Computer repair tech AKA Security Expert
-
@Dashrender yup, but primarily user training - gotta secure the weakest links in your chain
-
@MattSpeller said:
I'd advocate for a security department where it was primarily for user training, secondary would be dedicated white hat testers
Dedicating pen testing, sure, there is some call for that and I have seen that in the real world (very, very little.) But it is important to note that that is a testing department. They don't secure you, they just let you know when the people securing you have failed.
User training is really just a training department. Yes, security training is important, but again, just a part of normal operations of "how to be a user."
-
I think this topic has run its course as to the OP - Scott's probably right on that an IT security department isn't a real thing. But the other items brought up here are definitely often missing from many if not most companies.
-
@scottalanmiller said:
User training is really just a training department. Yes, security training is important, but again, just a part of normal operations of "how to be a user."
Is any company actually rolling with dedicated user trainers on staff? If so that's F*@&# amazing!
-
@Dashrender said:
I think this topic has run its course as to the OP - Scott's probably right on that an IT security department isn't a real thing. But the other items brought up here are definitely often missing from many if not most companies.
I always get curious and side track it, we need a dedicated ML thread TL;DR bot.
-
@Dashrender said:
This makes me think - a second pair of eyes are usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
IT security could be a team that checks the designs with the intent of hacking them - the white hat hacker as @MattSpeller said.
Could be, but the downside there is that what do you have, generalists? You probably get a lot more mileage looking at that with more pairs of dedicated specialist eyes. If you are building a Windows server, what do you need, some random "security" guy going over your individual system choices (he may not know which ones lead to insecurities specifically) or another Windows specialist that is considering security, performance, ease of use and other IT factors too?
-
@Dashrender said:
This makes me think - a second pair of eyes are usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
And that is a big difference between SMBs and the enterprise space. In the enterprise you expect that people are checking on each other, reviewing things, looking over each other's shoulders, etc. In the SMB, you generally assume that it is one person working in a vacuum. You might get to hire someone to review major decisions, but that's rare and only on occasion. In the enterprise, I've seen shops where you have someone looking over your shoulder for every command run in production, every time.
-
@scottalanmiller said:
You don't lock down servers, the server people do that. You don't design a secure network, the network people do that. You don't have anything to do. It's a nonsensical department for all intents and purposes. And hence, probably why they don't exist in the real world. What is a "security expert" really?
I think people think testing what the server and network people did would be a full time job, like the configuration somehow would change daily or something.
-
@Dashrender said:
is an afterthought for most IT folks today.
It vastly depends on the company. It's not for us. We have approx. 25 IT staff (we have mostly generalists. I'm the Systems Engineer for the main DC site, which is not at corporate due to weather/tornadoes and such) plus DevOps to develop our in-house software. There is a lot of focus on security but it's not just IT security. Our parking lots, buildings etc. are all gated with armed guards with shacks at every entrance. RFID + PIN are required to get in (at every location, not just this one.)
-
@thecreativeone91 said:
I think people think testing what the server and network people did would be a full time job, like the configuration somehow would change daily or something.
In theory, in an enormous environment, you might have a few people doing this, in theory. It does not take too many, especially as many environments change very slowly, and often you would want an outside firm doing this just so that there is clear incentive on one side to block them and on the other side to succeed. But this is rare, super expensive and mostly automatable so you don't need a huge team for an amazingly large number of systems.
And what environment is so locked down that they would want to do this? Some, but not many. Most places have known holes and just guess that it is not worth locking them down. In the real world, putting money into securing known issues goes a lot farther than hiring expensive people to sit around full time reminding you that you are paying to know where the holes are rather than having filled the ones you already knew about.
But you are completely correct. It seems to be everyone's assumption that it takes an army of specially trained hacker ninjas running around the clock to see if they can break in. As if your environment changes daily and there is always a new way in or a new technique that they just learned about. When in reality, one guy and a script would do 99% of the job.
-
And think about how many things cannot be reasonably secured. Heartbleed is a great example. You discover you have Heartbleed, so either you wait for a patch and hope for the best or it is available and you patch right away. A security department telling you that things are vulnerable does no good as you would have already known. You just need people to help with the actual patching!