Are Security Careers Real?
-
@Carnival-Boy said in Are Security Careers Real?:
@scottalanmiller said:
I know that there are some security specialty shops out there (I've been asked to lead teams for one of them.) But even big ones that I have worked with just use skilled "normal" IT people, not "security" specialists.
I would have thought that a good security guy is a good generalist, as you need to have a good understanding of all applications in order to gain a good understanding of where those application vulnerabilities lie. For example, you need a modest understanding of SQL in order to understand SQL vulnerabilities like SQL injection. So if I was forming a crack team of security experts I'd want a SQL guy, a web guy, a Windows guy, etc., etc. A bit like the A-Team, with BA Baracus as my Windows guy.
Or you just need a guy that is a pen tester who understands how to find SQL injection. One professional can do all this from Kali. You can easily find Windows, Linux, and web vulnerabilities using prebuilt tools in Kali. Understanding the actual exploitation takes some knowledge. That is why good security people have a background in System or Network Administration.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worst offenders. Dictionary passwords and Excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, fingers get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines? Is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that it isn't anyone's fault, because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
-
@MattSpeller said in Are Security Careers Real?:
Security I thought was a real golden ticket at first, then you realize that if someone wants in they'll win eventually, no matter what you do. I don't like to lose and that'd be a struggle for me.
That isn't the best ideology. The same thing goes for your house. If somebody really wants in your house they are going to get in no matter what you do.
99% of the time you aren't a specific target; you get scoped out, then hit with an attack. Scoping out a network is kind of like scoping out a house. It isn't exactly illegal to walk by a house and look at the windows, doors, etc. to see how easy it is to get in. If you have no locks and keep your door open, you are going to be robbed more often than someone who has their doors locked and has a guard dog.
-
@Dashrender said in Are Security Careers Real?:
@thecreativeone91 said:
And most companies do not care about security unless it costs them a lot, but then they still don't care about it or your data; They just care about the financial implications of it.
Ain't this the gal darn truth!
Security is entirely too inconvenient, and until it really starts costing them due to things like breaches, most just can't be bothered with the inconvenience.
True, but it is becoming less true today. With all these network breaches making top news, we are seeing medium-sized businesses develop a real concern for cyber security.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worst offenders. Dictionary passwords and Excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, fingers get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines? Is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that it isn't anyone's fault, because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
The problem with that security approach, though, is that it focuses on fixing things that are being missed, rather than focusing on not missing things.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worst offenders. Dictionary passwords and Excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, fingers get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines? Is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that it isn't anyone's fault, because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
The problem with that security approach, though, is that it focuses on fixing things that are being missed, rather than focusing on not missing things.
So do you go back and build it again from the ground up, or do you fix things as you find them? Then, going forward, you configure things the right way.
-
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure. In reality, most IT professionals didn't build their network from the ground up. They were thrown into a mess of a reality and aren't even given the amount of time they should have to keep the business going, let alone go back and tighten things up.
It's not just going back and tightening things up, either, because it is highly unlikely you will know all the security holes without knowing how to find them.
Then you have prevention to worry about going forward. Are you documenting new devices on the network? Are you monitoring for brute force attacks, man-in-the-middle attacks, etc.? The list goes on and on.
-
@IRJ said in Are Security Careers Real?:
It is also possible that it isn't anyone's fault because they may not know what bad passwords are out there.
I don't think this can ever be true. It's always the fault of the person at the top of the IT food chain.
Example: IT manager tells IT staff that they can't afford backup software, IT cobbles things together, but it has a poor track record (yeah yeah, just leave it at this). New IT manager takes over, a problem happens, and IT can't restore because the backups didn't work.
Whose fault is this? Really, it's the old IT manager's fault, but it's also the new one's as well.
-
@Dashrender said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It is also possible that it isn't anyone's fault because they may not know what bad passwords are out there.
I don't think this can ever be true. It's always the fault of the person at the top of the IT food chain.
Example: IT manager tells IT staff that they can't afford backup software, IT cobbles things together, but it has a poor track record (yeah yeah, just leave it at this). New IT manager takes over, a problem happens, and IT can't restore because the backups didn't work.
Whose fault is this? Really, it's the old IT manager's fault, but it's also the new one's as well.
The IT manager may not even know all the backdoor passwords. It is very possible there are extra user accounts added that he may not know about on various devices and servers. It's not like every time you log in to a server, you check file permissions, user accounts, or run a dictionary attack against it.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing, there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? Not many. Most have inherited something else.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing, there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? Not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing, there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? Not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing, there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? Not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
When I say internally and externally, I mean internally by the IT department and externally by a 3rd party.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing, there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? Not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (AlienVault, OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team, so they can talk about the issues that are found.
-
@dafyre said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing, there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? Not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (AlienVault, OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team, so they can talk about the issues that are found.
AlienVault has a lot of false positives and misses a lot of stuff out of the box. I think it is a great system, but it requires some hours to get it configured correctly. Not to mention, who is actually testing AlienVault to make sure it is actually flagging stuff? I can run brute force attacks that won't be picked up by AlienVault if I slow my attacks down. How do you know it is actually detecting MITM attacks, and so on?
Nessus reports are great, but I have noticed that Nessus sometimes ranks threats incorrectly, which can be confusing for someone who isn't familiar with them.
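The point above about a slowed-down brute force slipping past a detection tool, shown as an added example (not code from the thread, AlienVault, or any product): a classic "N failures in a short window" rule misses attempts paced two minutes apart, while a long-window count combined with a distinct-account signal still flags the source. The sshd-style log lines are constructed, and the thresholds, the 24-hour window and the 2024 year on the syslog stamps are assumptions.

```python
"""Why pacing a brute force defeats a short-window threshold rule, and a
long-window, multi-account count that still catches it. Added example for
this thread, not AlienVault's or any product's logic; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log (not a real capture). 192.0.2.10 fails once
# every 120 s across ten accounts; 198.51.100.7 is one admin typo, then success.
SAMPLE_LOG = """\
Mar 12 09:00:00 host sshd[100]: Failed password for root from 192.0.2.10 port 5001 ssh2
Mar 12 09:02:00 host sshd[101]: Failed password for admin from 192.0.2.10 port 5002 ssh2
Mar 12 09:04:00 host sshd[102]: Failed password for invalid user test from 192.0.2.10 port 5003 ssh2
Mar 12 09:06:00 host sshd[103]: Failed password for invalid user oracle from 192.0.2.10 port 5004 ssh2
Mar 12 09:08:00 host sshd[104]: Failed password for postgres from 192.0.2.10 port 5005 ssh2
Mar 12 09:09:30 host sshd[105]: Failed password for jsmith from 198.51.100.7 port 6001 ssh2
Mar 12 09:09:41 host sshd[106]: Accepted password for jsmith from 198.51.100.7 port 6001 ssh2
Mar 12 09:10:00 host sshd[107]: Failed password for invalid user guest from 192.0.2.10 port 5006 ssh2
Mar 12 09:12:00 host sshd[108]: Failed password for invalid user ubuntu from 192.0.2.10 port 5007 ssh2
Mar 12 09:14:00 host sshd[109]: Failed password for invalid user pi from 192.0.2.10 port 5008 ssh2
Mar 12 09:16:00 host sshd[110]: Failed password for backup from 192.0.2.10 port 5009 ssh2
Mar 12 09:18:00 host sshd[111]: Failed password for invalid user user from 192.0.2.10 port 5010 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
    r"password for (?:invalid user )?(\S+) from (\S+) port"
)

def parse_events(text, year=2024):
    """Parse auth lines into time-sorted events (syslog stamps carry no year,
    so one is assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mon, day, clock, outcome, user, src = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "outcome": outcome, "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])

def failures_in_window(events, window):
    """After each failed login, yield (src, failures from src still inside window)."""
    recent = defaultdict(list)
    for ev in events:
        if ev["outcome"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop failures older than the window
            q.pop(0)
        yield ev["src"], q

def threshold_alerts(events, max_fail=5, window=timedelta(seconds=60)):
    """Classic rule: N failures from one source inside a short window.
    A source pacing attempts slower than window/N never trips it."""
    return {src for src, q in failures_in_window(events, window) if len(q) >= max_fail}

def slow_bruteforce_alerts(events, max_fail=8, window=timedelta(hours=24), min_users=3):
    """Long window plus a distinct-account signal: a forgetful admin retries one
    account, a brute-force source walks many. Returns src -> (failures, accounts)."""
    alerts = {}
    for src, q in failures_in_window(events, window):
        users = {e["user"] for e in q}
        if len(q) >= max_fail and len(users) >= min_users:
            alerts[src] = (len(q), len(users))
    return alerts

EVENTS = parse_events(SAMPLE_LOG)
```

Running it on the constructed log gives an empty set from the short-window rule and flags only 192.0.2.10 from the long-window one; whatever tool is in place, the test that matters is feeding it paced attempts like these and confirming an alert actually fires.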
-
@IRJ said in Are Security Careers Real?:
@dafyre said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing, there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? Not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (AlienVault, OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team, so they can talk about the issues that are found.
AlienVault has a lot of false positives and misses a lot of stuff out of the box. I think it is a great system, but it requires some hours to get it configured correctly. Not to mention, who is actually testing AlienVault to make sure it is actually flagging stuff? I can run brute force attacks that won't be picked up by AlienVault if I slow my attacks down. How do you know it is actually detecting MITM attacks, and so on?
Nessus reports are great, but I have noticed that Nessus sometimes ranks threats incorrectly, which can be confusing for someone who isn't familiar with them.
There's no tool that's not going to require some configuration or fine tuning. If you're doing this for in-house purposes, turn everything on and turn it (OpenVAS / Alienvault) loose and go over the reports as to what it finds.
You are very much right about Nessus and OpenVAS finding a lot of false positives. But so does every other tool I've seen (some more or less than others).
But the IT team can learn something by investigating the vulnerabilities reported by them as well -- even if they are false positives.
-
@IRJ said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing, there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? Not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
When I say internally and externally, I mean internally by the IT department and externally by a 3rd party.
Understood. And I would generally agree.
-
Interesting Discussion
-