Are Security Careers Real?
-
@SamieWalters said in Are Security Careers Real?:
There is a program called CyberPatriot that is teaching kids in middle and high school cyber security. The idea behind this is that we are not creating the correct IT workforce needed to fill these jobs or so the people pitching the program (and LAUSD) say. I would love to hear @scottalanmiller talk to them about what he has seen in the industry.
I think that security training is awesome and that we need tons more of that. But that it needs to be something that everyone does rather than making loads of specific roles around it. As long as security is something that "someone else" does, we won't be very secure.
-
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
-
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
-
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
I've dealt with similar, where HR wanted to GIVE me their passwords so I could just login and take care of things when they were at meetings.
-
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
-
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
Which is an identify theft problem.
-
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
Which is an identify theft problem.
Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.
-
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
Which is an identify theft problem.
Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.
I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".
-
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
Which is an identify theft problem.
Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.
Um, yeah. That's "intent to defraud" and a variety of other charges before getting the SEC and other agencies involved.
-
@ChrisL said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
Which is an identify theft problem.
Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.
I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".
Yup... let's see how this starts off in court... we can show...
- Intent to steal her identity through forced actions beforehand
- Standard industry documentation that requesting passwords in this way is identify theft and absolutely violates security
- Identity transferred to manager demanding credentials
- HR details exposed
- Wrongdoing happened
- Manager who took identity fires innocent party to cover up his own actions as the owner of the credentials
Um, yeah. Being fired BY the person who made the mistake who set the whole thing up ahead of time? Um....
-
@scottalanmiller said in Are Security Careers Real?:
@ChrisL said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@Dashrender said in Are Security Careers Real?:
A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.
I wanna say she said it was Ameritrade, but I could be wrong.
Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.
To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.
Which is an identify theft problem.
Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.
I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".
Yup... let's see how this starts off in court... we can show...
- Intent to steal her identity through forced actions beforehand
- Standard industry documentation that requesting passwords in this way is identify theft and absolutely violates security
- Identity transferred to manager demanding credentials
- HR details exposed
- Wrongdoing happened
- Manager who took identity fires innocent party to cover up his own actions as the owner of the credentials
Um, yeah. Being fired BY the person who made the mistake who set the whole thing up ahead of time? Um....
#ClimbingTheLadder
#JustCorporateThings
#LoveMyCoworkers
#EqualOpportunity
#DunningKruger -
I'm so confused with the course of this SEC conversation...
What happened / when is this person throwing a party?
-
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Who's job is it to manage an IDS system with very complex rules? Does the IT team have time to do actual penetration testing and keep improving security based on the results?
Sure you could hire 3rd party pen testers, but if you aren't testing internally when will you actually have time to fix all the vulnerabilities?
IMO IT Security is an actual thing. Since I am an IT Security professional that has transitioned from System Administration, I can tell you it is real. It is challenging, and most importantly it is rewarding.
-
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
-
@Carnival-Boy said in Are Security Careers Real?:
@scottalanmiller said:
I know that there are some security specialty shops out there (I've been asked to lead teams for one of them.) But even big ones that I have worked with just use skilled "normal" IT people, not "security" specialists.
I would have thought that a good security guy is a good generalist as you need to have a good understanding of all applications in order to gain a good understanding of where those application vulnerabilities lie. For example, you need a modest understanding of SQL in order to understand SQL vulnerabilities like SQL injection. So if I was forming a crack team of security experts I'd want a SQL guy, a web guy, a Windows guy etc etc. A bit like the A-team, with BA Baracus as my Windows guy.
Or you just need a guy that is a pen tester that understands how to find SQL injection. One professional can do all this from Kali. You can easily find Windows, Linux, and web vulnerabilities using prebuilt tools in Kali. Understanding the actual exploitation takes some knowledge. That is why good security people have a background in System or Network Administration.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
-
@MattSpeller said in Are Security Careers Real?:
Security I thought was a real golden ticket at first, then you realize that if someone wants in they'll win eventually, no matter what you do. I don't like to lose and that'd be a struggle for me.
That isn't the best ideology. The same thing goes for your house. If somebody really wants in your house they are going to get in no matter what you do.
99% of the time you aren't a specific target, you get scoped out then hit with an attack. Scoping out a network is kind of like scoping out a house. It isn't exactly illegal to walk by a house, look at the windows , doors, etc to see how easy it is to get in. If you have no locks and keep your door open you are going to be robbed more often than someone who has their doors locked and has a guard dog.
-
@Dashrender said in Are Security Careers Real?:
@thecreativeone91 said:
And most companies do not care about security unless it costs them a lot, but then they still don't care about it or your data; They just care about the financial implications of it.
Ain't this the gal darn truth!
Security is entirely to inconvenient, and until it really starts costing them due to things like breaches, most just can't be bothered with the inconvenience.
True, but it is becoming less true today. With all these network breaches making top news, we are seeing medium size businesses develop a real concern for cyber security.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
The problem that with that security approach, though, is that is focuses on fixing things that are being missed, rather than focusing on not missing things.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
The problem that with that security approach, though, is that is focuses on fixing things that are being missed, rather than focusing on not missing things.
So do you go back and build it again from the ground up or do you fix things as you find them. Then going forward you configure things the right way.