I was off from my blog for a long time, as I was busy preparing for my first participation in Microsoft’s biggest technical event of the year – the "Tech Ed", which was to happen in 6 cities throughout India. Then in June the event actually happened all over the country and we were hopping from one city to another, almost repeating the same technical sessions on different tracks to different audiences. It felt great to have different responses on the same technology from different people and it felt exciting to face such a large audience in every city.
In the month of July it was time for me to choose some of the technology areas of my interest and the ones Microsoft as a company wanted to focus on. This was the year starting FY07 when I was told to identify fields and technologies I wanted to drive through next year.
It was this time that my passion for security came to the forefront. I always held my offline sessions and discussions keeping security at center stage, no matter what technology it was – Microsoft or non-Microsoft, Windows 2003 or Windows Vista, Linux or Windows. Initially, as my curiosity towards security concerns faced by organizations rose, I concluded that the perception of security was mostly related to hacking, web-based attacks, programming, scripting and writing secure code. As it was long since I had given up programming and taken up Operating Systems and Networking as my career, I initially thought that I might not be able to get a good hang of these issues because of a non-programming background. But I was still determined to go as deep as I could into gaining knowledge on all these issues, and hence I started with helping CIW in launching their Security Analyst certification in India. I first acquired the CIW Certified Security Analyst certification myself (and thus became the first person to get that certification in India), and then provided training to the security trainers from all over India in this certification course. This course was precisely related to the backdoors, bugs and discovering vulnerabilities in Linux and Windows operating systems. It then made us learn the differences between an auditor and a hacker, so that we were able to penetrate into the systems by exploiting the vulnerabilities, but were not supposed to harm or do any damage to the systems.
But even during this certification my perception of security revolved around security policies, bugs, viruses, worms, hacking, and firewalls only. It was hard for me to stay at that level of knowledge into securing systems. So, this July I decided to go on and work towards another level in achieving knowledge and experience on Information Systems security, and decided to go for CISSP (Certified Information Systems Security Specialist) certification. I had heard that it was a challenging certification and tested your real wisdom and experience on IS security issues. I hence started studying hard for it and went ahead talking to many security officers and professionals in my organization and outside. I decided to appear for the CISSP exam to be held in New Delhi, India, on August 05, 2006.
What I realised as a part of preparation for this certification was that I probably had little idea before this of how deeply and widely we were using security technologies in all the work that we did in our everyday life. I had little idea that even the automatic doors at my office, the lights inside the building and the location of the office building itself were cautiously chosen as a part of the security policies of the company. Not only that, I started enquiring of the guard at my office entrance about how he analysed a suspect and what he does in case he faces some odd activity outside the office. I started to look at and notice the surveillance cameras all around and wondered who was monitoring the activities recorded by them. I have since started to examine in detail the public key that is received and installed by my browser, and to examine the length of the key which was used to encrypt the data inside it. I figured out the differences between the Security Models and Security Policies and looked at the cars, ACs, microwave ovens, all devices for what was a part of their trusted base.
Working with Operating systems and computers has since been different for me and I suddenly was happy whenever my system hung up and shut down itself! I have since then started to categorize systems into classes defined by the TCSEC criteria depending upon the level of trust and assurance they provide. I have probably gone mad over so many vast areas of concerns in Information Systems Security.
Despite participating in numerous quizzes and discussions on the CISSP exam, the real exam came out to be very different from what I had expected! I could hardly figure out whether it was easy or tough, and so desperately waited for the e-mail declaring the result. After about 10 days, I finally received an e-mail congratulating me for passing the exam! I was overjoyed with the news, and went on further preparing to now put my blogs, podcasts, webcasts and all my offline sessions this month on all these areas in Information Systems Security that I had excitedly worked on.
So keep watching as I feature all my sessions and blogs this month on different domains of Information Security!