Security Profile: Richard Bejtlich

It is impossible to be interested in information security without noticing Richard Bejtlich. He is a successful blogger, author of two books, and co-author of a third. Many have also had the chance to have Richard as a trainer and teacher. And even more have him as an inspiration.

Richard is the Director of Incident Response for General Electric. Before he joined GE, he ran TaoSecurity LLC – an information security consultancy based in the US. His CV includes many other interesting and impressive employers too.

 

Richard has a background as a military intelligence officer, but that is not where he got his interest in information security. It was merely a natural extension. You see, Richard got a Timex Sinclair (ZX80) when he was 8 years old. This sounds like some other people I know. And Richard used BASIC to create Boba Fett. Graphically, of course. And some of us understand that achievement all too well!

So what happened if you were lucky enough to have Boba Fett show up on your screen? Boba would ask you a written question: “Do you want to see me wave?” You could say yes or no. To Boba it made no difference – he would wave anyway. The reason?

R: “I didn't spend all day rendering that character to not have him wave!”

The ZX was replaced by a Commodore 64, and Richard discovered what a wonderful tool it was for creating and editing papers. After his Harvard graduation and his US Air Force intelligence service, he set out to defend enterprises and teach his peers to do the same.

Richard Bejtlich is a very analytical guy. He does not mind telling you what he believes is the truth. When I ask him about the impact IS has on business, Richard says:

R: "I don't think information security has any real impact on business. On the contrary, business has much more of an impact on information security. No IS department exists to serve its own ends. If it does, it won't last long.

Businesses exist to make money; other organizations exist to meet whatever their goal is. No one exists to "be secure" (which isn't possible, anyway). As a result the history of IS is littered with decisions by business leaders that weakened security in favor of revenue or simply convenience. Nothing changes until a severe, visible, financial- or life-damaging incident occurs."

This is almost like hearing myself speak, Richard. Perhaps I have spent too much time on your blog…

One of the things that amazes me about Richard Bejtlich is his attention to detail. You see it in his blog, you see it in his comments. You see it in his books.

R: “In my first book I defined risk as the probability of suffering harm or loss. I defined security as the process of maintaining an acceptable level of perceived risk.

Digital security applies that concept to information resources, where threats exploit vulnerabilities in assets to violate confidentiality, integrity, or availability via disclosure, alteration, or denial.”

What should a security professional do to improve security?

R: “The role of the security professional is

1) to make it more difficult for information users and resources to expose themselves to attackers (paraphrasing Nitesh Dhanjani),

2) to increase the amount of time it takes for the threat to accomplish his objective, and

3) to detect and respond as efficiently and effectively as possible when intrusions happen.”

Richard, I have asked all the Security Profiles to comment on the largest challenges in 2007. What are your thoughts on the threats?

R: “The biggest challenge facing all organizations is visibility. A few months ago I wrote a blog post pleading for the creation of Enterprise Visibility Architects.

It's fashionable to talk about "building security in." I say we should "build visibility in" because "security" will never be achieved. It would be an incredible first step to simply know when we are being compromised, because it's going to happen no matter what preventative measures we take.”

Thank you kindly, Richard!

To catch up on Richard, visit his blog!

He is the author of the following books:

The Tao of Network Security

Extrusion Detection

And co-author of Real Digital Forensics

  • http://andyitguy.blogspot.com Andy Willingham

    Good write up Kai. It’s good to get a feel for who the bloggers are beyond their blog.