. We (mostly) use our real names, project a positive message, welcome newbies with open arms and focus on being on the right side of the law. And here we are now with both Alexa and Technorati listing us as in the top 1% of all sites online. To this day, I still keep as the foundation of the site the philosophy of being a community where people can learn, give back and advance their careers all in an ethical manner. So far so good.
Q: What do you feel an IT Security Professional that wants to advance his or her career should be doing in today’s job market?
DD: Building their resume. Now that is clearly easier said than done, so let me expand a little. Regardless of when your job search begins or ends, professionals should keep their resume updated at all times. That also includes coming up with ways to fill in the gaps in your resume. And in today’s tough market, there’s plenty of ways to beef up the resume without a huge cost. How about volunteering your time with a non-profit? They need your knowledge, and you need experience. Sounds like a perfect match. Offer to write something just for the exposure. If a print magazine, online publication or trade journal can’t use your services, don’t just give up. Start your own blog. It doesn’t hold the same weight, but it does show initiative and an ability to communicate – definite hot buttons for employers. It’s a known fact that when jobs are scarce, attendance in higher education skyrockets. Maybe that is your path. Work on proving your skills with certifications.
I get asked all the time what is more important on a resume… education, experience or certifications? My answer is YES!! Ask yourself this question. If you were an employer and saw 2 resumes, one with just certs and the other with certs and more, which one would you choose? Or better yet, if you had 100 resumes to go through and not enough time to interview every candidate that sent you one, how would you weed them out?
Of course, the resume has to be out there, but what most people forget is that YOU have to be out there, too. There are literally millions of resumes on job search sites. Rarely does someone get a job by just posting a resume and waiting for an answer. So get out there. Go to a local professional group, community meeting or conference. These are great ways to meet like-minded people and do the first thing required in sales… make a friend. I know it sounds horrible, but you’re selling yourself. Make a friend in the industry, and you’d be amazed at what happens. There’s another pesky rule – it’s not what you know but who you know. A beefed up resume and a pocket full of business cards… sounds like you’re well on your way to the job of your dreams.
Q: What skills should an Ethical Hacker have to be successful in a penetration testing job role?
DD: Skill #1 is an undying sense of curiosity. That is the hacker mindset. But how do we apply that to ethical hacking? Well the other word in that phrase is ethical. Having a criminal record is never a good thing, and it follows you even though you keep it off the resume. Even if an unethical action is done, it may not have been a criminal act. As we all know, our past has a way of catching up with us. So make every attempt to be ethical in all things you do.
Have those skills as a foundation and we’re off and running. Ethical hacking is growing, and with any maturing industry, it is starting to specialize. Originally, there were 2 main camps for ethical hackers, Systems Admins (I use the plural because networking is included here as well) and programmers. It’s expanded since then to include forensics, physical security, and many more even including project management. After all, we need someone who can write and communicate all of the technical jargon into a 1-page summary that a C-level exec can understand and use to take action. But I think everyone should at least be able to understand the other roles of a pen testing team even if it’s not your area of expertise. So the Windows and Linux Admins should learn TCP/IP and basic programming like Python. The Programmers should bone up on Cisco and Microsoft. If you’re just entering the field, try a little of everything to figure out where your strengths lie. Then go for it.
Q: What are the long term job growth prospects for Ethical Hackers?
DD: That’s a tough one. In this economy, companies are looking for ways to keep the doors open, so they look to cut costs in any way they can. Unfortunately, this makes them not very proactive on security. On the other hand, regulations and standards like HIPAA and PCI force the hands of many organizations. I can say that my friends in the pen testing arena are doing decently well and are always looking for good people. The government is growing as well. Both the private and public sectors are having an interesting dilemma. They have positions but not enough experienced people to fill them. It seems like everyone out there wants the perfect employee to justify the high price of investing in a new employee. That makes it hard for those just breaking into the industry, yet very lucrative for those who have the skill and experience. But the economy can’t be horrible forever, so between an eventual growth in the economy, the constant threats, and regulations requiring ethical hacking services, I do see the long term outlook being good in our industry.
