Are Security Careers Real?

wirestyle22

@scottalanmiller said in Are Security Careers Real?:

@wirestyle22 said in Are Security Careers Real?:

I've seen contracted IT work for 6-month terms but nothing full-time. I think Chase hires a lot of them. I'm sure some other banks do as well.

What kinds of positions? Having worked for those big banks, it's extremely rare. I've seen zero of that internally.

Security Analyst I, II, III etc. Auditing essentially.

scottalanmiller

@wirestyle22 said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@wirestyle22 said in Are Security Careers Real?:

I've seen contracted IT work for 6-month terms but nothing full-time. I think Chase hires a lot of them. I'm sure some other banks do as well.

What kinds of positions? Having worked for those big banks, it's extremely rare. I've seen zero of that internally.

Security Analyst I, II, III etc. Auditing essentially.

Okay, we don't generally consider those to be security OR IT jobs. That would explain it. Yes, I've seen tons of those in the banks. They are secretarial level jobs. The people doing them literally don't know how anything works. We would get questions like "why do we use SSH" or "can we prove Active Directory is useful."

Those are actually great examples of my point.... they appear to be security and/or IT jobs until you actually look and realize that are not actually a part of either discipline (normally.) Auditors are low cost, untrained people who do reports for checkmarking insurance or similar requirements. They are actually enemies to the security team. We've had the auditors try to have us disable security systems before.

IRJ

The IT Security field has blown up recently and yes you can definitely make a career out of security and not be an auditor. I did learn that there are IT security people who essentially Auditors and then you have people like me that do hacking and penetration testing. Penetration Testing takes real skills and real knowledge of various Operating Systems, network devices, and protocols.

SamieWalters

There is a program called CyberPatriot that is teaching kids in middle and high school cyber security. The idea behind this is that we are not creating the correct IT workforce needed to fill these jobs or so the people pitching the program (and LAUSD) say. I would love to hear @scottalanmiller talk to them about what he has seen in the industry.

scottalanmiller

@SamieWalters said in Are Security Careers Real?:

There is a program called CyberPatriot that is teaching kids in middle and high school cyber security. The idea behind this is that we are not creating the correct IT workforce needed to fill these jobs or so the people pitching the program (and LAUSD) say. I would love to hear @scottalanmiller talk to them about what he has seen in the industry.

I think that security training is awesome and that we need tons more of that. But that it needs to be something that everyone does rather than making loads of specific roles around it. As long as security is something that "someone else" does, we won't be very secure.

Dashrender

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

scottalanmiller

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

AdamF

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

I've dealt with similar, where HR wanted to GIVE me their passwords so I could just login and take care of things when they were at meetings.

Dashrender

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.

scottalanmiller

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.

Which is an identify theft problem.

Dashrender

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.

Which is an identify theft problem.

Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.

ChrisL

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.

Which is an identify theft problem.

Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.

I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".

scottalanmiller

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.

Which is an identify theft problem.

Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.

Um, yeah. That's "intent to defraud" and a variety of other charges before getting the SEC and other agencies involved.

scottalanmiller

@ChrisL said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.

Which is an identify theft problem.

Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.

I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".

Yup... let's see how this starts off in court... we can show...

• Intent to steal her identity through forced actions beforehand
• Standard industry documentation that requesting passwords in this way is identify theft and absolutely violates security
• Identity transferred to manager demanding credentials
• HR details exposed
• Wrongdoing happened
• Manager who took identity fires innocent party to cover up his own actions as the owner of the credentials

Um, yeah. Being fired BY the person who made the mistake who set the whole thing up ahead of time? Um....

MattSpeller

@scottalanmiller said in Are Security Careers Real?:

@ChrisL said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.

Which is an identify theft problem.

Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.

I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".

Yup... let's see how this starts off in court... we can show...

• Intent to steal her identity through forced actions beforehand
• Standard industry documentation that requesting passwords in this way is identify theft and absolutely violates security
• Identity transferred to manager demanding credentials
• HR details exposed
• Wrongdoing happened
• Manager who took identity fires innocent party to cover up his own actions as the owner of the credentials

Um, yeah. Being fired BY the person who made the mistake who set the whole thing up ahead of time? Um....

#ClimbingTheLadder
#JustCorporateThings
#LoveMyCoworkers
#EqualOpportunity
#DunningKruger

DustinB3403

I'm so confused with the course of this SEC conversation...

What happened / when is this person throwing a party?

IRJ

It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.

Who's job is it to manage an IDS system with very complex rules? Does the IT team have time to do actual penetration testing and keep improving security based on the results?

Sure you could hire 3rd party pen testers, but if you aren't testing internally when will you actually have time to fix all the vulnerabilities?

IMO IT Security is an actual thing. Since I am an IT Security professional that has transitioned from System Administration, I can tell you it is real. It is challenging, and most importantly it is rewarding.

scottalanmiller

@IRJ said in Are Security Careers Real?:

It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.

Really just other roles failing to do their jobs, though.

IRJ

@Carnival-Boy said in Are Security Careers Real?:

@scottalanmiller said:

I know that there are some security specialty shops out there (I've been asked to lead teams for one of them.) But even big ones that I have worked with just use skilled "normal" IT people, not "security" specialists.

I would have thought that a good security guy is a good generalist as you need to have a good understanding of all applications in order to gain a good understanding of where those application vulnerabilities lie. For example, you need a modest understanding of SQL in order to understand SQL vulnerabilities like SQL injection. So if I was forming a crack team of security experts I'd want a SQL guy, a web guy, a Windows guy etc etc. A bit like the A-team, with BA Baracus as my Windows guy.

Or you just need a guy that is a pen tester that understands how to find SQL injection. One professional can do all this from Kali. You can easily find Windows, Linux, and web vulnerabilities using prebuilt tools in Kali. Understanding the actual exploitation takes some knowledge. That is why good security people have a background in System or Network Administration.

IRJ

@scottalanmiller said in Are Security Careers Real?:

@IRJ said in Are Security Careers Real?:

It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.

Really just other roles failing to do their jobs, though.

Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?

You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.