Computer repair tech AKA Security Expert
-
@Dashrender said:
But I get the feeling that like Microsoft programmers in the 1990's and 2000's, security was/is an after thought for most IT folks today.
Sure, and that's why SMBs are so wildly insecure. The skills and training and time needed to make an environment really secure cannot reasonably be done by a single person nor can it be done by a "security" consultant. What you need is a mindset of considering security from the ground up with buy-in from management. If management doesn't care about security, IT sure isn't going to focus on it.
But there is only one way to get secure - build it into everything. Security isn't a switch or a layer that can be applied later. It has to be involved at every step, with every process. Everyone in the decision chain needs to be thinking "security" as they make their decisions.
Security is just one of the many aspects of being an IT professional.
-
@scottalanmiller said:
It's because it is so important and has to be part of every technical role that you have no need for a special department that does this mythical "security" thing and nothing else.
I'd advocate for a security department where it was primarily for user training, secondary would be dedicated white hat testers
Edit: obviously not a dedicated person needed for this until you're breaking out of SMB
-
Clearly it's not just a problem at SMB - Sony a few years ago... Target last year, etc!
-
@Dashrender said:
Clearly it's not just a problem at SMB - Sony a few years ago... Target last year, etc!
It has to be a problem in the SMB, how can an SMB overcome it?
Companies like Sony, they just don't care. That's a different issue. When you are a company that makes crappy products and your customers keep coming back because your name is trendy, you don't tend to focus on being a good steward for your customers because being a good vendor is not why they like you. How many people stopped using Sony because of that? Just about none, I'm guessing, because Sony's customers just don't care enough.
-
@MattSpeller said:
@scottalanmiller said:
It's because it is so important and has to be part of every technical role that you have no need for a special department that does this mythical "security" thing and nothing else.
I'd advocate for a security department where it was primarily for user training, secondary would be dedicated white hat testers
This makes me think - a second pair of eyes are usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
IT security could be a team that checks the designs with the intent of hacking them - the white hat hacker as @MattSpeller said.
-
@Dashrender yup, but primarily user training - gotta secure the weakest links in your chain
-
@MattSpeller said:
I'd advocate for a security department where it was primarily for user training, secondary would be dedicated white hat testers
Dedicating pen testing, sure, there is some call for that and I have seen that in the real world (very, very little.) But it is important to note that that is a testing department. They don't secure you, they just let you know when the people securing you have failed.
User training is really just a training department. Yes, security training is important, but again, just a part of normal operations of "how to be a user."
-
I think this topic has ran it's course as to the OP - Scott's probably right on that an IT security department isn't a real thing. But the other items brought up here are definitely often missing from many if not most companies.
-
@scottalanmiller said:
User training is really just a training department. Yes, security training is important, but again, just a part of normal operations of "how to be a user."
is any company actually rolling with dedicated user trainers on staff? If so that's F*@&# amazing!
-
@Dashrender said:
I think this topic has ran it's course as to the OP - Scott's probably right on that an IT security department isn't a real thing. But the other items brought up here are definitely often missing from many if not most companies.
I always get curious and side track it, we need a dedicated ML thread TL;DR bot.
-
@Dashrender said:
This makes me think - a second pair of eyes are usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
IT security could be a team that checks the designs with the intent of hacking them - the white hat hacker as @MattSpeller said.
Could be, but the downside there is that what do you have, generalists? You probably get a lot more mileage looking at that with more pairs of dedicated specialist eyes. If you are building a Windows server, what do you need, some random "security" guy going over your individual system choices (he may not know which ones lead to insecurities specifically) or another Windows specialist that is considering security, performance, ease of use and other IT factors too?
-
@Dashrender said:
This makes me think - a second pair of eyes are usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
And that is a big difference between SMBs and the enterprise space. In the enterprise you expect that people are checking on each other, reviewing things, looking over each other's shoulders, etc. In the SMB, you generally assume that it is one person working in a vacuum. You might get to hire someone to review major decisions, but that's rare and only on occasion. In the enterprise, I've seen shops where you have someone looking over your shoulder for every command run in production, every time.
-
@scottalanmiller said:
You don't lock down servers, the server people do that. You don't design a secure network, the network people do that. You don't have anything to do. It's a nonsensical department for all intents and purposes. And hence, probably why they don't exist in the real world. What is a "security expert" really?
I think people think testing what the server and network people did would be a full time job, like the configuration show how would change daily or something
-
@Dashrender said:
is an after thought for most IT folks today.
It vastly depends on the company. It's not for us. We have approx 25 IT staff (We have mostly generalists. I'm the Systems Engineer for the main DC site, which is not at cooperate due to weather/torando's and such ) plus DevOPs to develop our in house software. There is a lot of focus on security but it's not just IT security. Our Parking lots, buildings etc are all gated with armed guard with shacks at every entrance. RFID + PIN are required to get in (at every location, not just this one.)
-
@thecreativeone91 said:
I think people think testing what the server and network people did would be a full time job, like the configuration show how would change daily or something
In theory, in an enormous environment, you might have a few people doing this, in theory. It does not take too many, especially as many environments change very slowly, and often you would want an outside firm doing this just so that there is clear incentive on one side to block them and on the other side to succeed. But this is rare, super expensive and mostly automatable so you don't need a huge team for an amazingly large number of systems.
And what environment is so locked down that they would want to do this? Some, but not many. Most places have known holes and just guess that it is not worth locking them down. In the real world, putting money into securing known issues goes a lot farther than hiring expensive people to sit around full time reminding you that you are paying to know where the holes are rather than having filled the ones you already knew about
But you are completely correct. It seems to be everyone's assumption that it takes an army of specially trained hacker ninjas running around the clock to see if they can break in. As if your environment changes daily and there is always a new way in or a new technique that they just learned about. When in reality, one guy and a script would do 99% of the job.
-
And think about how many things cannot be reasonably secured.... Heartbleed is a great example. You discover you have Heartbleed, so either you wait for a patch and hope for the best or it is available and you patch right away. A security department telling you that things are vulnerable does no good as you would have already known. You just need people to help with the actual patching!