Are Security Careers Real?
-
@ChrisL said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
Which is an identify theft problem.
Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.
I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".
Yup... let's see how this starts off in court... we can show...
- Intent to steal her identity through forced actions beforehand
- Standard industry documentation that requesting passwords in this way is identify theft and absolutely violates security
- Identity transferred to manager demanding credentials
- HR details exposed
- Wrongdoing happened
- Manager who took identity fires innocent party to cover up his own actions as the owner of the credentials
Um, yeah. Being fired BY the person who made the mistake who set the whole thing up ahead of time? Um....
-
@scottalanmiller said in Are Security Careers Real?:
@ChrisL said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
Which is an identify theft problem.
Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.
I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".
Yup... let's see how this starts off in court... we can show...
- Intent to steal her identity through forced actions beforehand
- Standard industry documentation that requesting passwords in this way is identify theft and absolutely violates security
- Identity transferred to manager demanding credentials
- HR details exposed
- Wrongdoing happened
- Manager who took identity fires innocent party to cover up his own actions as the owner of the credentials
Um, yeah. Being fired BY the person who made the mistake who set the whole thing up ahead of time? Um....
#ClimbingTheLadder
#JustCorporateThings
#LoveMyCoworkers
#EqualOpportunity
#DunningKruger -
I'm so confused with the course of this SEC conversation...
What happened / when is this person throwing a party?
-
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Who's job is it to manage an IDS system with very complex rules? Does the IT team have time to do actual penetration testing and keep improving security based on the results?
Sure you could hire 3rd party pen testers, but if you aren't testing internally when will you actually have time to fix all the vulnerabilities?
IMO IT Security is an actual thing. Since I am an IT Security professional that has transitioned from System Administration, I can tell you it is real. It is challenging, and most importantly it is rewarding.
-
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
-
@Carnival-Boy said in Are Security Careers Real?:
@scottalanmiller said:
I know that there are some security specialty shops out there (I've been asked to lead teams for one of them.) But even big ones that I have worked with just use skilled "normal" IT people, not "security" specialists.
I would have thought that a good security guy is a good generalist as you need to have a good understanding of all applications in order to gain a good understanding of where those application vulnerabilities lie. For example, you need a modest understanding of SQL in order to understand SQL vulnerabilities like SQL injection. So if I was forming a crack team of security experts I'd want a SQL guy, a web guy, a Windows guy etc etc. A bit like the A-team, with BA Baracus as my Windows guy.
Or you just need a guy that is a pen tester that understands how to find SQL injection. One professional can do all this from Kali. You can easily find Windows, Linux, and web vulnerabilities using prebuilt tools in Kali. Understanding the actual exploitation takes some knowledge. That is why good security people have a background in System or Network Administration.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
-
@MattSpeller said in Are Security Careers Real?:
Security I thought was a real golden ticket at first, then you realize that if someone wants in they'll win eventually, no matter what you do. I don't like to lose and that'd be a struggle for me.
That isn't the best ideology. The same thing goes for your house. If somebody really wants in your house they are going to get in no matter what you do.
99% of the time you aren't a specific target, you get scoped out then hit with an attack. Scoping out a network is kind of like scoping out a house. It isn't exactly illegal to walk by a house, look at the windows , doors, etc to see how easy it is to get in. If you have no locks and keep your door open you are going to be robbed more often than someone who has their doors locked and has a guard dog.
-
@Dashrender said in Are Security Careers Real?:
@thecreativeone91 said:
And most companies do not care about security unless it costs them a lot, but then they still don't care about it or your data; They just care about the financial implications of it.
Ain't this the gal darn truth!
Security is entirely to inconvenient, and until it really starts costing them due to things like breaches, most just can't be bothered with the inconvenience.
True, but it is becoming less true today. With all these network breaches making top news, we are seeing medium size businesses develop a real concern for cyber security.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
The problem that with that security approach, though, is that is focuses on fixing things that are being missed, rather than focusing on not missing things.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
The problem that with that security approach, though, is that is focuses on fixing things that are being missed, rather than focusing on not missing things.
So do you go back and build it again from the ground up or do you fix things as you find them. Then going forward you configure things the right way.
-
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure. In reality, most IT professionals didn't build their network from the ground up. They were thrown into a mess of a reality and aren't even given the amount of time they should have to keep business going. Let alone go back and tighten things up.
It's not just going back and tightening things up either. Because it is highly unlikely you will know all the security holes with not knowing how to find them.
Then you have prevention to worry about going forward. Are you documenting new devices on the network, are you monitoring for brute force attacks, Man in the middle attacks, etc. The list goes on and on.
-
@IRJ said in Are Security Careers Real?:
It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there.
I don't think this can ever be true. It's always the person at the top of the IT food chains fault.
Example - IT manager tells IT staff that they can't afford backup software, IT cobbles things together, but it has a poor track record (yeah yeah, just leave it at this). New IT manager takes over, problem happens and IT can't restore because the backups didn't work.
Who's fault is this? really it's the old IT manager's fault - but it's also the new one's as well.
-
@Dashrender said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there.
I don't think this can ever be true. It's always the person at the top of the IT food chains fault.
Example - IT manager tells IT staff that they can't afford backup software, IT cobbles things together, but it has a poor track record (yeah yeah, just leave it at this). New IT manager takes over, problem happens and IT can't restore because the backups didn't work.
Who's fault is this? really it's the old IT manager's fault - but it's also the new one's as well.
The IT manager may not even know all the backdoor passwords. It is very possible there are extra user accounts added that he may not know about on various devices and servers. It's not like every time you login to a server, you check file permissions, user accounts, or run a dictionary attack against it.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
When I say internally and externally, I mean internally by the IT department and externally by a 3rd party.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (Alienvault,OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team. So they can talk about the issues that are found.