BRB

In 2003, as soon as we moved to Brasília and I started working at BRB, I was assigned to the team responsible for maintaining and supporting the bank’s firewall infrastructure. The team took care of the firewalls, servers, and switches that made up that environment. The setup had been in place for some time and was pretty stable, requiring little day-to-day effort. When problems did arise, though, they tended to be hard to debug.
The first important point was the network architecture: it was a back-to-back DMZ. That meant the DMZ, or demilitarized zone, was placed between two separate firewall devices. In BRB’s case, the DMZ servers had two network connections: one going to the external firewall and the other to the internal firewall. There was no direct connection between the two firewalls. To leave the internal network and access the internet, you had to first connect to a server in the DMZ and, from there, start a new connection to the outside world. That setup was considered one of the most secure at the time, but it also brought additional complexity. Internet protocols, in general, are designed for end-to-end connections, where a client communicates directly with a server. The model adopted at BRB broke that assumption and made connections more susceptible to problems.
Another striking feature of BRB’s network was that internal users’ computers had no internet access whatsoever. Anyone who needed to access the internet had to get up from their desk and go to a specific area, where there were computers connected to a separate network, with external access enabled. The idea was to keep total segregation between the internal network and the internet. Once again, it was a decision driven by strict security criteria. However, by that time people were already starting to become heavily dependent on the internet, especially professionals like developers and IT teams. Access to manuals, documentation, and knowledge bases was much more convenient via the web. For developers, for instance, sites like Stack Overflow were becoming part of their daily workflow, bringing together questions and answers about technical problems that had often already been faced by other people.
Work at BRB, in general, wasn’t very demanding. The network was stable and managers tended to avoid changes and new things, which further reduced the occurrence of incidents. Add to that the lack of internet access, and it was common to spend long periods at the office with not much to do. Aside from the rare moments of crisis, a large part of the time was filled with conversations among colleagues, studying, or reading books (or even a nap). Even so, there was learning. I had closer contact with Cisco equipment and with firewalls from Aker, a Brasília-based company specialized in that kind of solution.
It was also during my time at BRB that I began to get closer to the information security professional communities. I can’t say whether the market in Brasília was more dynamic or whether it was a cultural difference compared to BMS, but the fact is that I took part in several local events and met more people in the area. An important discovery of that period was the CISSPBR mailing list. Initially created by a group of Brasília professionals as a study group for the CISSP certification, the list ended up expanding its scope and turning into a virtual meeting point for security professionals from all over Brazil. I started actively participating in the email discussions and, over time, I met several of the participants in person, including the founders, who ended up becoming my friends.
Since the work at BRB was relatively stagnant and I didn’t see much room for growth there, I started thinking about changing jobs. Influenced in part by the discussions on the CISSPBR list, but also by the perception that certifications help you get past the first resume filter, I decided I would take the CISSP certification exam. Taking part in the list helped, but wasn’t enough. I bought the best-known book at the time and started studying on my own. I took advantage of the quiet periods at work — which were frequent — and also studied a bit at home. The book was extensive, but I got to the end ready to take the exam.
At the time, the certification exam wasn’t offered in Brasília. So I scheduled the exam in São Paulo, bought tickets, arranged lodging, and kept studying until the scheduled date. A few days before the trip, however, when I accessed the site, I discovered the exam date had been changed without any notification. It was a hassle to rebook the trip and deal with fees and airline ticket changes, but I managed to get to São Paulo on the new date, take the exam, and, weeks later, I got confirmation that I had passed. All that mess left me with a certain resentment toward the organization responsible for the certification. They ran events and activities, but it took me many years to get over that bad impression and try to get close again. Every now and then I still try, but it never really clicked, as happened with other communities in the field.
After getting the certification, I started looking for a new job. In Brasília, the most common path is to focus on public-service exams. I had already had the experience of being a public servant in Lavras and, at that point, didn’t have much interest in going back to the public sector. So I directed my search toward private companies. I did some interviews until I came into contact with the company that ended up hiring me, but that’s already a story for another chapter.