Canadian Information Processing Society (CIPS)
 
 

CIPS CONNECTIONS

INTERVIEWS by STEPHEN IBARAKI, FCIPS, I.S.P., ITCP, MVP, DF/NPA, CNP

Noted Expert in Networking, Security, and Internet Technology, and Successful Writer, Speaker, and Educator

This week, Stephen Ibaraki has an exclusive interview with Michael Gregg.

Michael Gregg has more than 20 years experience in the IT field and is an expert on security, networking, and Internet technologies. He is the president of Superior Solutions, Inc., a Houston-based security assessment and training firm. He is also a networking and security expert for searchnetworking.com and searchsecurity.com, where his weekly column answers questions from readers.

Michael holds two associate’s degrees, a bachelor’s degree, and a master’s degree.  He presently maintains the following certifications:  CISSP, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and TICSA.  

Prior to founding Superior Solutions, Inc., Michael was a Senior Computer Security Manager. He is a security consultant and has also taught for various organizations such as Nortel, Motorola, Adaptec, Lucent, Fidelity, Kaiser Medical, Southwestern Bell Corp, US Governmental agencies, and Alaska Communications System and also assisted Foundstone in the training of NSA employees. With a proven reputation as a dynamic and influential speaker, Michael’s delivery style is energetic and entertaining, yet insightful.  He focuses on real life examples and uses analogies to meet his learning objectives. He is a nine-time winner of Global Knowledge’s Perfect Instructor Award. 

A prolific writer and security expert, Michael’s contribution to the IT community includes the development of the Advanced Security Boot Camp for Global Knowledge, creation of the lab guide for Intense School’s Professional Hacking Boot Camp, outline editor for The TICSA Security Study Guide, and creation of Assessing IT Infrastructure Vulnerabilities class. Michael has acted as technical editor for several CramSession study guides and wrote the Certified Ethical Hacker CramSession.  His articles have been published on several IT websites including CetMag.com SearchSmallBizIT.com and GoCertify.com.

He is a member of the American College of Forensic Examiners, the Independent Computer Consulting Association, and the Texas Association for Educational Technology. Michael enjoys giving back to the community and he recently served as a volunteer consultant to help develop the first certification program for the AISD High School.

His recently released book,“CISSP Practice Questions Exam Cram 2” (Que) is a highly effective preparation tool which includes more than 500 practice questions to help readers reinforce their knowledge of the 10 CISSP domains.

Discussion:

Q:  Thank you Michael, for speaking with us today!

A: Thank you for taking time out to talk with me, Stephen.

Q:  Your extensive career includes success as an author, speaker, and educator. You are an acknowledged expert in security, networking, and the internet. What directed your interest towards security and networking issues? Can you describe your career and detail the valuable lessons you have learned from your extensive history of many successes?

A: Well Stephen, you may not believe this, but I believe that I have learned more from my mistakes than I have from my successes.  I think one of the valuable lessons I have learned is that it is important to have mentors.  For those individuals just starting out in security, find someone that you admire, someone that has achieved success in the industry.  Don’t be afraid to ask them for advice.  There are some really great people in this business and most are more than ready to help others along.  The other piece of advice I would offer is to keep learning.  Our industry is in a state of constant change, you must keep learning or you will fall behind.  Someone told me long ago that “growth is optional but change is inevitable, choose “growth,” that is advice to live by!

Q:  Describe your role at Superior Solutions, Inc. and the services you provide.

A: My role at Superior Solutions allows me to wear many hats!  Because we are a small organization, I am tasked with many different duties.  Primarily, I serve as lead during security assessments, I also lead the development of new course material, and I try to find time to teach a class now and then.

Q: With such a rich and varied background, this would entail exposure to innumerable interesting events. Please share your most “amazing” experience.

A:  Overall, it is amazing how so many things are tied together in this life.  Chance meetings turn into future opportunities that develop into exciting projects. 

