8 de septiembre de 2019

The engineer's conundrum

Well, it has been a while since my last post. Around eight years where as any reader can imagine the IT industry has evolved beyond imagination. Or maybe it doesn’t, what do you think? What its true is that it has been 11 years since I did my first post. That’s around 27% of my career (who knows) so, I have learnt a few things since that day. If you are around the forties most probably you are in the top of your career, maybe not in terms of salary or functional hierarchy, but yes in terms of productivity, brainpower, that is, capacity to deliver. On the other hand, if you are in your late twenties or the beginning of the thirties, you are most probably still growing my friend, putting in practice all that knowledge you did gather in the University, Master program or what you did study. If you are in your fifties and you are an IT engineer, this post may be also of interest for you.


When I started my professional career I already knew what Artificial Intelligence (AI) is, actually I did code a funny Brisca program that I trained against myself and some friends. Bayesian networks and other fancy-AI-terms were already in my backpack, same for the data analytics (we called it data mining) or the bioinformatics. These fourth industrial revolution -things- were born many years ago, although they did evolve as the computers did since that time. In my internship (2006) I did a pentest based in OSTMM methodology and yes, 13 years later the methodology is still perfectly valid. Nmap is still a swiss knife and Nessus is as handy as always. Actually, most of the recommended security tools that exist today were common also 10 years ago. Just a fast comparison from the sectools website using archive.org :
Rank
1
Nessus
Wireshark
2
Wireshark
Metasploit
3
Snort
Nessus
4
Netcat
Aircrack
5
Metasploit
Snort
6
Hping2
Cain & Abel
7
Kismet
Kali
8
TCPDump
Netcat
9
Cain & Abel
TCPDump
10
John the Ripper
John the Ripper

You could argue that this is just a list from just a website, that is true. It’s difficult to support any statement only with this, what I can support is my feeling that not many things have changed since I started my professional career. In spite of that, every year I have this feeling of being a little bit more unplugged from the IT day-to-day. Nobody can be Mr. know-it-all (maybe only our brother-in-law), neither can I. Those that studied or study Computer Science knew from the very beginning that this was a different career, that we were going to get used to study, to have IT news every other day. And yes, even we couldn’t imagine that that was going to be absolutely right! I myself study in a “regular year” between 60 and 100 hours (not taking into account blogs reading, magazines or news), the number of hours is different depending on the employer, how much do you love IT and how much free time do you have. Don’t get me wrong, I love computer science and I keep excited whenever I try a new technology, even buying a new computer (and I have been lucking enough to have a few). But the raising question is, are 100 hours enough to keep yourself plugged with the reality? Well, as Consultant the answer is easy: It depends.

There are many career paths in IT, lets put it simple (pardon): You work in operations, admin stuff, patching and maintenance. You are impacted by change in cycles of 5-7 years, that depends on the technology where you are specialized. Every year there will be updates, new functionalities, more things to do with the same technology but I guess that the pace of change is something that you can handle in that training time. Most probably if you started coding in Java 10 years ago you still can do it and have a good sleeping every night without the worry that a disrupting language programming is coming to left you without job tomorrow (if you don’t think so, try to talk with a Cobol developer or a Mainframe admin). Same IT background, many different jobs, many different specialization branches. From my side I’ve been in the IT Security Consultant and IT Audit fields, so I did put security controls in place in any kind of project or I do review that the controls that are supposed to be in place are there. As a profession related with Trust or, using a more accurate term, “reasonable assurance”, you may face a much more diverse scenario in your day-to-day (please note that this a very high-level opinion, any job could be different and for sure I am wrong in many cases). You verify that the process, system, machine, “thing” will work as it is supposed to do and the bad guys will not sabotage it, jeopardizing business objectives.  So, there is no limit in what an IT auditor may audit, all the IT processes are in scope. When you are a Security Consultant something similar may happen, there is no system in production or under development that you may not be invited to review. Furthermore, there are new threats, new regulations, new IT processes or new technologies (I take for granted that people change also xd). If you look at the picture depending on the day you may feel excited or not so happy but hey, everything is not bad, we still have our 100 hours per year, and we work around 1700 hours each year. That’s a 6% of your time or the budget of your employer depending on the case.

