RaDaJo, an E-mail Interview
My initial interview with B10m sparked my interest in the security professional field in Europe. As I had recently contacted the trio from RaDaJo about helping me notify a Spanish University that one of their servers had been compromised, I decided to contact them with similar questions. The RaDaJo name is a combination of the team members’ names: RAul Siles, DAvid Perez, and JOrge Ortiz.
I had originally met these security professionals during a GSEC Advisory Board meeting in Washington D.C. At the time they were working on another certification that would eventually apply towards their GIAC Security Expert certification. As you can see from the website they were the third, fourth, and fifth persons to receive this intensive credential. During this meeting I was impressed with their outgoing nature and interest in promoting and growing the security industry. The following interview demonstrates they have retained these qualities and that they are continuing to promote security advancement on their continent.
I also highly recommend that you visit their blog site. They continue to provide great information and technical expertise that can be utilized by any security professional. We all should watch out for their technical challenges as they have proven not only to be interesting but useful in real world situations.
Why did you all start blogging? I believe that you are all living in Spain but you blog in English. Is there any particular reason? Do you maintain a sister site in Spanish?
[Raul]
The main reason we started blogging was to provide a security resource for technical people where anyone could see the things we are involved in our daily research and job tasks, and to publish details of specific security areas we are interested in. Additionally, we received several requests from people asking us to create a blog, so unconsciously, I think this also influenced us.
We all live in Spain, and although we initially thought about the language issue, we finally decided to blog in English to reach a broad population; almost all Spanish security professionals understand English, but obviously, the opposite is not true. At some point we thought about keeping two versions of the RaDaJo blog, in Spanish and English, but being realistic, it would be too much work with a reduced benefit.
When you are teaching your training classes do you use English as a common language or does it just depend on the setting and individuals taking the class?
[David]
SANS regular conferences are always run in English. Otherwise we couldn’t get so many people in class coming from so many different countries. Nevertheless, on a few occasions in Spain there have been courses run in Spanish (with the materials in English, though) and the feedback has been very positive. I think we may be seeing this more often in the future, but I’m just guessing here.
If a security professional were going to fly to Europe for one security conference, which would you recommend and why?
[Jorge]
As always I would recommend SANS conferences. They really rock in all their tracks! I have also attended and enjoyed the ISSE Conference (http://www.eema.org/static/isse/).
And we also have Black Hat Europe and some others, but I haven’t had the chance to attend yet.
What resources do European security professionals look to during their day to day work to keep abreast of breaking news and events (e.g. Alert/Vulnerability Lists, Websites, Blogs)?
[Raul]
Based on our international experience, the same resources are used by almost all professionals, no matter where you are located. The most popular ones are SANS ISC, Security Focus bugtraq and mailing-lists, the FullDisclosure list… but, as you know, there are dozens of them.
From the alert/vulnerability lists perspective, people use the generic ones, such as SANS Newsbites and SF Newsletters, plus the manufacturers’ resources (Cisco, Microsoft, Linux-vendor…).
We suggest that every serious security professional should have their own preferred list of resources, created throughout the years, and at least including Websites, Blogs, Mailing-lists, Forums, Security Conferences and Podcasts.
Unfortunately, there are no well known European-centric security resources. People tend to access global resources published in English (some of them located in Europe), and additionally, some localized country-based resources (published in your own language). However, due to the language barriers, it is not common to have a lot of people from one EU country accessing resources from another EU country (if they are not in English).
Obviously many people in Europe are multilingual but not everybody. How do these language barriers affect the security situation in Europe and how information flows and is interpreted?
[David]
I think security personnel in most, if not all, big companies can at least read English well enough to understand all technical documentation, articles and news, so getting information is not a problem. Writing and speaking is a little less universal but still most people can, so information also flows (less) in the opposite direction. However, the smaller the company, the more common it is that people only speak their own language, which is a serious limitation because not everything gets translated and even what does get translated is never the latest.
The basic security considerations and best practices are the same the world over, but society and business practices do change according to specific regions. I would think that this makes it a challenge to generate and enforce information security regulations that span the European countries. Is this true?
[Jorge]
Although the European Union tries to create a common framework for all its countries, it is true that some specific laws are different from country to country. Besides, law enforcement has important barriers due to the different languages in each country and they need to establish good relationships (in their initial incident response phases) with every potential country an attack could come from. Certainly, all this makes it more complex than in the US.
Although security is still a young profession here in the United States the government and businesses are starting to understand and accept the need for security professionals or administrators with security training. How does this compare to European governments and businesses?
[Raul]
We think it is very similar in the US and Europe. The information security field is still maturing and government and businesses are realizing the huge need for security professionals. Everything is being computerized, so this fact increases the protection demands and the need for security knowledge and personnel.
Fortunately, the market has changed a lot in the last 7 years; when we started as full-time infosec pros in Spain around 2000 we needed to explain from scratch certain things and terms to customers. Nowadays almost anyone has heard about rootkits, penetration tests and forensics (just to cite some examples).
Are there any security tools and products that are specific to Europe?
[David]
Not that I’m aware of. I think we use the same commercial and public domain tools as the rest of the world. This is a global village and market.
[Raul]
The only exceptions are government and defense organizations, where each country wants to manage their own security infrastructure. They typically use commercial and proprietary (home-made and secret) solutions.
When Americans think of computer security and Europe many of them start thinking about organized crime and hacker groups from some of the former “Eastern Bloc” countries. Is this being blown out of proportion? From your experiences are businesses and end-users in Europe in more danger from organized crime and hackers from around the world than businesses and end-users in the United States?
[Jorge]
Well, there are several hackers from Eastern Europe, but also from other European countries as well, like Germany, which has a long-lasting hacker tradition. However, I believe that organized crime has increased its activity in Europe during the last couple of years (or at least we have started to notice that it was happening), and started to hit some real businesses and getting some real money.
Due to the nature of the Internet, everybody is equally exposed to the attacks. The only advantage in targeting the United States is that, even with the same percentage of vulnerable systems, the same attack can be used against a higher number of users (i.e., that will speak the same language, go to the same web page and use the same bank, for example). Other than that we should all watch out!
I would like to, once again, express my gratitude to RaDaJo for the time they took out of their busy schedule to answer these questions. From this information I can see that the security profession is following much the same track as we are here in the United States. This is not very surprising as the technologies and risks are generally the same. Hopefully this interview will help people understand that the concepts, standards, and philosophies are generally similar throughout the industry despite international borders.
Go forth and do good things,
Cutaway