I once had the opportunity to help some friends put together a book of positive quotes and inspirational stories.  This work of charity was at the request of a friend whose company was being downsized.  Before it was all over, we printed over 1,500 copies of these little booklets.  Everything that was needed for the production of the books was donated.  It seemed as if nothing could stop it.  I received emails for the next several years from individuals that ended up with copies; some were from other states and countries.  

Q: Can you share with us, a humorous story?

A: Years ago, I taught a class in New York City.  Most of the equipment was lost in transit.  So, I had the students go in the telecommunications closet of the training center and remove what we needed to complete the class.  While it did negatively effect the training center’s operations, it allowed my class to be successful and helped them learn real-life skills as we were forced to analyze what portion of the network to disable and what to leave functional.

Q:  Please provide an overview of your recently released book, “CISSP Practice Questions Exam Cram 2.”

A: The CISSP Practice Questions Exam Cram 2 was designed to be an aid in preparing for the exam.  With more than 500 practice questions, the detailed explanations of correct and incorrect answers included in CISSP Practice Questions Exam Cram 2 will ensure that you have a full understanding of the information covered in the exam. The Quick Check Answer Key allows you to quickly find answers as you work your way through the questions. CISSP Practice Questions Exam Cram 2 is a highly-effective, complementary resource to your exam preparation and studying.

Q: What ten compelling tips can you offer individuals preparing for the exam?

A: 1) Go to the ISC2 website and download a copy of the CBK.

2) Read through the ISC2 requirements to make sure that you meet the requirements.

3) Spend enough money on resources up front to ensure you'll pass on your first try.

4) Consider teaming up with a group of friends to help prepare for the exam.

5) Use my book as a study aid.

6) Spend the most time on the domains that you are least comfortable with.

7) Remember that it is unlike Microsoft and most other IT vendor exams, as it is not a computer generated test.

8) Pace yourself, you have 6 hours to complete the exam.

9) For those that lack the depth and breadth of knowledge in all ten domains, a training class or more intense study will be required. One good choice would be Villanova University's CISSP course. I am one of the developers.

10) Make sure you’ve had a good nights sleep and eat a good breakfast before entering the testing area.

Q:  As a nine-time winner of Global Knowledge’s Perfect Instructor Award, you have a proven track record of success as a trainer and educator. What is the secret of your success?

A: Hard work and persistence goes a long way in this business.  One secret to my teaching success is to always make sure and give students something they can relate to.  I have some really crazy stories.  As an example, I always tell people how TCP and UDP are like moving companies.  UDP is fast and unreliable just like my nephew, Mark; he helped me move years ago and lost my dryer!

Giving students something they can relate to helps them grasp the concept and it makes learning fun.   

Q:  What valuable experiences can you share from your speaking experiences?

A: Practice makes perfect.  While we all must sometimes speak at a moments notice, it takes time to develop outstanding presentations.  You need to know the audience, know the material, and develop the presentation in a logical, structured way that offers information that benefits the listener.

Q:  Since the mainstream usage of computers and the Internet by individuals, businesses and corporations, security has become a major area of growth. What do you see as the most compelling security issues in the future and how can they be resolved?

A:  There are several that offer challenges to the industry:  

1) Identity Theft – This has the potential to be a big problem.  Victims are forced to spend much time and effort trying to clear up the mess left by thieves.

2) Encryption – Encryption is widely used but not widely used enough.  I am still amazed by the number of organizations that do not use encryption and use items such as clear text email.

3) Spam / Viruses / Worms – This will take increased participation from industry and government to get a real reduction.

4) Wireless Insecurity – This will be solved over time.  Primarily, this is an awareness problem.  Organizations and home users are practicing better security.

Q:  Tell us about the various security certifications including CISSP and the benefits of getting these certifications.

A:  Some of my friends call me a certification junkie.  I am always quick to tell individuals that certifications are not a magic bullet for someone’s career.  However, they can help.  It does demonstrate that you have a minimum level of understanding of the subject and that you have taken the time to learn more about the subject.

I believe the CISSP certification is one of the best in the industry.  It is well respected, covers many aspects of security, and once individuals are certified, they will need to gain continuing education credits each year to maintain their certification. I think this is great, technology changes so fast, we all need to keep learning to keep current with our skills.   

