Yep, the kiddies are back in school, and things are back to normal as everyone comes back from summer holidays. I am one of those kiddies back in school for a few weekends. After the great HPC learning experience back in July, I wanted more. Not having anything better to do on the weekend </sarcasm>, I signed up for a CISSP training course delivered by Robert Beggs from Digital Defence. Now I am scared to do anything requiring a computer. OK, that is a gross exaggeration, but it has got me thinking about security from some different points of view.
I've worked in a few positions where I was in charge of the security of computer systems. That should be no surprise because if you are working as an IT Pro, you are, in one way or the other, managing security as well. I've met too many people who feel secure with a firewall at the edge, anti-spam and anti-virus on the mail server and a WSUS server in the corner patching systems. Is that security? Well, it is part of the puzzle, but it doesn't end there. All the security technologies in the world won't do anything if anyone can just walk in, pick up a computer and walk out. Don't laugh, it happens more often than you think. One of the biggest security issues has to be awareness. End users not understanding the basics of the corporate, IT staff not being aware of the latest security procedures or, worse, not having a security policy in place to guide everyone.
As I sat through the classes a lot of it seemed common sense, and I think you'd have that same feeling. But as you might have read in the Security Horror Stories post the other day, these things happen every day. As we develop the content for the upcoming My TechNet Security tour a lot of what I learned is on my mind.
For anyone familiar with the CISSP, you've heard about the CIA Triangle. Confidentiality, integrity, accountability. You are probably also aware then of the ten security domains. If not, when you see them listed, it starts to reinforce the security you know about and gets you thinking about those you are not familiar with. I really urge anyone who is working in IT to take some security courses, get certified and make it a part of who you are as an IT professional. Technologies come and go, but securing them will always be a priority. While you are at it, <shameless plug> register for the My TechNet Security Tour </shameless plug> and start thinking about how you can improve security in your organization and at home.