WE NEED SECURITY PROS ZOMGWTFBBQ

Started by deanwebb, April 17, 2015, 09:23:11 AM


deanwebb

http://www.scmagazine.com/shortfall-of-security-pros-increasingly-deliberate-attacks-worry-survey-respondents/article/409402/

Want some more job security? Get into security!

From the article: "To help close the skills gap, ISACA Thursday unveiled seven new Cybersecurity Nexus (CSX) certifications that combine skills-based training with performance-based exams and certifications. Courses will be available starting in the third quarter of 2015."

MOAR CERTS! YESH!

http://www.isaca.org/cyber/Pages/default.aspx

I'll keep my CCNP-Security current, but I'd like to pick up the CSX certs, as well. Anyone here have any knowledge of these, or will I be the first to take the plunge?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

Never heard of them before or seen them in job descriptions. Are they widely recognized?

Otanx

ISACA is pretty well regarded, and recognized. The certs are new so we will see how that works out. However, I am getting frustrated that everyone seems to think offering more certifications in cyber security is the way to increase the work force. We need more people, not the same people with more letters after their names.

-Otanx

deanwebb

These aren't entry-level, either... Tests cost between $500 and $850. Ouch.

But amen to needing people to fill in roles. We're to the point where we'll take a good R&S guy looking for something new, if he'll do security.

I'm wondering if contract opportunities for security get yanked in favor of making them FTE positions, just because that'll be what it takes to get a guy to consider a position.

NetworkGroover

Quote from: Otanx on April 17, 2015, 10:50:35 AM
ISACA is pretty well regarded, and recognized. The certs are new so we will see how that works out. However, I am getting frustrated that everyone seems to think offering more certifications in cyber security is the way to increase the work force. We need more people, not the same people with more letters after their names.

-Otanx

Wow... that's a pretty astounding statement. Kudos.
*Disclaimer:  I'm not a security guy - just thought your statement was pretty deep, and valid.
Engineer by day, DJ by night, family first always

that1guy15

I actually have a BS in Security and that was my desired area when I was first getting started. In my first real job and about halfway through my MBA I said screw this, and jumped back over to R&S. I'm still very security minded but it's an uphill fight that I just don't want to be a part of.

From what I have experienced, security will always be second (or lower) priority to business. So a perfectly good security plan will always be screwed up by management. Then when something happens you and your team are to blame since you wear the security badge. Nope, no thanks.

I know there are exceptions out there.

I have a ton of respect for Sec guys and what y'all have to deal with so don't take this as me bashing you. I actually have always gotten along with the security team when others can't.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

deanwebb

When folks want to go second rate, I always politely note my concerns. That's a lot nicer than screaming, "YOU'RE ALL FOOLS! FOOOOOLS!" as I storm out of a meeting, tears of passion and betrayal streaming down my face. Also gets better results. Emotional response: "Oh, he's just a prima donna that's bent out of shape because we didn't do things exactly his way."

But the polite note? "Saaaay... this means I don't have plausible deniability if we have a breach, and he documented the concern, so we can't pin it on him not informing us of the risk... maybe we should spend a little more time on thinking this solution through..."

***

As it is, most entry-level security jobs involve setting firewall rules and dealing with questions about whether or not the firewall is blocking things...

:notthefirewall:

hizzo3

It's hard to make a case for avoided risk on something whose cost you can't truly justify. At least if you break a law, you have a starting point with fines. If you lose your data center, you can't say this would cost us 1.5 million with any reasonable certainty. This is why security tends to take a back seat. Until there are laws and regulations that must be followed, don't expect it to get better any time soon. In the meantime, companies will continue to cease to exist because the economic losses from a data breach, etc. are too much to recover from. Would "too big to fail" apply here too? I think I see the start of the next big recession.

SimonV

My previous job was mostly R&S and Wireless, which I loved. Lots of travel, hands-on projects and troubleshooting. Currently I'm working in more of a mid-level security role and frankly, most of it is just paperwork, meetings and dealing with all sorts of silly problems.

For example, we are implementing a certain NGFW and the last three weeks we've been buried in all sorts of tickets, ranging from AD problems or wrong credentials to agent installations that went wrong.

deanwebb

Security is definitely a role where having sysadmin skills comes in very, very handy.

Fred

Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.

Take Amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures Amazon could put in place that would greatly reduce fraud.

Those security professionals would be right, but they're only doing half the calculation. You have to balance the need for security against the needs of the business, and in Amazon's case, one of their primary needs is to make it as simple as possible for consumers to order product. And it turns out, Amazon makes more money--including those costs from fraud--by being less secure.

Risk is the probability of an event times the cost of that event, and this needs to be compared to the cost of the protection.
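The "full calculation" Fred describes, worked through as an added example (not code from anyone in this thread): expected annual loss before and after a control, minus the control's running cost, minus the revenue lost to checkout friction. It goes one step beyond the post by comparing a blanket control with a scoped one, since the friction term is what usually decides the answer. All figures are constructed, not real retailer data.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One security control weighed against the loss it reduces (annual figures)."""
    name: str
    rate_before: float        # expected incidents per year without the control
    rate_after: float         # expected incidents per year with the control
    cost_per_incident: float  # direct loss per incident (refund, reshipping, support)
    control_cost: float       # deployment and operating cost of the control per year
    friction_loss: float      # revenue lost because the control makes ordering harder


def annual_loss_expectancy(rate: float, cost_per_incident: float) -> float:
    """Risk as the thread defines it: probability (here, expected frequency) times cost."""
    return rate * cost_per_incident


def net_benefit(s: Scenario) -> float:
    """Money saved per year by adopting the control, after paying for it and its friction.

    A negative result means the business is better off accepting the residual risk,
    which is the "sometimes the best answer is to be insecure" case from the post.
    """
    avoided = annual_loss_expectancy(s.rate_before, s.cost_per_incident) \
        - annual_loss_expectancy(s.rate_after, s.cost_per_incident)
    return avoided - s.control_cost - s.friction_loss


def recommend(s: Scenario) -> str:
    """Decision rule: adopt the control only if it pays for itself."""
    return "adopt" if net_benefit(s) > 0 else "accept risk"


# Constructed scenarios. Same fraud problem, two very different friction costs.
MANDATORY_2FA = Scenario(
    "mandatory two-factor on every checkout",
    rate_before=20_000, rate_after=2_000, cost_per_incident=150.0,
    control_cost=400_000.0, friction_loss=3_500_000.0)

RISK_BASED_2FA = Scenario(
    "step-up auth only when shipping to a never-seen address",
    rate_before=20_000, rate_after=6_000, cost_per_incident=150.0,
    control_cost=250_000.0, friction_loss=150_000.0)


if __name__ == "__main__":
    for s in (MANDATORY_2FA, RISK_BASED_2FA):
        print(f"{s.name}: net {net_benefit(s):,.0f}/yr -> {recommend(s)}")
```

The blanket control loses money even though it stops more fraud; the scoped one wins because it keeps most of the fraud reduction while barely touching the ordinary checkout flow.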

jinxer

Quote from: Fred on April 18, 2015, 11:34:13 PM
Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.

Take Amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures Amazon could put in place that would greatly reduce fraud.

Those security professionals would be right, but they're only doing half the calculation. You have to balance the need for security against the needs of the business, and in Amazon's case, one of their primary needs is to make it as simple as possible for consumers to order product. And it turns out, Amazon makes more money--including those costs from fraud--by being less secure.

Risk is the probability of an event times the cost of that event, and this needs to be compared to the cost of the protection.

Good post :)

deanwebb

That is sad, but true. Most people are too stupid and impatient to actually want security. That's why the best spies are the patient ones.

hizzo3

Quote from: Fred on April 18, 2015, 11:34:13 PM
Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.

Take Amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures Amazon could put in place that would greatly reduce fraud.

Quote from: jinxer on April 19, 2015, 04:37:42 AM

Good post :)

http://www.businessinsider.com/amazon-hit-with-91000-faa-fine-2014-4
I'm sure that is the same argument used in this instance. How much money can they still make before they bring down a plane full of people, or a cargo plane in a city?
A lot of risk management is intangible but still must be factored in somehow.

deanwebb

Learned today:

"The hacker *may* show up. The auditor *will* show up."