IT Security Career: Technical Vs Governance/Policy

UnixGuy (Mod, Posts: 4,570)
Which one would you pick?

Pros and Cons of each?


Is it possible or even recommended to be an SME in both policy matters and technical matters?

What's your experience like working with either?

Let's discuss!
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Learn GRC! GRC Mastery : https://grcmastery.com 


Comments

  • TheFORCE (Member, Posts: 2,297)
    UnixGuy wrote: »
    Which one would you pick?

    Pros and Cons of each?


    Is it possible or even recommended to be an SME in both policy matters and technical matters?

    What's your experience like working with either?

    Let's discuss!

    I have so much to say about this topic, but I am heading out to work right now and will post my opinion later. To start, I want to tell you that governance and GRC are a very hot topic right now. There are so many things that you will like and so many things that you will not like.

    You see, technical roles are all about fixing or improving a service or a process that the users and the application owners see right away; they benefit from it because they see it and use it. The GRC programs, on the other hand, are all about policies, restrictions, and controls. These things do not help users or the application owners. They view these programs as something negative that is holding back their productivity, and because of that it is very tough to get buy-in from management; no one wants to work with you and no one thinks that you are doing something important for them. CTOs, CIOs, VPs, EVPs, etc., people in high positions, want both but can never find the sweet middle ground that works for all of them.
  • JoJoCal19 (Mod, Posts: 2,835)
    Same as TheFORCE, I've got a bit to say as I've worked on both the GRC and am now in the technical side of security. I'll post more later. One quick thing, with the technical side, it takes a lot more dedication to continually learning new things and keeping up with everything going on. Technical changes at a much faster pace than on the non-technical side.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • philz1982 (Member, Posts: 978)
    I'm gonna hijack the thread and add some other options:
    1. Integration Security SME (someone who is focused on making sure that when multiple systems are brought together, the sum of these systems is still secure)
    2. Software security champion (someone who isn't a coder but works with coders to introduce security into the SDLC)
    3. Pre-sales security (an SME who works to design system plans, evaluates security, recommends products/solutions, and speaks at industry events)
  • the_Grinch (Member, Posts: 4,165)
    I work in both and it is definitely an interesting question. Depending on the day I will probably go with the policy side of the house. Very nice to be the person who says "you need to meet x, y, and z requirements" and then let them hash out the finer details on getting it done. In my position we have to work in generalities because the technology changes so rapidly. As an example, a reg was written that said all remote access had to be performed via a dial-in connection. When it was originally written that was the latest and greatest technology. But 20 years later it was hurting the businesses that had to follow the regulation. Changing a reg is a giant pain and is typically a lengthy process that all involved would rather not go through. That being said, when you sit with a team of lawyers and work through the language to make a needed regulation happen it can be pretty amazing.

    On the technical side, there is little better than solving a hard problem. To spend hours looking at code or error logs looking for that one thing that will be the difference between success and failure is something that I personally enjoy. Also, if you are lucky enough to be on the investigative side, it is truly awesome weeding through massive amounts of data to see where the compromise occurred, how they did it, the indicators that should have been picked up, and what might have been taken. It's a slow process, but it is amazing to paint the picture with logs and say "this is where it started and what they got."

    Ultimately, I tend to think I'd start in the technical realm and then move to the policy world. I enjoy performing audits and making determinations on how things are done. Plus it's nice to see the why of a policy. For a long period of time I was in the "how to do it" side of the policy. People with little or no technical background making decisions that didn't quite make sense, but having no say in it. Now to be on the why and being able to shape that reg/policy is a world of difference.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • UnixGuy (Mod, Posts: 4,570)
    Great responses everyone!!!

    So the real question for me is...Do you think it's smarter for me to cert up and try to work more on the policy side or the technical side?

    I feel that the policy side can lead more to leadership positions and less oncall/after hours. While the positive of technical side is there is plenty of work available and an opportunity to freelance/contract..oh wait, you can do that with policy too!
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • UnixGuy (Mod, Posts: 4,570)
    philz1982 wrote: »
    I'm gonna hijack the thread and add some other options:
    1. Integration Security SME (someone who is focused on making sure when multiple systems are brought together that the sum of these systems are still secure)
    2. Software security champion (someone who isn't a coder but works with coders to introduce security into the SDLC)
    3. Pre-sales security (an SME who works to design system plans, evaluates security, recommends products/solutions, and speaks at industry events)


    Excellent list with plenty of opportunity there!
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • renacido (Member, Posts: 387)
    In my experience working on both sides, good infosec pros understand both sides well...compliance and audit need to understand not just the laws and regulations but the threat environment and effective countermeasures technical and non-technical. Technical infosec pros need to understand the "why" not just the "what" of security controls and policies to find the best solutions to meet the intent, not just the letter of the laws and controls. Both sides need to keep security against threats the overall goal not just compliance. Simple compliance is half-assed security and so is non-compliance. The rules are there for good reason but only a fool thinks they're comprehensive enough no matter how draconian the users may think they are.