Q:  What is computer forensics and how is it related to the security field?

A: Great question.  Historically, forensics was thought of as being in the exclusive domain of law enforcement.  Computer forensics is something that all security professionals should have knowledge of as security is all about prevention, detection, and response.  Forensics equals the response portion of the previous equation.  Security professionals must know to respond to security incidents, how to handle the evidence, and how to learn from the situation to prevent it from happening again. 

Q:  Given the current IT marketplace.....for those relatively new to the computer field and for seasoned veterans, which areas should they target for future study? For those interested in pursuing a career in IT, where should they start in terms of certifications? 

A:  For those new to security, I would suggest starting off with the Security + exam.  For individuals just starting in IT, I would suggest the Network + exam.

Q:  What are your views on certifications versus formal education versus experience?

A: I like to see a mix of these three.  In my opinion, this demonstrates a well rounded individual. 

Q:  With 20 years experience in the IT field, how have you been able to leverage your education and experience, and what 10 career tips would you give to those considering a career in the computer field? How do you keep up with all the changes?

A: 1) Never stop learning.  Many surveys show that reading is on the decline.  If this is true, this is a sad fact. 

2) Write down your objectives, written objectives have a much higher probability of becoming reality.

3) Look for future trends.  Change is coming, make sure you are ready.

4) Make time to develop profession relationships.

5) Attend training classes.  You’ll be surprised at what you learn.

6) Join associations.  Find trade organizations you like and become an active member.

7) Think win-win.  Make time to help others.

8) Build a small home network to practice skills.

9) Build a list of useful websites that you can check frequently to keep abreast of changes.

10) Do what you like.  If you pursue what you like in life, it will not seem like work!

Q: You are also a prolific writer and security expert and have written a variety of books, courses, and articles especially in the area of networking and security. What prompted you to start writing?

A: I had a college professor that encouraged me to write. His advice was that the art of writing is revision.   I found writing to be a useful way to learn more about a subject and to help others learn.

Q: List your 10 best resources for business and technology professionals interested in certification and security.

A: Here are some of the sites I would recommend:

1) http://www.cve.mitre.org/
2) http://securityfocus.com/
3) http://slashdot.org/
4) http://www.searchsecurity.com
5) http://www.cramsession.com
6) http://www.isc2.org
7) http://www.gocertify.com
8) http://www.acfei.com/main.php
9) http://www.infragard.net/
10) http://www.nsa.gov/snac/

Q: What do you consider to be the most important trends to watch, and please provide some recommendations?

A: 1) Look for organizations to put more emphasis on performing security assessments.  There is a big need to make sure that the organization’s policies are being complied with and that the organization’s assets are being properly protected.  Individuals wanting to capitalize on this should consider gaining knowledge about ethical hacking and vulnerability assessments

2) The demand for individuals possessing IT audit skills will continue to grow as companies need to verify they are compliant with laws such as HIPAA.

3) Programming skills will remain important,but these jobs will continue to move offshore because of wage pressure.  Individuals with those skills should continue to broaden their knowledgebase.

Q: What future books can we expect from you?

A: If I told you, someone might beat me to press!  All kidding aside, I am just finishing up a new class that will be offered in conjunction with ISC2 and is titled, “Assessing Network Vulnerabilities.”  I also just finished up designing a CISSP prep class that will be offered by Villanova University.  I am also in talks with Que about another security related title.  

Q: What kind of computer setup do you have?

A:   In the office, there is a variety of equipment.  It seems to come and go depending on the project, however, there is a nice setup for forensics that I like to work with.  At home, I am running gigabit Ethernet.  I also have a neat setup for video and audio editing.  My project over the holidays was to put together a PVR.  For those of you wanting to capture HDTV, you’ll need to buy your cards now as they will become illegal after July 2005 due to changes in federal law.

Q: Michael, thank you again for your time and consideration in doing this interview.

A: Thank you for taking time out to talk with me.