The Year of the Breach

As the year comes to a close, news headlines have been dominated by reports of high-profile security attacks, some launched by “hacktivists” such as Anonymous and LulzSec.

But something larger was brewing. Amidst hacktivists’ attacks on Sony, HBGary and NATO, highly sophisticated, clandestine attackers—the kind with the rarefied expertise, deep pockets and specialized resources typically seen only in nation-state adversaries—were actively infiltrating a broad range of targets.

These attacks were different: they were patient, stealthy and leveraged a potent combination of technical skill and social savvy. Some used clever social engineering to get a foothold in their target organizations, while others used zero-day vulnerabilities—previously unknown holes in software—to penetrate defenses.

While advanced attacks have happened for years, IT security experts observed that recent attacks had grown bolder and more frequent. Recent attacks were also highly targeted, customized and well-researched and, in many cases, employed both technical and social components.

The term used to describe such complex, sophisticated attacks was “advanced persistent threats” (APTs), but as IT security experts quickly pointed out, APTs were only as advanced as they needed to be to get the job done. A concrete definition is elusive and, as one expert cautioned, “Defining it could limit us and lead us to be blindsided. We need to constantly revisit the characteristics because they’re always changing.”

Much of the day’s focus was on the techniques of highly organized attackers. Such advanced threats, which include APTs, span from corporate espionage to hacktivism.

This article distills key insights from those discussions and aspires to advance the industry’s dialog on advanced threats, spur disruptive innovation and pass on some of what we learned from some of the most seasoned professionals in information security.

From a Cookie-Cutter Approach to Adaptive

In 2000, the ILOVEYOU worm crippled more than 50 million PCs. The delivery mechanism was simple but effective: an e-mail showed up in your in-box with the subject line “ILOVEYOU.” When people clicked on the e-mail’s attachment, titled “LOVE-LETTER-FOR-YOU,” they were infected with a computer worm. While the damage was significant, a partial solution to this problem came in the form of antivirus software: a signature could be deployed to antivirus agents that would identify the file as malicious and arrest its actions.
Today, generic malware is still profuse, but signature-based defenses, at either the network or host layer, can greatly decrease the odds of infection. What makes recent advanced threats different is their defiance of a signature. In the world of advanced threats, malware evolves quickly, and security experts have described several cases of special-purpose malware custom-developed specifically for their targets. Some were compiled within hours of launching the attack.

It became clear that enterprises targeted by highly organized attackers cannot depend on signature-based “bread and butter” security tools as a sole means of defense. While the payloads of some advanced threats were fairly standard, entry strategies were often custom tailored.

Attackers typically used social networking sites to gather intelligence and identify specific users within an organization. Some of the main infection vectors that experts cited were e-mail, Skype and instant messages, with malware payloads in the form of PDFs, compressed HTML, script files, executables and attachments. Customization of attack techniques extends through to data exfiltration.

Advanced threats often use sophisticated methods for compressing, encrypting and transmitting data to other compromised organizations, leaving little evidence of the origin of the attack or the destination for stolen information. This move from generic to tailored, from cookie-cutter to adaptive, means that security organizations need to think beyond signatures and re-evaluate how effective their current defenses are.

Remember that people, not technology, were the Achilles’ heel in most defensive strategies.

People are the Weakest Link

“People are the weakest link” is perhaps the biggest cliché in information security. Security experts have long understood that users make bad choices, click on links they shouldn’t and install malware through simple ruses.

Corporate IT departments deploy multiple controls to help deal with this threat: e-mail filtering solutions catch many attacks before they make it to users, malicious links are blocked by the network, network scanners look for malicious content, and host-based antivirus (the last line of defense) tries to stop what slips through the cracks.

This process works well for generic, shotgun attacks in that signatures can be updated quickly to immunize users. Advanced attackers, however, are now creating highly credible scenarios in which they convince users to click on dialog boxes warning of fake software updates, retrieve content from quarantined areas and act (unknowingly) on behalf of the attacker.

Attackers have become dangerously adroit at using our weaknesses and behaviors against us. Attackers are creatively leveraging people inside the company to help accomplish their goals. “Internet scams are supposed to be sloppy, but they work.”

Advanced threats defy that stereotype. Experts put a fine point on it: “The perimeter is not a firewall; it’s our users. They don’t treat their computer as an adversary; they treat it as a tool—an extension of themselves—so they don’t question what it tells them.”

Addressing the people problem will take more than technology. Organizations need to drive a sense of personal responsibility for security among employees.

Attackers Aim for Advantage, Not Infamy

Advanced attacks are typically not the product of hobbyists. These attacks often require months of planning, mapping out internal networks by looking at the fringes.

The reconnaissance can go much further: targeting key employees, deconstructing their life by scouring social media, custom-crafting an attack so that it is stealthy, patient, and very effective.

Cybercriminals, the ones who look to steal credit card numbers and other commoditized and sellable data, have become increasingly sophisticated, but advanced attacks are different. Increasingly, they focus on espionage—stealing specialized data that may be of high value and strategic importance to the commissioning entity, which can be a foreign government, a rival corporation or an organized crime group. The entities behind advanced attacks literally mean business.

Also, the entities perpetrating many advanced attacks are substantively different from the hacktivist groups that have attracted attention in recent times. Hacktivists want to embarrass their targets and expose their activities, taking pride in publishing their conquests.

Many advanced attackers, in contrast, have the goal of stealth. They do not want to be discovered and do not seek publicity.

Some advanced threats are now masquerading as hacktivist attacks, with the goal of confusing forensics and placing blame on groups that are often eager to accept it. This pattern makes it difficult to size the scale of advanced threats: a willing scapegoat makes post-incident attribution particularly problematic.

The New Normal: Act as Though You Are Already Hacked

The events of the year have shown that determined adversaries can always find a way in, through people and through complex IT environments. It’s not realistic to keep adversaries out. Organizations should plan and act as though they have already been breached.

Three foundational principles of security are compartmentalization, defense in depth and least privilege. In combination, these three tenets dictate that if one system (or person) is compromised, it should not result in a compromise of the entire system.

While simple in concept, these tenets have proven complicated to implement in practice. Organizations have long relied on the notion of a “perimeter,” where a big thick wall—in the form of firewalls and gateway defenses—guards the organization, with good guys (insiders) on one side of the wall and attackers on the other.

Security perimeters are now considered a construct of the past. Boundaries are nearly impossible to define in modern organizations. The inclusion of partially trusted users such as customers, suppliers, contractors, service providers, cloud vendors and others has made organizational boundaries very porous. Beyond the eradication of traditional organizational boundaries, the consumerization of IT has brought a rash of unmanaged devices into the enterprise and exposed the organization to services (and suppliers) that are opaque.

IT consumerization has also blurred the line between the business lives and the personal lives of employees. We have moved from the illusion of a perimeter-driven defense to living in a state of compromise.

Accepting that some systems, some people and some services may already be under the control of attackers changes information security strategy. It forces a return to the core principles of compartmentalization, defense in depth and least privilege.

Organizations need to focus on closing the exposure window and limiting damage through efforts to compartmentalize systems, stop sensitive data egress and contain malfeasance. This new model also demands that we rethink old habits of sharing sensitive corporate information—such as source code, product plans and strategic roadmaps—using collaborative processes that presume perimeter defenses can keep attackers out.

Security improves through greater situational awareness: gaining the ability to understand what’s happening beyond our network boundaries in order to detect threats on the horizon. Organizations get smarter by looking beyond their own infrastructure and observing the ecosystem. The ecosystem approach to security relies on organizations actively sharing information with other organizations about threats. It also demands greater visibility into the security of suppliers and service providers within one’s supply chain.

The key is to know what digital assets are important to protect, where they reside, who has access to them and how to lock them down in the event of a breach. This ability to tighten the net before and during an attack is key, and it requires a mature process for incident handling. Incident response should not be considered exclusively a security function. Instead, it is an organizational competency that must be developed and continually honed well before an attack occurs. If organizations are planning responses as an attack unfolds, they are too late. A competency approach allows remediation activities to kick in automatically—like a reflex.

The Road Ahead

The reality of advanced threats demands a disruptive approach to defense—one where enterprises can be agile and thrive in a contested environment. This approach must be applied holistically: approaching advanced threat defense not as a discrete function but as a natural consequence of robust but agile security.

Many of the holes that exist today come from an unmanageably complex IT infrastructure. Given that information security is a “weakest link” problem, only through understanding our assets, processes and endpoints do we have a chance at effective defense. Unraveling complexity and fielding a successful defense means that we also need to think creatively about the range of attacker motivations, which can extend far beyond data theft.

With every new technology, we have the ability to weave security into its fabric, to begin anew. We are at the start of an industry-wide move to cloud-based services and systems. We stand on the precipice of a sea change in technology. A new mantra is going around the industry: “If we can’t get it right with cloud, shame on us.”

Today more than ever, security is an ecosystem problem in which every constituent has a responsibility. Attackers are collaborating, sharing information, going after the supply chain, co-opting careless insiders and evading our long relied-upon defenses. We need disruptive collaboration and innovation in defense. Through collaboration, information sharing and increasing our agility, we can successfully fend off APTs and other advanced threats.

Happy Holidays! And a blessed new year to all!


The Frustrations….

… having done the same thing over and over for years already, and then there is this one instance where you do that same thing, but it does not work..

… people who do not seem to understand what you are trying to do..

… server or computer peripheral failures which are hard to detect and isolate (like network cards?)

… pirated software…

… old operating systems which give you a hard time installing a certain device driver…

… old processors…

… insufficient memory…

… forgotten password…

… databases which do not seem to properly store and process information…

… trial software which seems not to handle a certain process when you need it…

… hard disk crash…

… Windows updates which take forever to load…

… Internet outage…

… new technologies which are not thoroughly tested…

… WiFi access which you cannot access…

and lots more…..


Security: Never Mind the Products or the Solutions, Just Educate the Users

If there is one thing to improve in IT security, it is not the products; it is the education and literacy of the users.

Given the way threats are spreading now, we have to admit that we are too naive to recognize them. We need to take IT security seriously. We can do so many things at the technological level, but when the time comes to choose our own passwords, we choose weak ones.

Sometimes we feel that it is better to keep data and information where security products can see it. However, improved user education can only accomplish so much: IT systems developers also need to make their solutions simpler to use safely.

If you want millions to use a product or a service, it needs to be easy, without the need for them to install more software.

But the obligation isn’t only on customers to learn: it’s also on suppliers to inform. Buyers can’t make educated decisions about how to set up and run their IT infrastructures unless vendors supply them with the necessary information.

Nowhere is that more the case than in the market for cloud computing services, where vendors vaunt the fact that their customers don’t need to know how things work.

We need transparency from vendors and providers. We should know how their systems are organized, and we should know about the people they hire.

She wants to see more transparency in such products and services, and better standards for security practices, so that customers can evaluate service vendors and providers.

If the level of security and transparency is very high, there is a good chance that clients and users are willing to pay more. Some will not care about security because they can pay less, but at least it gives them a choice.

There’s still a lot of work to do on standards and certification of security practices, but are we willing to pay for it?


When the Techies Go Bad.

There is this IT group* which is very efficient. From the daily humdrum of pulling cables, diagnosing the network and attending to users’ needs, everything went on smoothly. They even had regular perks such as attending technology symposiums and out-of-town trips with full allowance.

Until one day, the head of the group received a letter from the Business Software Alliance about software piracy. Further investigation showed that the systems administrator had installed pirated software which was registered over the Internet. Aside from this, the same guy ran a commercial porn site on the corporate server and pulled around 300 customer credit card accounts from the company’s e-mail server.

When the systems administrator was charged and placed on preventive suspension, he changed all the passwords across the company’s network and turned off all of the company’s servers remotely.

Fortunately, we have only made up this story. But what do we want to imply here?

The bulk of data loss and sabotage comes from insiders rather than outsiders. And most of these companies just keep quiet to avoid embarrassment.

But keeping quiet does not help and can be a fatal mistake. Not only does it fail to weed out the bad apples, it also does not address the problem of spending most of your security budget keeping people out when the biggest problem is already on the inside.

It’s possible to respond internally with extra training on where the ethical line is and how — if you’re a manager — to spot those dancing on the wrong side of it. Handled badly — and it’s a delicate balance — a company ends up sounding like it’s accusing all its employees of dishonesty and not affecting the dirty ones at all.

Simpler in concept but harder in execution is data loss protection, which is designed to identify what data needs protecting and does so by keeping track of who should be allowed access to which resources, to what extent and when.

OK. Windows file and security permissions do this. But how can we be sure that unauthenticated users cannot get access to these files?

But DLP, as they say, is really not as effective as it should be. Promising as it is, it can be effective by design, but in practice it is not doing its work properly. Why? Some of the problems are technical in nature. But most of the problem is behavioral. The bulk of these behavioral issues exist because the MIS head does not review the policies and the performance of the software. They assume that it is there, installed and running, and should be doing its work, but in reality it is not. MIS should regularly review the performance of the software and make adjustments if necessary. It is like paying for an alarm system which is turned off: worrying about burglars but leaving the door unlocked.

Every company knows this and has people in HR, management and IT management responsible for managing security risks from both IT and users. Every IT department also knows they have to cover the basics — check the user accounts, please — to have any hope of securing anything, no matter how bulletproof the firewall is.
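The two checks the post keeps coming back to, whether broad principals such as Everyone or ANONYMOUS LOGON can reach the files a DLP policy is supposed to guard, and whether the user accounts have actually been reviewed, are both things an administrator can script rather than assume. The following PowerShell is an added example written for this page, not code from the post: it walks a share root, reports every Allow entry granted to an “anyone”-style principal and whether that entry permits writes, and then lists enabled local accounts that have not logged on within a chosen window. The share path `D:\Shares\Finance`, the 90-day staleness window and the list of broad principals are assumptions to adjust for your environment; it relies only on the built-in `Get-Acl`, `Get-ChildItem` and `Get-LocalUser` cmdlets and should be run as an administrator on the file server.

```powershell
# Added example (not from the post): audit NTFS permissions under a share root for
# grants to broad principals, and list enabled local accounts with no recent logon.
# Assumptions: run elevated on the file server; $Root is a placeholder share path.
param(
    [string]$Root = 'D:\Shares\Finance',   # placeholder; substitute the real share root
    [int]$StaleDays = 90                    # assumed review window for unused accounts
)

# Principals that mean "anyone" or "anyone who can log on". A write grant to one of
# these is exactly the exposure the post asks about for unauthenticated users.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# Rights that let a principal change or remove data; read-only grants are still listed
# but flagged separately so the reviewer can decide whether read exposure matters.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Get-BroadAccessGrants {
    param([string]$Path)
    # Include the root itself plus every directory below it; files inherit from these
    # unless inheritance was deliberately broken, which the Inherited column reveals.
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip rather than abort the sweep
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            [PSCustomObject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                CanWrite  = (($ace.FileSystemRights -band $WriteRights) -ne 0)
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-StaleLocalAccounts {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Enabled accounts that have never logged on, or not within the window, are the
    # "check the user accounts" basics the post says most departments skip.
    Get-LocalUser | Where-Object {
        $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
    } | Select-Object Name, Enabled, LastLogon, PasswordLastSet
}

$grants = @(Get-BroadAccessGrants -Path $Root)
$writable = @($grants | Where-Object CanWrite)
$readOnly = @($grants | Where-Object { -not $_.CanWrite })

Write-Host "Broad principals with WRITE access under $Root ($($writable.Count) entries):"
$writable | Sort-Object Path | Format-Table Path, Principal, Rights, Inherited -AutoSize

Write-Host "Broad principals with read-only access ($($readOnly.Count) entries):"
$readOnly | Sort-Object Path | Format-Table Path, Principal, Rights, Inherited -AutoSize

Write-Host "Enabled local accounts with no logon in the last $StaleDays days:"
Get-StaleLocalAccounts -Days $StaleDays | Format-Table -AutoSize
```

Run it on a schedule and keep the output alongside the DLP policy: a write grant to Everyone on a folder the policy claims to protect, or an enabled account nobody has used in months, is the concrete evidence that the control “is there, installed and running” but not doing its work. Domain accounts would need the Active Directory module rather than `Get-LocalUser`; the ACL sweep applies unchanged.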

Most continue not to do it.

So one or two companies every year shouldn’t be surprised if they walk into some darkened sysadmin lair and find a commercial porn site or a DVD with all the customer files since 1987.

For the benefit of the rest of us, though, please don’t keep those cases quiet. Publicizing them might give some other company an example it can use to tighten its own security.

More important, it will give the rest of us something to laugh at.

When you spend days with your head stuck under someone else’s gross desk or in a drop ceiling where you can see rat droppings and hear tiny footsteps behind your head, you need to find some humor somewhere.

Again, the story we have told above is fictional… No need to be alarmed… But it is better to be prepared.

*fictional


Your Laptop May Be Slowly Killing You

The news that laptops can negatively impact male fertility–even when a cooling pad is used–has been capturing headlines this week. While that is a significant potential consequence of prolonged laptop use, it is not the only adverse impact the laptop can have on one’s health.

We live in an increasingly busy and mobile world where more and more people rely on mobile computing to stay productive anytime and anywhere. Unfortunately, as convenient as laptops may be when it comes to portable computing, there are also some downsides.

Male Infertility. There is a biological reason that the testes are stored in the scrotum–outside of the body. Sperm production requires a lower temperature than the standard internal body temp. Tech gadgets generate heat–a lot of heat in some cases. There are even Android and iPhone apps specifically designed to max the processor and heat the smartphone up to use as a hand warmer in colder climates. A study found that the temperature generated by placing a laptop on your lap–even when using a laptop cooling pad–results in temps that can impact male fertility. Men looking forward to fathering children may want to think twice about using a laptop on their lap.

Hearing Loss. Have you ever been in a quiet house when the power went out? Then you realize just how quiet real silence is. Even when not making any overt sound, the laptop fan is generally spinning away, and there is the general hum of the inner workings of the laptop. This relatively moderate white noise is not a significant health risk, but it can result in impairment or partial hearing loss over time. Users who routinely use headphones with the laptop may subject themselves to significantly higher decibels and be at even greater risk.

Vision Strain. Staring at a laptop screen for extended periods of time can strain your eyes. It can result in headaches, or dry and itchy eyes–and over time it could permanently affect your vision. When using a digital device take a break, blink, breathe. Many doctors call this the 20/20/20 rule. Every 20 minutes, take 20 seconds and look at something 20 feet away.

Carpal Tunnel. Carpal tunnel syndrome is a concern for extensive typing in general. However, space is often more cramped when using a laptop, and the ergonomics are not optimal when trying to type while balancing a laptop on your knees. Extended typing on a laptop–especially if your arms and hands are not positioned properly–can result in muscle strains and moderate to severe pain.

Back Pain. Some laptops are quite hefty. At the same time that much smaller netbooks have exploded in popularity, there has also been a rise in massive desktop replacement laptops. In order to pack in processing power, storage, and a display comparable to a desktop PC, these gargantuan laptops can weigh in at six or seven pounds. That isn’t a tremendous amount of weight, but when placed in a briefcase or shoulder bag it can put a significant strain on back muscles as you lug it around town.

I am not suggesting that using a laptop will result in you being a sterile, deaf, blind, hunchback–but be warned that it’s possible. Seriously, all of these are real potential health implications of prolonged laptop use, and you should be aware of the risks and take appropriate precautions.

-viz-

Making your software development project a success: A guide for business clients

It’s always tough to buy services from someone who does necessary, mysterious, and technical things — especially when it costs lots of money. Hiring a web developer is almost as scary as paying for a car mechanic, home insurance, or a dentist. You might be intellectually aware that you need their expertise (it’s what you’re paying for after all).

We want to trust the people we hire. We want to be confident that they will get the job done competently, and that they won’t take advantage of us. One way to do that, of course, is to ask them the right questions in the first place, and give them a clear explanation of what you want to achieve. These suggestions will get you started on the project — but not far beyond that. Explaining your software requirements is just the beginning of the project. To make sure that the project is a success, you need to keep your attention on three things — none of which are technical.

Expect the developer to ask questions.

To learn your needs, the developer may need to spend a non-trivial amount of time with you. Do not be offended. This is a good sign: He wants to learn from you, so he can reflect those requirements in the application he builds.

Developers are not expected to know everything about your business or department or its needs. You are the expert at your job; the developer knows her technology. To create the best possible software for you, she needs to understand how your business works — and she can only do that if she asks a bunch of “obvious” questions to learn all about those tasks.

Bringing in a specialist doesn’t mean you won’t need to have lots of conversations with the developer. But it should imply that the business-specific developer knows more about your type of business than a technology- or solution-specific developer.

Good software is iterative. Expect and encourage regular communication.

The communication shouldn’t be only up-front. Unless your software needs are very simple (and “simple” isn’t measured by budget alone), it’s likely that your project will be released in multiple phases. These might be defined by functionality (that is, “First, we’ll get the inventory system working; then we’ll connect it to the e-commerce features”), or they may be broken up with other criteria.

Throughout the entire project, you should expect that the relationship includes frequent communication. Call it Agile, call it iterative; the labels don’t matter. The point is to collaborate with each other throughout the process, with multiple checkpoints to review and ensure you’re on the same page — from idea to requirements to prototype to functional product to finished product.

Because most software is done in phases, expect features to emerge based on the priority list you work out with the developer. Always keep in mind the business goal you set, way back at the beginning. Is that goal being met?

Get it in writing.

At some point, you and the developer will decide that you both understand what is to be done.

But in even the most trivial cases, it’s important to create some sort of a written agreement that states what the result will look like, what phases will happen, who is responsible, and the expected budget. The document might be called a “statement of work” or “software requirements” or “business proposal” but it could have another name entirely. Read it. Compare what-is-delivered against this document at every project phase.

I must repeat that: read it. If the developer presents any documentation, including a design, for review and approval, review it carefully and ask any questions that may arise. If the documentation or design is unclear, say so. Realize that approving the design is giving the final go-ahead to build the product, and changes will be very difficult to make after this point. And if it is difficult, it always means expensive.

The design docs that the developer produces describe what he is supposed to give you in the end. Make sure that you actually check them against your needs and expectations. If you change your mind midstream, if you ask for any feature not agreed to beforehand, if you want something not in the design docs, you will have to tell the developer about it and accept that such changes may require the sacrifice of other features to meet the budget and timeline, or may require an extended budget and timeline.

Both you and the developer need to be wary of new tasks or requirements that get bolted onto the original design. Expect that any change or suggestion or “oh one little thing…” will cost time and money.

Conclusion

The root issue in a project’s success is almost always communication and, specifically, communication in relation to scope. Every project has three things — schedule, scope, and budget — that have to be managed for it to be a success. The high failure rates tend to be measured in the project being delivered late or running over budget, but inevitably the root cause is that the understanding of the scope was off.


IT Certifications

Choosing a professional to manage your company’s network, hardware, and software is no easy task. How can you tell whether the skills listed in a person’s résumé reflect the tech expertise your business needs?

To the uninformed, the hundreds of tech-related certifications that IT pros use to sell their services amount to an alphabet soup of incomprehensible acronyms.

Most computer certification programs don’t require a college degree, and they can give help-desk professionals and network managers a competitive advantage and an earnings boost. For example, businesses will typically pay a 10% premium for someone who has earned an entry-level certification, and individuals with higher-level certifications can command a 40% mark-up.

But are those credentials worth the extra cost? Though pay rates vary widely, they normally range from Php 5,000.00 an hour to Php 15,000.00 an hour for consultants who possess specialized knowledge.

Below are the most common IT certifications. I did not include Six Sigma and ITIL here, as they are more focused on the business and process side than on IT.

Microsoft (MCSE, MCITP, MCTS)

Few businesses get along without a hearty helping of Microsoft-powered equipment, and the company offers a raft of specialized training programs for those who service its products. Among Microsoft’s most popular certifications are Microsoft Certified Systems Engineer (MCSE), Microsoft Certified Technology Specialist (MCTS), and the relatively entry-level Microsoft Certified IT Professional (MCITP).

The requirements for MCSE certification are one to two years of experience in designing, installing, configuring, and troubleshooting network systems, and a passing mark on the test, which costs around Php 40,000.00.

CompTIA (A+, Network+, Security+, Linux+)

The nonprofit Computing Technology Industry Association offers popular vendor-neutral certifications–a good option if you’re seeking a consultant who has a mix of experience beyond a single brand. Among the certification options, the basic A+ requires 400 hours of hands-on experience.

Cisco (CCNP, CCNA, CCIE)

Among the most popular certifications in the industry, the basic Cisco Certified Network Associate (CCNA) covers installing and managing medium-size networks. It requires a passing mark on a Php 15,000.00 exam, and certification lasts for three years.

Information Systems Security Certification Consortium (CISSP)

If your company deals with proprietary information and has deep security needs, Certified Information Systems Security Professional (CISSP) certification is known to be rigorous. People who qualify for it must have worked for at least five years in areas such as security architecture and design, and then must pass a Php 30,000.00 exam and pay an annual renewal fee.

Apple (ACSP, ACTC)

A help-desk pro with Microsoft skills may not know how to manage Macs. For shops that rely on Apple products or use a mix of operating systems, Apple Certified Support Professional (ACSP) and Apple Certified Technical Coordinator (ACTC) cover basic support skills, as evidenced by passing marks on tests. I still have not encountered such a certification from Apple here in the Philippines as of this time, so I really do not have any idea how this goes.

Information Systems Audit and Control Association (ISACA)

This advanced certification is reserved for IT security consultants and auditors with five years’ experience.

Project Management Professional (PMP)

This well-respected certification is for people with some college education and at least three years of project management experience.

Certified Ethical Hacker (C|EH)

For individuals who are responsible for securing (or testing the security of) computer networks. Covers common exploits, vulnerabilities, and countermeasures. You must pass the Certified Ethical Hacker exam, which costs around Php 15,000.00, and record two years of information security related work experience endorsed by your employer. A corresponding 5-day course is available, though not required. Before you can attend the course you will have to sign an agreement stating that you will not use the newly acquired knowledge for illegal or malicious purposes. Only students attending training conducted at EC-Council Accredited Training Centers and EC-Council approved self-study applicants are eligible for the CEH certification.

Certified Hacking and Forensics Investigator (C|HFI)

For individuals who wish to demonstrate their expertise in detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

You must pass the CHFI exam (around Php 15,000). A corresponding course is available and recommended, though not required. If you do not take the associated training from the EC-Council, you must complete an eligibility form before you can take the exam.

Red Hat Certified Engineer (RHCE)

For individuals who configure networking services and security on servers running a Red Hat OS. RHCE is an advanced-level Linux certification for experienced Linux professionals. You must pass a 3.5-hour hands-on exam (around Php 40,000.00). A passing score of 70% is required. Training is available but not required.

Which Do You Need?

If 90% of the tech tools that your office uses come from a single vendor, it makes sense to seek an IT pro with certification from that brand. But as more companies use technology from an array of vendors, and as more employees bring and use their own smartphones and tablets to work, that scenario is becoming less common.

“One of the challenges people run into is the circle of finger-pointing: was it the HP printer or the drivers on that Apple machine?”

Complicating matters, the certification programs for major brands are often run by a marketing arm of the company. Some programs require examinees to jump through multiple hoops, such as real-world testing and years of experience in the field, but others ask little more than mastery of a pass-fail exam.

Beyond Certifications

A credential alone doesn’t guarantee real-world job skills, but it increases the odds that the person is competent. Look for a well-rounded consultant with a deep Rolodex of contacts in the tech world; knowledge of multiple systems and brands can be better than a deep understanding of Windows alone.

As more companies try to do more with smaller budgets, the research firm finds, they turn to cloud computing and other technologies that reduce the need for IT staff. As a result, the market for IT professionals now emphasizes hybrid skills. Not only must they understand the equipment, but they must solve business problems creatively.

Don’t take someone’s experience, training, and certification at face value. Ask what they had to do to get a certification. Hands-on lab work in addition to an exam is a good sign.

When reviewing a person’s education, whether it culminated in a nursing degree, a food technology degree, or a business degree, ask about the curriculum. If you’re unsure about credentials, read between the lines. Lay out a real-life IT problem that you recently encountered, and ask how the candidate would solve it. If the task is too daunting, you can hire a consultant to interview IT job candidates.

The classic mistake most people make is they’re looking for somebody to solve the crisis. You’re looking to manage a relationship over time. The best time to do this is when you’re not having problems.