    The career path to policy jobs usually comes through security operations management or security auditing. You won't go from say network security admin or SOC analyst into identifying which NIST, HIPAA, PCI, SOX, NERC, ISO27002 controls apply and how you will satisfy and audit them.
  • renacido (Member, Posts: 387)
    Pros and cons of each depend much on your particular interests.

    A policy-oriented job will find you in lots of meetings with not just IT but with execs and process owners (managers from the business units), researching a ton on security frameworks, regulations, and best practices, and most likely you'll be auditing to ensure that the policies and controls are being met. The best cert I can recommend in this arena is CISA, and then CISSP and CISM. Policy consultants (external auditors, gap analysts, etc.) may or may not be highly experienced (I've seen guys with 25 years of experience and I've seen total freshers who somehow got a CISSP with no experience in these jobs). In-house security program managers and security auditors who work within a company or organization are almost always seasoned auditors or mid-to-high-level infosec managers. Expect lots of conflict with IT operations over your being up in their business and requiring that they don't do stupid things (default passwords, use untested **** freeware, unsecured remote access for convenience, etc.) and that they add security provisions to their infrastructure (stronger encryption, PKI, two-factor authentication, data/log retention, audit/vulnerability remediations, privilege use monitoring, Common Criteria/EAL, etc.). Expect flak from execs and users over security measures that detract from usability (policies and security measures that they see as an unnecessary restriction on personal liberty or privilege, or just a PITA). Getting executive buy-in is an absolute must-have skill for this position, as is the ability to stand your ground and call a spade a spade when someone is not complying. Soft skills are very useful and, unfortunately, not many in these positions have them. Another MUST HAVE for this is the ability to do a proper risk assessment and provide a business analysis for policies or controls that are necessary for security but not mandated by regulators.

    Technical infosec roles (in-house staff, not consultants) find you constantly dealing with technical problems in an almost constantly resource-constrained environment. You'll be in a constant spy-vs-spy battle with those attacking your network and at the same time playing whack-a-mole with the insider threats, mainly the users of your network who think their desire to torrent pirated movies, download hard-core ****, or VPN to their Plex server at home outweighs the necessity of your network security perimeter. At the same time, IT Operations will resist your attempts to harden or even assess security (vulnerability scans and internal pentesting) unless you get their manager's buy-in; you can win them over, but you need those soft skills again, along with solid metrics and threat intelligence. Expect to be constantly studying, training, researching threats and countermeasures, and updating your tech skills to keep pace with new OSes, new appliances, new cloud/virtual/mobile everything. And of course you'll be constantly researching advances in attack methods, exploits, malware, vulnerabilities, etc. Or rather, you SHOULD be. Consultants generally don't have to deal with the politics within the organization; they just color within the lines as directed by the client. And depending on the situation, market, and skillset, consultants can make a good deal more money. But it's not a stable gig where you work and invest and develop long-term relationships and see large efforts through, and of course there is a lot of satisfaction in those things.

    There's a lot to love in each... more to love in one or the other based on your personality and interests. A fundamental understanding of both is required to be a good infosec practitioner.
  • the_Grinch (Member, Posts: 4,165)
    I had a buddy put it to me this way. You can be the greatest RHCE in the world, eventually you will max out and go no further. It's the policy side of the house that leads to higher salaries and higher up the ladder. So being technical in the beginning will put you in an excellent place for the policy side of things and that is where ultimately the money will be. That's my two cents.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • philz1982 (Member, Posts: 978)
    I would just challenge everyone here to think outside the box. I know first hand that with hard work you can completely bypass traditional "paths". Look, I didn't know what a subnet was before 2012 and now I am running the EA practice for a Fortune 100 (building some of the most complex Layer 1 to 7 designs out there) and building integrations using C#, .NET, and various other languages; add to the top of this that I am conducting the IT audits and RAs for our partners' software. I do not say this to brag but rather to challenge.

    You don't have to do the ops path; it makes me cringe thinking of folks sitting in a SOC, or doing analyst work, because they think they have to do that in order to get into infosec. All you need is the persistence to stay up until midnight each night reading, studying, going to school, volunteering to do testing for non-profits, etc. Hard work will beat talent and experience almost every time.

