Are Security Careers Real?
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
When I say internally and externally, I mean internally by the IT department and externally by a 3rd party.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (Alienvault,OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team. So they can talk about the issues that are found.
-
@dafyre said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (Alienvault,OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team. So they can talk about the issues that are found.
Alienvault has alot of false positives and misses alot of stuff out of the box. I think it is a great system, but it requires some hours to get it configured correctly. Not to mention, who is actually testing AlienVault to make sure it is actually flagging stuff? I can run brute force attacks that won't be picked up by AlienVault if I slow my attacks down. How do you know it is actually detecting MIM attacks, and so on?
. Nessus reports are great, but I have noticed that Nessus sometimes ranks threats incorrectly. Which can be confusing for someone who isn't familiar with them.
-
@IRJ said in Are Security Careers Real?:
@dafyre said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (Alienvault,OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team. So they can talk about the issues that are found.
Alienvault has alot of false positives and misses alot of stuff out of the box. I think it is a great system, but it requires some hours to get it configured correctly. Not to mention, who is actually testing AlienVault to make sure it is actually flagging stuff? I can run brute force attacks that won't be picked up by AlienVault if I slow my attacks down. How do you know it is actually detecting MIM attacks, and so on?
. Nessus reports are great, but I have noticed that Nessus sometimes ranks threats incorrectly. Which can be confusing for someone who isn't familiar with them.
There's no tool that's not going to require some configuration or fine tuning. If you're doing this for in-house purposes, turn everything on and turn it (OpenVAS / Alienvault) loose and go over the reports as to what it finds.
You are very much right about Nessus and OpenVAS finding a lot of false positives. But so has every other tool I've seen (some more or less than others).
But the IT team can learn something by investigating the vulnerabilities reported by them as well -- even if they are false positives.
-
@IRJ said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
When I say internally and externally, I mean internally by the IT department and externally by a 3rd party.
Understood. And I would generally agree.
-
Interesting Discussion
-
-
-
Target needs security along with Sony
-
I friend of mine just made the transition to security. He said his pay doubled.
-
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
-
@scottalanmiller said in Are Security Careers Real?:
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
And WTF is security?
-
@JaredBusch said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
And WTF is security?
Right? Everyone says it, but what exactly is that job?
-
@scottalanmiller said in Are Security Careers Real?:
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
SMB IT makes a good transition to security, actually.
It's something I have preferred over security experience when hiring. You basically want someone to be well versed infrastructure and know how data communications work.
-
@scottalanmiller said in Are Security Careers Real?:
@JaredBusch said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
And WTF is security?
Right? Everyone says it, but what exactly is that job?
You know how a lot of companies put "other duties as assigned" in your job description? That is the entire job
-
@scottalanmiller said in Are Security Careers Real?:
@JaredBusch said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
And WTF is security?
Right? Everyone says it, but what exactly is that job?
Its a cross between IT and compliance. There are different security roles, but they all fall in between those two sides. Some closer to IT, some in the middle, and some that are almost strictly compliance.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@JaredBusch said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
And WTF is security?
Right? Everyone says it, but what exactly is that job?
Its a cross between IT and compliance. There are different security roles, but they all fall in between those two sides. Some closer to IT, some in the middle, and some that are almost strictly compliance.
The biggest problem is that often they are just called "security" and can mean almost anything.
Likewise, the IT jobs are often just labeled "administration" or something and equally mean almost anything.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@JaredBusch said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
And WTF is security?
Right? Everyone says it, but what exactly is that job?
Its a cross between IT and compliance. There are different security roles, but they all fall in between those two sides. Some closer to IT, some in the middle, and some that are almost strictly compliance.
The biggest problem is that often they are just called "security" and can mean almost anything.
Likewise, the IT jobs are often just labeled "administration" or something and equally mean almost anything.
Yeah so like with anything else specialization makes more... Cloud Security for example pays about 30% higher than standard Security roles.
Architecture roles tend to pay a bit more since you are building security architecture and consulting security practices to other teams.
-
When I cook spaghetti, I like to boil it a few minutes past al dente so the noodles are super slippery.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@JaredBusch said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
And WTF is security?
Right? Everyone says it, but what exactly is that job?
Its a cross between IT and compliance. There are different security roles, but they all fall in between those two sides. Some closer to IT, some in the middle, and some that are almost strictly compliance.
The biggest problem is that often they are just called "security" and can mean almost anything.
Likewise, the IT jobs are often just labeled "administration" or something and equally mean almost anything.
Here (a Fortune 100) the IT Security Department is a joke, It's all CYA stuff to limit liability to the company, nothing of real substance is done there, the normal IT department does more security than they do, a Chief Security Officer was hired a few years back, and I might add under the CFO, not the CIO. And they brought a few entry-level helpdesk guys from IT over with him to help the security team. No real experts. The CSO just copy/Pastes NIST documents. The guys on the team just pull emails out and stop a spread after a phishing attack or disables accounts that were compromised etc. Not real security work, it's just to limit legal liability is all.