By: Kaushal Toprani
"Why do cars have brakes?" is a question Scott Laliberte, a director
at Protiviti Independent Risk Consulting, often asks his new clients.
"To make the car go faster," Laliberte explained to a group of about
30 students attending a seminar on information security held in the
Rush Building, May 24. Without a way to slow down, a car could not go
down steep hills or take sharp turns.
Laliberte applies the same concept to technology. Without the controls
information security offers, the safe use of information technology is
Protiviti assists over 1,000 clients worldwide in risk consulting,
internal auditing and incident response. Laliberte has written two
books about information security risk assessment, Hack I.T. and Defend
I.T. Recent attacks on sensitive data and new regulations have created
a demand for Protiviti's services.
Laliberte explained the case of Choice Point Incorporated, an
identification and credit verification company. In February 2005, it
was discovered that Choice Point had sold 100,000 Social Security
numbers to fraud artists. The incident cost Choice Point over $20
million. Even since this well-publicized incident, over 82 million
consumers have had their private data compromised, according to
Laliberte also recounted an incident in which a university's keycard
system was hacked, jeopardizing the security of labs where specimens
of infectious diseases were kept for research purposes.
These new attacks have prompted the government to respond with new
regulations that are changing the business environment. The
Gramm-Leach Breach Act requires financial institutions to protect
their clients' financial data. The Health Insurance Portability and
Accountability Act gives the same protection to patients' health data.
Protiviti's security architecture is based on ISO 17799, an
international standard that describes best practices in information
security. Laliberte explained that Protiviti looks at the whole
picture when performing a risk assessment, including business and cost
factors, IT factors, and compliance issues. Protiviti aims to analyze
an organization's needs, standardize the security policies and
automate the enforcement of these policies.
Laliberte also discussed the tools that are available to information
security professionals. Intrusion detection systems, which look at
incoming and outgoing traffic on a network for suspicious patterns or
attacks, aren't a silver-bullet solution to network security.
"They're only as good as the people that implement them," Laliberte
He talked about a company he once audited where the intrusion
detection system was installed, but not configured, and the alerts
were ignored. An IDS often creates a "false sense of security,"
Protiviti uses more than 100 different security tools, each with its
own specialization. Some of these tools are available as freeware, and
others are sold as commercial solutions. Laliberte urges caution when
using freeware, as it is often written by hackers who program back
doors into the code, which leave the system vulnerable.
Laliberte discussed job prospects in the field of information
security. There are various jobs that range from being very
technically oriented to very process-oriented - that is, jobs that
require defining policies. Entry-level information security
professionals can expect to make between $40,000 and $60,000 a year.
Laliberte said he recruited from college campuses. He looks for
students with a track record of success in tasks they take on,
checking their GPA and other activities. He also requires a good
understanding of the fundamentals of IT.
"I can teach the security, but the IT is harder to teach," he
In order for new information security professionals to be successful,
Laliberte recommended reading a lot about the field and networking
with other professionals already in the business. For those who are
looking to get into the field, he recommends getting the Global
Information Assurance Certification Security Essentials Certification.
The most important key to being successful, Laliberte said, is
"No matter what you do, do it well and be passionate about it,"
Students felt Laliberte gave a good overview of information security.
"He was good at explaining things people don't realize," said Andrew
Rutherford, a senior majoring in information systems.
=A9 Copyright 2006 The Triangle
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.