Once upon a time I was a Computer Science student, that meant that in five years I had to approve 365 credits (3650 hours). After such a big effort, I became an engineer. If I, we, keep the studying pace as professionals, we will get a second Computer Science degree in 36 years (though maybe somebody will be thinking about retirement at that moment). Well, there is a small error in my hypothesis, working time is also learning time. When you join a new project you take your time to review carefully the documentation, to understand what this project is about, to prepare yourself and to learn. You may even buy books in relation with the subject, have interviews with the experts and become yourself “a new  expert” in a few weeks so you can provide the expected reasonable assurance.

Is this enough? Well, it should be. It’s you and your professional judgement who should decide if it’s enough or not (if not, raise your hand and warn your boss please). There will be some projects where, the harsher it is, the bigger the unrest you will have. Here is the Engineer's Conundrum, cause you are a professional, besides you love tech so, why not? Why not studying a little bit more, even in your personal life? But wait a minute, you are already doing your 40 hours per week, you have family & friends to attend, most probably you are gaining weight in your comfortable seat and you need also to come back to sports. After all you are around your forties. So, is this a real Conundrum? Remember the most famous security sentence: There is no 100% security. Oh now yes, everything is fine. If something happens you can say that and everybody will understand. Go play & enjoy the good life, you engineer.
I have my answer, you also should look for your answer. I write with some rhetoric just to relieve any burden to the reader. You know how good do you work, do you? Just to give you a clue I think it is not about how many hours do you study every year, it is not about how fast the technology, regulation or threats evolve, but about how do you challenge your work, your ideas, yourself. It’s good to do peer review, to attend those conferences where you talk with your colleagues, read books (many if possible) and take the temperature to the profession you did choose. No news, isn’t it? After all of that, what is your gut telling you? Here you have the answer.

I started this blog in 2008, I was excited to share everything that I learnt at that time in my job but also to share my own personal research. Sharing always gave me more than I got (I could write a very long post explaining why), and my gut just told me that it was a good moment to come back. Information Technologies are not the panacea anymore, the silver bullet to the world problems, actually many people look at IT as the source of their problems (specially those that were always unplugged or that lost or are about to lose their jobs). Misinformation and noise-data are also in every corner so, I decided to come back hoping that I can bring some light into this chaos. But I am not that altruist, I also hope that I can improve myself in this process, put in practice the hard-skills and why not, discuss with others these thoughts so somebody can challenge me.

Stay tuned.

6 de julio de 2011

Facebook Forensics Paper y algo más...

Ayer me encontré este divertido paper, y digo divertido por que realmente me pareció que muestra cosas curiosas acerca de esta popular red social. Incluye también bastantes datos que por el hecho de conectar nuestro iPhone o teléfono con Android podemos obtener (siempre y cuando tengamos la aplicación instalada claro).

Merece la pena echarle un vistazo.

Dicho esto una breve aclaración para mis tres o cuatro lectoras, allá por el mes de Enero inicié una maravillosa aventura, la escritura de mi primer libro (no tecnológico, se entiende). Desde entonces y gracias a los consejos de algún compañero bloguero (ejem, lobosoft) he consumido mi tiempo libre en tan gran reto, mi escasa pericia en el arte de las letras acompañada de mi perseverancia ha conseguido que esté prácticamente a punto de terminarlo, con lo que este gran proyecto (que espero publicar aquí) llegará a su fin. Aunque solo para poder adentrarme en otro nuevo, mucho más grande y que no tiene nada que ver. ¿Significa esto que "Todo es seguro" muere?, bueno, digamos que ya llevaba meses criogenizado y así va a seguir una buena temporada.

Por supuesto sigo dedicándome a la Seguridad a diario por lo que no descarto que un día... :)

Muchas gracias a todos.