Q: When do you think we will see another ChicagoCon?
DD: Great question. At the same time the economy was tanking, I also had some personal priorities to weigh. Nothing bad, and, if asked in person, I’ll ramble on probably more than anyone cares to listen. I just don’t think a public forum is the place to do it. But when it came time to cut a project, and I looked at the time and effort to put on a community event compared to the reach of an online magazine that has really garnered a following, the decision was easy. The rest of my time is spent with family. I think I made the right choice. :-)
As for the next one… 2011 is a new year. I have my eye on the fall. In the meantime, if you’re looking for local events in Chicago, check out SANS Chicago, IANS’ Midwest Information Security Forum and THOTCON. So I guess I can say that ChicagoCon is not dead, just on an extended hiatus. ;-)
Q: What new skills do you see in demand for 2011?
DD: The top areas of this year will be the same next year as well. So computer forensics, network pen testing and web app security will still be in high demand. As for things that we’ll start to see grow even more in 2011? In a nutshell, let’s point out the obvious… mobile, 802.11n and IPv6. IPv6 gets mentioned every year, so I guess we can take that with a grain of salt. But keeping with the theme of making your resume stand out, if this is a skillset you have, you’ll be in a better position. 802.11n will eventually get intermixed with normal wireless security. Then there’s mobile with all the apps currently out there for iPhone and Android, and the coming apps for Windows Phone 7, Blackberry and Palm’s WebOS (now HP’s choice for their mobile devices). Add in the fact that there really is no requirement for these apps to be secure before consumers bring their devices into the enterprise, and we’re in for a busy 2011.
Q: How do you feel cloud computing will affect the work that security practitioners do?
DD: It won’t. IMHO, cloud computing is a marketing term. With that in mind, it won’t ‘affect the work that security practitioners do.’ It may just mean that professionals need to be more adept in their web app pen testing.
Q: If you were an IT generalist wanting to move into a security career, what path would you take?
DD: Start reading The Ethical Hacker Network. ;-) I say this in jest, but the free online magazine, for which I am the Editor, covers this topic numerous times and from many angles. It will give you an idea of what others have done and also gives you an opportunity to get advice directly from the community of which you want to be a part.
Let me give a common roadmap, but please keep in mind, your path and results may (and should) vary. Also forgive me in advance for putting this in terms of certifications. Start with making sure you get the basics with CompTIA’s Security+. Then move into something like CEH by EC-Council by doing a course that covers more than what the CEH requires. InfoSec Institute does a good job with this (and not just because they are the sponsors). Please don’t ever think that just by passing the CEH exam, that you are now a pen tester. It really is more of an intro to the field. After that, move on to something more advanced like eLearnSecurity’s PTP, Offensive Security’s OSCP or SANS GPEN. As all technical pursuits, you will never be able to stop learning if you want to keep pace. And you will eventually have to specialize. So the credential you pursue will be based solely on where your strengths lie.
One other thing to mention is that the above example is for pen testing. The question asked about a security career. There are many other disciplines in the security field… infrastructure, secure coding, auditing, compliance, security management, incident response, and the list goes on.
Q: What are the hottest IT Security certifications this year?
DD: Same as last year. :-P
Q: What do you think will be the top three security certifications three years from now (2013)?
DD: Same as this year. ;-)
Q: What are your opinions on employer or government mandated certification programs such as the DoD 8570.1?
DD: I like it… with a caveat. I am famous for saying that certifications are a baseline of knowledge and by no means an indication of expert status. I think I can type that in my sleep. But it’s important. Neither employers nor employees should ever think that since they have some letters after their name that they are ready to get a job solely based on that alone. On the other hand, the mandate is not so great for those who are older in this industry and actually do know more than most without having the alphabet soup after their name. But for those just coming into this line of work, I think it’s good to let them know that there is a bar. It may be a low bar, but there is a bar nonetheless.
Q: What do you feel holds more weight in the market, vendor security certs (such as the CCNA Security or Cisco ASA Specialist) or vendor neutral certs (such as the CISSP, CPT or Security+)?
