Are Security Careers Real?
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
The problem that with that security approach, though, is that is focuses on fixing things that are being missed, rather than focusing on not missing things.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It never ceases to amaze me how many IT professionals think they know security, but they become the worse offenders. Dictionary passwords and excel password spreadsheets are much more common than you think.
Really just other roles failing to do their jobs, though.
Yes, but it is so common. Then when it does happen, finger get pointed. Is it the network guy's fault for setting insecure passwords on switches without telling anyone? Is it the desktop guy's fault for setting insecure passwords or not disabling UNC to other machines, is it the System Admin's fault for not using strict password policies, or is it the director's fault for not knowing what is going on or caring?
You need someone to find the weaknesses. It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there. They could also be so understaffed that they could never have the time to do the scanning and take the necessary training.
The problem that with that security approach, though, is that is focuses on fixing things that are being missed, rather than focusing on not missing things.
So do you go back and build it again from the ground up or do you fix things as you find them. Then going forward you configure things the right way.
-
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure. In reality, most IT professionals didn't build their network from the ground up. They were thrown into a mess of a reality and aren't even given the amount of time they should have to keep business going. Let alone go back and tighten things up.
It's not just going back and tightening things up either. Because it is highly unlikely you will know all the security holes with not knowing how to find them.
Then you have prevention to worry about going forward. Are you documenting new devices on the network, are you monitoring for brute force attacks, Man in the middle attacks, etc. The list goes on and on.
-
@IRJ said in Are Security Careers Real?:
It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there.
I don't think this can ever be true. It's always the person at the top of the IT food chains fault.
Example - IT manager tells IT staff that they can't afford backup software, IT cobbles things together, but it has a poor track record (yeah yeah, just leave it at this). New IT manager takes over, problem happens and IT can't restore because the backups didn't work.
Who's fault is this? really it's the old IT manager's fault - but it's also the new one's as well.
-
@Dashrender said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
It is also possible that is isn't anyone's fault because they may not know what bad passwords are out there.
I don't think this can ever be true. It's always the person at the top of the IT food chains fault.
Example - IT manager tells IT staff that they can't afford backup software, IT cobbles things together, but it has a poor track record (yeah yeah, just leave it at this). New IT manager takes over, problem happens and IT can't restore because the backups didn't work.
Who's fault is this? really it's the old IT manager's fault - but it's also the new one's as well.
The IT manager may not even know all the backdoor passwords. It is very possible there are extra user accounts added that he may not know about on various devices and servers. It's not like every time you login to a server, you check file permissions, user accounts, or run a dictionary attack against it.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
-
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
When I say internally and externally, I mean internally by the IT department and externally by a 3rd party.
-
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (Alienvault,OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team. So they can talk about the issues that are found.
-
@dafyre said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (Alienvault,OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team. So they can talk about the issues that are found.
Alienvault has alot of false positives and misses alot of stuff out of the box. I think it is a great system, but it requires some hours to get it configured correctly. Not to mention, who is actually testing AlienVault to make sure it is actually flagging stuff? I can run brute force attacks that won't be picked up by AlienVault if I slow my attacks down. How do you know it is actually detecting MIM attacks, and so on?
. Nessus reports are great, but I have noticed that Nessus sometimes ranks threats incorrectly. Which can be confusing for someone who isn't familiar with them.
-
@IRJ said in Are Security Careers Real?:
@dafyre said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
The question these days isn't really who should run it... There are a number of tools that can be automated to send reports (Alienvault,OpenVAS, Nessus)...
The question is really who should be reviewing the reports...
I would argue that it should be reviewed by the entire IT team. So they can talk about the issues that are found.
Alienvault has alot of false positives and misses alot of stuff out of the box. I think it is a great system, but it requires some hours to get it configured correctly. Not to mention, who is actually testing AlienVault to make sure it is actually flagging stuff? I can run brute force attacks that won't be picked up by AlienVault if I slow my attacks down. How do you know it is actually detecting MIM attacks, and so on?
. Nessus reports are great, but I have noticed that Nessus sometimes ranks threats incorrectly. Which can be confusing for someone who isn't familiar with them.
There's no tool that's not going to require some configuration or fine tuning. If you're doing this for in-house purposes, turn everything on and turn it (OpenVAS / Alienvault) loose and go over the reports as to what it finds.
You are very much right about Nessus and OpenVAS finding a lot of false positives. But so has every other tool I've seen (some more or less than others).
But the IT team can learn something by investigating the vulnerabilities reported by them as well -- even if they are false positives.
-
@IRJ said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller said in Are Security Careers Real?:
@IRJ said in Are Security Careers Real?:
@scottalanmiller I think you assume that most IT professionals are doing everything they can to be secure.
No, I don't. I just assume that that is the place to fix the problem. Likewise, you are assuming most people in security roles are secure, but they are not either. Often they are worse than the non-security IT people. I've had security consultants cause some pretty major security holes for customers that IT would never have done. The problem with people being insecure extends to the security people, sadly. So the issue with "people are insecure" is universal. So fixing the problem instead of bandaiding it is a better approach.
That logic is sound, but is generally not practical. From my experience with penetration testing is that there is always at least one glaring weakness that hasn't been identified by the IT department. Many times it is much more than one glaring weakness.
Out of all the IT professionals here, who has actually built their current network from the ground up? not many. Most have inherited something else.
I don't rule out pen testing. The question would more be "who should run it?"
And that is a fair question. Pen testing should be done both internally and externally IMO.
When I say internally and externally, I mean internally by the IT department and externally by a 3rd party.
Understood. And I would generally agree.
-
Interesting Discussion
-
-
-
Target needs security along with Sony
-
I friend of mine just made the transition to security. He said his pay doubled.
-
@VoIP_n00b said in Are Security Careers Real?:
I friend of mine just made the transition to security. He said his pay doubled.
What did he transition from?
