Date: Tue Dec  6 17:54:32 2005
From: srenna at lcssecuritygroup.com (Scott Renna)
Subject: IT security professionals in demand in 2006

The certs get you in the door

Being crappy at your job and showcasing your shortcomings will show you 
out the door.

sk wrote:
>> Not everyone who gets involved in security gets there because it was
>> the primary objective. The implication I was trying to make was that
>> some people get pushed down the security road. If they actually go
>> down that road they will focus on practical security, and start to
>> learn more, but it takes something to push them down that road.
>
> Well, ok then, they are in the security field, but it doesn't make them
> "professionals". Not everyone with a CISSP is a professional, and it's
> simply to show off to bosses and people who aren't familiar with the IT
> security field. I've been into security for 11+ years; I surely know
> what I am talking about.
>
>> Yes, I do. At least to 19-21 year olds at community colleges. I
>> regularly speak to students about to head out into the field after
>> taking courses to learn about networking or information security
>> courses to let them know what the real world is like. I use the
>> security guard analogy and it clarifies a lot of things. Most of the
>> people in these courses recognize the lack of respect for mall
>> security guards they had only a few years earlier, and at the same
>> time the enhanced (generally speaking) respect a person has for
>> someone driving an armored car. It is not a perfect example, but as an
>> analogy it clarifies things fairly well.
>
> Ok, fair enough, but you talk on a list where people have tons of certs
> and are security professionals, so no need to be so basic.
>
>> I disagree with this. Someone who is really interested in security who
>> does not have experience in the field, or at least knowledge of
>> business process, will do more harm than good. At least to pass the
>> CISSP you need to understand the basics of networking and some
>> formalized knowledge. It is not a good cert, but there is a minimum
>> 'you must have memorized at least this much' threshold to finish the
>> exam.
>
> I'm not talking about a complete moron. I mean someone who already
> understands the ins and outs of a network and is familiar with
> administration, but then goes into the security field and keeps
> learning. He soon will be way more skilled than anyone with a CISSP.
> Someone who's not familiar with different operating systems,
> administrating those, and a fair understanding of networks won't be able
> to go far in the security field anyway...
>
>> Compare that to someone who has read a few papers on security and
>> follows best practices (whose? why? etc). Small businesses can't
>> afford to hire expensive consultants, but they deserve better than
>> budding hackers to help them. Furthermore, if there is an incident the
>> business can be held liable for, pointing at a CISSP and saying he
>> helped set it up can go a long way to proving that at the very least
>> some due diligence was shown. Pointing at Timmy down the block who
>> sets up wireless is not going to have the same value from a business
>> perspective.
>
> Sure, this makes sense, but I was not talking about some kid in the
> basement, but a professional administrator, or even better a
> programmer, going into the security field out of interest. Then again,
> as I said, a small company will outsource security.
>
>> In the real world this can cost as much as $1000 CAD an hour, for a
>> cheap consultant. Ongoing support is unrealistic for many businesses.
>
> I know, it's not like I work on the moon, you know :P But I don't talk
> about constant support. A small company doesn't need that anyway. Once
> in a while, maybe once a year, have a real security audit of the
> network. With good administrators this is enough, as if they are told
> what's wrong with the network in the first place (i.e. when the company
> starts) and then take the advice and work based on it, a small company
> should be fine if they keep updating their software (which they will be
> told most likely by the security team that does the audit). Well, but
> this isn't the topic really, so never mind.
>
>> I know of a few that go out of the way to only hire IT guys that have
>> a security background. But they are definitely exceptions to the rule.
>
> Yes, surely they do, as some boss will obviously look at certs, but
> that's where we come to my original topic: those certs don't prove
> anything, so the CEO may think he hired a good security consultant and
> feels safe, but his trade secrets go out of the network all day
> unnoticed, as the security guy has no idea what's really going on. Most
> of them sit on their certs and think that's it, but without constantly
> learning you're going nowhere. They spend all their working time on
> their high paid asses and brag on some forums or mailing lists on how
> skilled they are.
>
>> Real world information security is about risk. It is an insurance
>> policy. You spend $X,XXX in the hopes that an incident that costs
>> $X,XXX,XXX won't happen. Until you convince business that ideal
>> security (not perfect, as we agree perfect is impossible) should be
>> the objective, not risk mitigation, businesses will not improve
>> spending.
>
> Yes, it's about risk, but this 1,000,000 $ or more cost after a
> security breach only applies to very large networks. Most of the time
> it's just that expensive because companies have to hire expensive
> security professionals, while the actual work wouldn't cost much at all.
>
>> To convince businesses that ideal security is better, we need to have
>> legislation that holds business owners accountable for security
>> failures that impact individuals other than shareholders.
>
> Most of the time you can only convince a CEO to pay more for security
> after they have been compromised, but that's life...
>
>> This is the unfortunate reality that security researchers and the
>> talented security professionals live in. This is not a world that
>> hackers live in. Hackers live in an academic world that lets them posit
>> scenarios where SHA-1 breaks are a legitimate threat (it will be soon,
>> but it is not a realistic or credible threat *right now*). Hackers,
>> regardless of their motivations, live in a world where the only limits
>> are their imagination, dedication, and willingness to overcome ethical
>> 'challenges' to gain access to facilities and resources they require to
>> push the boundaries of security.
>
> Well, I agree somehow, but then again many, many real hackers work in
> the professional security field and even sometimes hold such courses
> for certs, as they know exactly that no one is a professional after such
> a cert, but they get paid for it well, so why shouldn't they exploit
> that opportunity. I remember some text that vH from THC wrote, "hackers
> go cooperate" or something... might be a nice read for you :-)
>
> So, well, I just want to say that a security professional should be
> someone who is really professional, and a CISSP doesn't make you one.
>
> -sk
>