DD: Depends on the job. If I’m interested in a highly technical position in the trenches of a Cisco shop, then a CISSP does me no good. Same thing if I’m interested in a management job in a security division of an organization, an MCITP is less of a requirement. But for the purposes of this interview, I feel it’s important to point out that a security job is much less focused on a specific product by one company. But just as above, if someone had credentials from both sides of your question, that resume would rise to the top. As an example, look at someone with a CISSP, CCIE and MCITP vs. someone with Security+ (great but entry-level credential), CCNA and MCTS. You be the judge.
Q: What is your opinion on using “braindumps” to prepare for certifications?
DD: They’re great if all you want is to pass the exam. But as mentioned above, a resume that pops to the top has much more than that including experience and an ability to show true knowledge. How well do you think braindump cramming will help you if asked some real-world questions on an interview? Hmmm.
But there’s an angle that not many consider, and that’s the ethical and legal one. How did the company get questions and answers that are pretty much verbatim? If it’s a test taker or a testing center giving the braindump vendors the material, either way, both scenarios violate agreements with the certification organization. Bad way to get into ‘ethical’ hacking.
Here’s a good tip. How about someone looking to get certified making their own braindump based on the books they read and the sample questions in those books? It forces you to go over the material many more times and, in effect, it makes the information stick.
Q: When do you think live online training will approach the quality of traditional classroom based training? What about for courses that are highly technical in nature with complex labs?
DD: It’s close now with video conferencing technology and virtual machines, but then again it depends on how you define quality. There’s a certain ‘quality’ to training in a classroom setting with a live person right there in front of you. Add in the fact that you have to get up early, be presentable, have the give-and-take with not only your instructor but also other students all in a setting away from work, kids and other distractions, it just makes the whole experience more immersive. Thus in my opinion, classroom training will always have an advantage. On the other hand, I’m thankful for the efforts of training companies to offer more alternatives to standard training. In times where companies cut training and travel budgets (sometimes so much so that the students are paying for these courses out of their own pockets), it allows much more of the community to get the skills a professional should have.
Q: How do you keep yourself in the know and up to date on the latest security issues?
DD: Read, read, read. I don’t care how you do it, just read. It used to be just books and magazines. Then came the internet and blogs, podcasts, online magazines and such. Now add in Twitter and other social media sites, there’s no end to the ways in which someone can keep up. So what do I do personally? Well, I’ll admit it… I’m cheap. So much of what I do is available for free. I download a number of electronic versions of print magazines that cover the spectrum of tech (not just security) such as CPU Magazine, MaximumPC, (In)secure Magazine, Hakin9, etc. which are great when travelling or in bed. I get free print magazines such as eWeek, Redmond Mag, etc. that are useful when nature calls. Whenever I’m standing around doing nothing, let’s say, while waiting for my son to get off the bus, I use my phone to browse the latest entries from Twitter and Facebook. Then there’s plenty of security specific sites and podcasts too numerous to mention for exploits, tool releases, news and more. Newsletters can also be handy but can quickly get out of hand. So I find Twitter is taking over that space. Follow thought leaders, and they’ll all keep you informed. Being the Editor of The Ethical Hacker Network, press releases and direct email get sent to us often. As the site has grown, our forums have become very active with news, tips, tricks, techniques and more. So being a part of any community, be it ours online or local groups in person, helps you and others be in the know.
Q: We have seen a shift in the past 5 years from server side attacks to client side attacks. Do you think the security industry as a whole can lock down the client side as well as we have done with the server side?
DD: In a word… No! Simply because as long as humans are in the equation, we’re never safe. I do think we go in cycles. Humans will become more informed and aware of the threats. Then when IPv6 becomes more prevalent, things will switch again to the network. Then back up the OSI model again. At that point humans will become complacent again, and the whole thing just keeps on a spinning. The good news is that I think there will always be a need for security professionals. That sounds like a great place to stop and say thanks.
Thanks Don, and be sure to check out the latest at The Ethical Hacker Network.