http://www.scmagazine.com/shortfall-of-security-pros-increasingly-deliberate-attacks-worry-survey-respondents/article/409402/
Want some more job security? Get into security!
From the article: "To help close the skills gap, ISACA Thursday unveiled seven new Cybersecurity Nexus (CSX) certifications that combine skills-based training with performance-based exams and certifications. Courses will be available starting in the third quarter of 2015."
MOAR CERTS! YESH!
http://www.isaca.org/cyber/Pages/default.aspx
I'll keep my CCNP-Security current, but I'd like to pick up the CSX certs, as well. Anyone here have any knowledge of these, or will I be the first to take the plunge?
Never heard of them before or seen them in job descriptions. Are they widely recognized?
ISACA is pretty well regarded, and recognized. The certs are new so we will see how that works out. However, I am getting frustrated that everyone seems to think offering more certifications in cyber security is the way to increase the work force. We need more people, not the same people with more letters after their names.
-Otanx
These aren't entry-level, either... Tests cost between $500 and $850. Ouch.
But amen to needing people to fill in roles. We're to the point where we'll take a good R&S guy looking for something new, if he'll do security.
I'm wondering if contract opportunities for security get yanked in favor of making them FTE positions, just because that'll be what it takes to get a guy to consider a position.
Quote from: Otanx on April 17, 2015, 10:50:35 AM
ISACA is pretty well regarded, and recognized. The certs are new so we will see how that works out. However, I am getting frustrated that everyone seems to think offering more certifications in cyber security is the way to increase the work force. We need more people, not the same people with more letters after their names.
-Otanx
Wow.. that's a pretty astounding statement. Kudos.
*Disclaimer: I'm not a security guy - just thought your statement was pretty deep, and valid.
I actually have a BS in Security and that was my desired area when I was first getting started. In my first real job and about halfway through my MBA I said screw this, and jumped back over to R&S. I'm still very security minded but it's an uphill fight that I just don't want to be a part of.
From what I have experienced, security will always be second (or lower) priority to business. So a perfectly good security plan will always be screwed up by management. Then when something happens you and your team are to blame since you wear the security badge. Nope, no thanks.
I know there are exceptions out there.
I have a ton of respect for Sec guys and what y'all have to deal with, so don't take this as me bashing you. I actually have always gotten along with the security team when others can't.
When folks want to go second rate, I always politely note my concerns. That's a lot nicer than screaming, "YOU'RE ALL FOOLS! FOOOOOLS!" as I storm out of a meeting, tears of passion and betrayal streaming down my face. Also gets better results. Emotional response: "Oh, he's just a prima donna that's bent out of shape because we didn't do things exactly his way."
But the polite note? "Saaaay... this means I don't have plausible deniability if we have a breach, and he documented the concern, so we can't pin it on him not informing us of the risk... maybe we should spend a little more time on thinking this solution through..."
***
As it is, most entry-level security jobs involve setting firewall rules and dealing with questions about whether or not the firewall is blocking things...
:notthefirewall:
It's hard to make a case for avoided risk on something whose cost you can't truly justify. At least if you break a law, you have a starting point with fines. If you lose your data center, you can't say this would cost us 1.5 million with any reasonable certainty. This is why security tends to take a back seat. Until there are laws and regulations that must be followed, don't expect it to get better any time soon. In the meantime, companies will continue to cease to exist because the economic losses from a data breach, etc. are too much to recover from. Would too big to fail apply here too? I think I see the start of the next big recession.
My previous job was mostly R&S and Wireless, which I loved. Lots of travel, hands-on projects and troubleshooting. Currently I'm working in more of a mid-level security role and frankly, most of it is just paperwork, meetings and dealing with all sorts of silly problems.
For example, we are implementing a certain NGFW and for the last three weeks we've been buried in all sorts of tickets, ranging from AD problems or wrong credentials to agent installations that went wrong.
Security is definitely a role where having sysadmin skills comes in very, very handy.
Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.
Take amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures amazon could put in place that would greatly reduce fraud.
Those security professionals would be right, but they're only doing half the calculation. You have to balance the need for security against the needs of the business, and in amazon's case, one of their primary needs is to make it as simple as possible for consumers to order product. And it turns out, amazon makes more money--including those costs from fraud--by being less secure.
Risk is the probability of an event times the cost of that event, and this needs to be compared to the cost of the protection.
Quote from: Fred on April 18, 2015, 11:34:13 PM
Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.
Take amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures amazon could put in place that would greatly reduce fraud.
Those security professionals would be right, but they're only doing half the calculation. You have to balance the need for security against the needs of the business, and in amazon's case, one of their primary needs is to make it as simple as possible for consumers to order product. And it turns out, amazon makes more money--including those costs from fraud--by being less secure.
Risk is the probability of an event times the cost of that event, and this needs to be compared to the cost of the protection.
Good post :)
Sent from my iPhone using Tapatalk
That is sad, but true. Most people are too stupid and impatient to actually want security. That's why the best spies are the patient ones.
Quote from: Fred on April 18, 2015, 11:34:13 PM
Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.
Take amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures amazon could put in place that would greatly reduce fraud.
Quote from: jinxer on April 19, 2015, 04:37:42 AM
Good post :)
Sent from my iPhone using Tapatalk
http://www.businessinsider.com/amazon-hit-with-91000-faa-fine-2014-4
I'm sure that is the same argument used in this instance. How much can they still make money before they bring down a plane full of people or cargo plane in a city.
A lot of risk management is intangible that still must be factored somehow.
Learned today:
"The hacker *may* show up. The auditor *will* show up."
Quote from: that1guy15 on April 17, 2015, 01:07:56 PM
From what I have experienced, security will always be second (or lower) priority to business. So a perfectly good security plan will always be screwed up by management. Then when something happens you and your team are to blame since you wear the security badge. Nope, no thanks
Yep, that about sums it up. Expediency wins every time, until there is a breach, then it's security's fault.
Also yeah, the mundane side of it is mind-numbingly tedious, not to mention exasperating to explain to n00bs (I recall having a long argument with an HP offshore team because they didn't understand the concept of stateful firewalls and kept wanting return ports explicitly opened up, even when I pointed out that the return packet's destination port would not use the 'application port'... even after telling them to google sockets).
You can't pay me to go over to Sec and believe me recruiters try all the time. It's this CCNP Sec that I've pretty much half forgotten.....
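The stateful-firewall point in the post above, as an added example that is not from the thread: a toy connection-tracking filter (all names, addresses and packets are constructed) showing why a stateful device admits the reply without an explicit "return port" rule, and why opening the ephemeral port on a stateless filter lets unsolicited traffic in too.

```python
"""
Toy packet filters illustrating stateful vs. stateless handling of return
traffic. Constructed example: addresses, ports and packets are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # True for a new TCP connection attempt

    def key(self):
        # Forward 5-tuple as stored in the state table.
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        # The 5-tuple a reply would match against: endpoints swapped.
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatelessFilter:
    """Permits a packet only if its destination port is explicitly allowed."""

    def __init__(self, allowed_dst_ports):
        self.allowed = set(allowed_dst_ports)

    def permit(self, pkt):
        return pkt.dst_port in self.allowed


class StatefulFilter:
    """Permits new connections to allowed ports, records them, and permits
    replies by matching the reversed 5-tuple, so no inbound rule is needed."""

    def __init__(self, allowed_dst_ports):
        self.allowed = set(allowed_dst_ports)
        self.table = set()  # tracked connections (forward 5-tuples)

    def permit(self, pkt):
        if pkt.key() in self.table:          # established, client -> server
            return True
        if pkt.reverse_key() in self.table:  # reply to a tracked connection
            return True
        if pkt.syn and pkt.dst_port in self.allowed:
            self.table.add(pkt.key())        # start tracking this connection
            return True
        return False


def simulate(filter_obj, packets):
    return [filter_obj.permit(p) for p in packets]


CLIENT, SERVER, STRANGER = "10.0.0.5", "192.0.2.10", "198.51.100.7"
FLOW = [
    Packet(CLIENT, 51234, SERVER, 443, syn=True),  # client opens HTTPS
    Packet(SERVER, 443, CLIENT, 51234),            # reply: dst port is 51234, not 443
    Packet(STRANGER, 40000, CLIENT, 51234),        # unsolicited packet to the same port
]


def stateless_results():
    # Only port 443 allowed: the legitimate reply is dropped.
    return simulate(StatelessFilter({443}), FLOW)


def stateless_with_return_rule():
    # "Open the return port": the reply passes, but so does unsolicited traffic.
    return simulate(StatelessFilter({443, 51234}), FLOW)


def stateful_results():
    # Connection tracking: reply passes, unsolicited packet still dropped.
    return simulate(StatefulFilter({443}), FLOW)
```

Real client ephemeral ports change per connection, so the stateless "fix" would have to open a whole port range, which is exactly the exposure a stateful device avoids.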
Quote from: hizzo3 on April 20, 2015, 08:05:06 PM
http://www.businessinsider.com/amazon-hit-with-91000-faa-fine-2014-4
I'm sure that is the same argument used in this instance. How much can they still make money before they bring down a plane full of people or cargo plane in a city.
A lot of risk management is intangible that still must be factored somehow.
Yep. You have to figure out a way to apply figures to those intangibles. In general, I find the more intangible, the more the likelihood drops. And I suspect from your article, that the $91,000 they had to pay probably reinforced their decision rather than changing the equation.
Quote from: that1guy15
From what I have experienced, security will always be second (or lower) priority to business.
Is the suggestion that security should be the #1 priority to business?
Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.
Lost 100 million accounts? Thank goodness we got 700 million more... but if a hacker shuts down a critical router, it's basically an RMA for a resolution. When a security breach leads to loss of life or destruction of facilities, then it's no longer just a money cost to fix things. Stuxnet has been that threat for Iranian nuclear research facilities, but not much of a news item elsewhere. Even if it's because other Stuxnets are kept hush-hush, the perception is generally that it's not an issue.
Hit government facilities or specific targets such as power stations or dams, then it's seen as an issue only for those sectors.
If malware could actually transfer ownership of a company from a group of shareholders to an anonymous foreign identity, basically pulling off a *corporate* identity theft, then security would move to a #1 spot. I suppose other death knells would be a hijacking of the purchasing invoice system, sending out orders to a zillion vendors all at once. If vendors are part of the scam, then they would demand payment or file a suit claiming the company is in default on its obligations, which would create a credit nightmare for that firm, and that can shut its doors. The "vendors" would exist not to do business, but to be shell companies to participate in the takedown of a rival.
Did you see the article about being able to hack into a plane while it's in flight? That's not scary at all :'(
http://www.dailymail.co.uk/news/article-3046272/Security-Researcher-banned-United-flight-tweeted-systems-hacked.html
That's the sort of thing that, for now, stays academic. Honestly, why a nutcase extremist organization hasn't taken to stuff like this absolutely amazes me.
Consider: this guy was known only because he tweeted about it. Imagine if [DISCUSSION OF CLANDESTINE CRIMINAL ACTIVITY - I self-edited this - but it's quite ingenious if I say so myself], well that creates a huge safety concern that could be a signal of a very rough time for that airline.
What to do with that information for the hacking group attacking the airline is then their next question. If they want to take credit, then they should also publish how they did it so that all airlines around the world are faced with either instantly securing all their flight systems or banning use of all electric devices - employing EM sweepers to see if any are on. Even a shielded device would reveal itself with wireless communications, so that would be highly effective. It would also be highly annoying. Recall that smoking wasn't banned on flights until after computers made an entrance... so imagine NYC-LA six-hour flights with no smoking and no electronic devices... inflight entertainment would have to be kept shut off so that the EM sweeper could make proper report of threats. No texting on the tarmac, either. You get to use your device once you're in the airport, not a minute sooner.
If the group does not take credit, then they can keep doing those kinds of moves until caught. Then, do as above. Big reveal, neener neener neener, airline industry takes a huge whack.
At any rate, devices are made to work, not to be secure. That is a huge hole and it will bite us hard in the backside one day when someone figures out exactly what to do with that hole.
Perhaps the hacking money is better in organized crime, which has an interest in keeping hosts alive while they leech profits off of them.
One thing that bothers me in general about airport security is how [ANOTHER DISCUSSION OF CRIMINAL ACTIVITY, THIS TIME OVERT]. I mean, all a group of guys has to do is [CONTINUED DISCUSSION OF CRIMINAL ACTS] and then every flight at that airport would be grounded, all because of a couple of guys in pickup trucks with [ILLEGAL STUFF HERE, TOO]. Conversely, a guy could show up with [I REALLY SHOULD STOP DISCUSSING CRIMINAL ACTIVITY IF I DON'T WANT TO WIND UP BANNING MYSELF] and that's all she wrote for the [REALLY SHOULDN'T MENTION THIS PART, EITHER].
I leave unsaid things that could threaten forum members' security clearances, but I make redacted reference to them to show that there is a huge difference between actual security and security theater - acts that are done to make us think we're secure. I once entered the Holocaust Museum in Paris and faced a security check way more stringent than any airport screening. That was some serious business security. I know that many companies probably go for the appearance of security first and then worry about spending enough for actual security as an afterthought.
Quote from: deanwebb on April 27, 2015, 11:56:55 AM
Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.
And I honestly see it going the other way. We are going to make it so that security breaches aren't as big a cost for business, and security will take a further backseat.
Make it traceable and retractable. It almost is already. A huge amount of fraudulent transactions are currently stopped before anybody has actually gained anything. This is what's going to get stronger: detection and response. Prevention is a loser's game: the good guys have to plug every hole, while the bad guys only have to find one. To stop this, we need to have recourse after the bad guys found it.
Companies have already looked into and purchased a variety of cyber policies.
Quote from: hizzo3 on April 29, 2015, 03:56:34 PM
Companies have already looked into and purchased a variety of cyber policies.
This should be moved to the joke thread. :banana:
Quote from: Fred on April 28, 2015, 10:38:46 PM
Quote from: deanwebb on April 27, 2015, 11:56:55 AM
Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.
And I honestly see it going the other way. We are going to make it so that security breaches aren't as big a cost for business, and security will take a further backseat.
Make it traceable and retractable. It almost is already. A huge amount of fraudulent transactions are currently stopped before anybody has actually gained anything. This is what's going to get stronger: detection and response. Prevention is a loser's game: the good guys have to plug every hole, while the bad guys only have to find one. To stop this, we need to have recourse after the bad guys found it.
I am not sure what you mean by "make it so that security breaches aren't as big a cost for business"; how do you do that? The only thing I can come up with is cyber insurance, or regulation. Cyber insurance just helps with part of the cost to business, and as the cyber insurance industry grows the insurance companies are going to require some level of security and audits which will actually help secure companies. Regulation or laws on limiting the liability that companies face because of a breach also only cover part of the cost. You still have the loss of reputation, etc. which will lead to loss of customers.
On your second paragraph I agree detection and response is the important part, and prevention can never be perfect. However, prevention should not be ignored. You still need to patch known vulnerabilities, encrypt data at rest and in transit, two factor authentication, etc. To get better at detection and response however there needs to be sharing of data. If company A gets hit by an attack the detection gets easier if they tell companies B, C, and D how the attack happened. Right now there is no incentive for company A to release that information. Especially if companies B, C, and D are competitors. That just gives them an advantage over company A, and so it is actually in the best interest of company A to not share that data, and hope the other companies get hit, and also have to pay for the cost of recovery. I am not even getting into the weeds and talking about the lack of a good framework on sharing threat information that could be used to automate detection/response.
-Otanx
Quote from: Otanx on April 30, 2015, 09:43:56 AM
Quote from: Fred on April 28, 2015, 10:38:46 PM
Quote from: deanwebb on April 27, 2015, 11:56:55 AM
Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.
And I honestly see it going the other way. We are going to make it so that security breaches aren't as big a cost for business, and security will take a further backseat.
Make it traceable and retractable. It almost is already. A huge amount of fraudulent transactions are currently stopped before anybody has actually gained anything. This is what's going to get stronger: detection and response. Prevention is a loser's game: the good guys have to plug every hole, while the bad guys only have to find one. To stop this, we need to have recourse after the bad guys found it.
I am not sure what you mean by "make it so that security breaches aren't as big a cost for business"; how do you do that? The only thing I can come up with is cyber insurance, or regulation. Cyber insurance just helps with part of the cost to business, and as the cyber insurance industry grows the insurance companies are going to require some level of security and audits which will actually help secure companies. Regulation or laws on limiting the liability that companies face because of a breach also only cover part of the cost. You still have the loss of reputation, etc. which will lead to loss of customers.
On your second paragraph I agree detection and response is the important part, and prevention can never be perfect. However, prevention should not be ignored. You still need to patch known vulnerabilities, encrypt data at rest and in transit, two factor authentication, etc. To get better at detection and response however there needs to be sharing of data. If company A gets hit by an attack the detection gets easier if they tell companies B, C, and D how the attack happened. Right now there is no incentive for company A to release that information. Especially if companies B, C, and D are competitors. That just gives them an advantage over company A, and so it is actually in the best interest of company A to not share that data, and hope the other companies get hit, and also have to pay for the cost of recovery. I am not even getting into the weeds and talking about the lack of a good framework on sharing threat information that could be used to automate detection/response.
-Otanx
Cyber insurance... sounds like you just came up with a new business!
Quote from: AspiringNetworker on April 30, 2015, 10:30:56 AM
Cyber insurance... sounds like you just came up with a new business!
I wish. It has been around for a few years. It got a big boost after the Target, Home Depot, Sony, etc. breaches.
-Otanx
Quote from: Otanx on April 30, 2015, 09:43:56 AM
I am not sure what you mean by "make it so that security breaches aren't as big a cost for business" how do you do that?
What if we could find ways to make sure that the person who uses a credit card can be affirmatively identified? Then it doesn't matter who steals my credit card, that person is going to be caught. This would also make the stolen credit card worthless. That's another tough and expensive problem, but it may be an easier and cheaper one than preventing every possible method by which a credit card could be stolen.
Even if there's full validation of who is the right person to use the card, card readers can be hacked to have more than one reading "bump" in them, with the second reader leeching power from the main device and sending info to a Raspberry Pi box on the local guest network.
PROTIP: Before you run your card through a self-swipe scanner, make sure there's only one bump in the card reading slot. If there's more than one, you just saw something, so say something.
Back on topic, we *still* need people to fill in security roles. While I like to think of security as a good entry-level opportunity for people I know that are getting started in networking, I'm not thrilled that security roles are going to be going to lots of entry-level people for some time to come. I know that's the only way to get seasoned professionals, if they start somewhere, but that's just it. There's either a vacancy or a new kid in a lot of security roles, and that means there are lots of firms out there that are getting compromised good and hard. I just hope I don't do business with them... but I probably do...
It is going to be hard for a few years on the security front. There are a few ways to handle this. One is to train from the ground up. This is the longest path, but probably the easiest. There are a lot of new IT guys who want to do security because it is seen as a high paying growth sector of IT. You just have to weed out the ones who are not really interested, and just want a pay check. The speed of change in security is too fast for the 9 to 5 guy to keep up with. If you don't want to learn off the clock you will fall behind. Another way to address the shortage is to get seasoned IT guys who want to move to security. They can have any background, network, systems, DBA, anything. Give them some training on security, and adjust how they think from "make it work" to "make it secure". Of course these guys will want bigger pay checks, and changing the mind set of working over security may be hard. However, this lets you jump over the entry level, and get some mid range security pros quickly. The real answer is a mix of both of those, and probably other methods I have not even thought of.
-Otanx
I read the SANS ISC web site almost every day. I like security and all, but they go deep sometimes, to places I wouldn't want to go as a professional. It takes a special mindset to get waist deep in the security trenches, and I can't see any entry level security professionals going there, at least without significant training.
True, true. But that may be what we have to do, given how there's such a massive demand... and it's not like lots of money attracts people to a job. There are unfilled jobs in R&S, just as in security, but people leave off of a networking career because "it's hard" and "there seems to be lots of math".
Quote from: deanwebb on May 05, 2015, 11:17:36 AM
True, true. But that may be what we have to do, given how there's such a massive demand... and it's not like lots of money attracts people to a job. There are unfilled jobs in R&S, just as in security, but people leave off of a networking career because "it's hard" and "there seems to be lots of math".
So rather than it being hard, they are going to reverse engineer some malware, to determine what it's actually doing?
Is that _not hard_? I've never done it, so I don't know if it's hard or not. Ya really gotta be a detective and really good at puzzles. I see the demand, I also see the workload; for myself I don't want to go down that road.
I'm quite happy working with Cisco announcements, CVEs, Nessus scans, to determine vulnerabilities on my devices, analyzing the announcements, and verifying devices and configs to determine if the device is actually vulnerable, looking at services, mitigating, or reading release notes, doing bug searches, downloading, testing, staging new code, scheduling outages, sending notifications, performing IOS upgrades, and verifying that the device is no longer vulnerable. This keeps me quite busy. It's one of my major tasks here where I work, by default, because nobody else wants to do it. But I enjoy it. But that's as deep into security as I really desire to go. It's a lot of work, especially these days with the number of Cisco advisories that are being updated every few days. But this is a great way for someone to get their feet wet, before moving into the hardcore security analyst position.
Quote
because nobody else wants to do it
Honestly, I wonder how much I can get away with because it'll be so hard finding my replacement... but my sense of professional pride keeps me from exploring that temptation.