    Look, in 2007 I was replacing air filters and programming air conditioning units and now here I am. You can do it as well, you do not need to take the traditional path!

    Look, get the certs, get the education, volunteer to build your skills. You will pass up the others who don't work as hard as you!

    Now let me say, if you like working in a SOC or as an analyst, more power to you, there is NOTHING wrong with that, but I want folks to know you don't have to follow the NOC -> SOC -> etc. path...
  • renacido (Member, Posts: 387)
    philz1982 wrote: »
    I would just challenge everyone here to think outside the box. I know first hand that with hard work you can completely bypass traditional "paths". Look, I didn't know what a subnet was before 2012 and now I am running the EA practice for a Fortune 100 (building some of the most complex Layer 1 to 7 designs out there) and building integrations using C#, .NET, and various other languages; add to the top of this that I am conducting the IT audits and RAs for our partners' software. I do not say this to brag but rather to challenge.

    You don't have to do the ops path; it makes me cringe thinking of folks sitting in a SOC, or doing analyst work, because they think they have to do that in order to get into infosec. All you need is the persistence to stay up until midnight each night reading, studying, going to school, volunteering to do testing for non-profits, etc. Hard work will beat talent and experience almost every time.

    Look, in 2007 I was replacing air filters and programming air conditioning units and now here I am. You can do it as well, you do not need to take the traditional path!

    Look, get the certs, get the education, volunteer to build your skills. You will pass up the others who don't work as hard as you!

    Now let me say, if you like working in a SOC or as an analyst, more power to you, there is NOTHING wrong with that, but I want folks to know you don't have to follow the NOC -> SOC -> etc. path...

    You can certainly do as you appear to have done and come to infosec from a different angle. Security operations is one of many disciplines of infosec. You appear to have come from a background of software engineering for industrial automation systems. That's the impression I get from your LinkedIn anyway :). And it appears you saw opportunity and became a security SME in that space. Studied TOGAF, got a couple of other certs to make you marketable as a consultant for EA and RA. Very cool and bravo, sir.

    Most guys don't find themselves in an industry with specialized institutional knowledge that is suddenly at risk of being hacked. Those who are will find themselves with a golden opportunity provided they realize it and work hard, as you did. Anyone working with industrial control systems (SCADA, PCD, etc) I hope you're reading this, if you are get your ducks in a row because if you know how to prevent the variants of Stuxnet and other similar attacks from compromising those systems you'll be in very high demand in the next 5-10 years if not sooner.

    Most companies depend heavily on "traditional enterprise IT" and there is a massive shortage in trained and experienced security analysts to deal with the ever-increasing and ever-evolving threats.

    Security operations may not pay as well as sales engineering or consulting, but for those with a passion for security who can afford to live on a salary in the low six figures like I do, running sec ops is not a bad job. But we need smart people in the other areas of infosec too, as many as we can get. Go where your interest and opportunity take you, and whatever that may be, do it with excellence.
  • philz1982 (Member, Posts: 978)
    And that is exactly what I have done, however, I would challenge that ICS is the only sector. Take a look at this http://www.shodanhq.com/search?q=tridium

    Tridium is one of the more popular building automation systems (BAS) on the market, and there are 1,500 exposed live systems, many of which are running a software version that is vulnerable to CVE-2012-4701 (directory traversal vulnerability in Tridium Niagara AX 3.5, 3.6, and 3.7 allows remote attackers to read sensitive files). Heck, the first Tridium system that comes up in the search is 3.6.50.1 and belongs to a large school system.

    All you infosec folks are guarding your firewalls and watching your IPS/IDS, while attackers can exploit dual-homed, publicly exposed machines that have serious privilege escalation issues and, to make it worse, are normally excluded from IPS/IDS because no traffic signatures exist for malicious data.

    A BAS can be in a school, office building, stadium, airport, it's not just industrial sites.
  • the_Grinch (Member, Posts: 4,165)
    philz nailed it on the head. One of the largest issues I see is that the traditional training does not prepare you for the real world. Heck, I even go as far as to say that the corporate world and experience doesn't prepare you. I am fortunate that I have a few friends at (or formerly with) some three letter agencies. These guys are seeing things that haven't hit the mainstream yet. When they say they are 10 years ahead of the curve they are really more like 15 years (if not more). If your goal is security start reviewing as much material on APT (their methods) so that you can see how to detect them. Anymore you need to think "I'm already compromised" now how do I find out where and what they have.

    I'd point out that if a company like Kaspersky can literally be spied on for months (if not longer) without their knowledge, then we know that an IDS or IPS isn't going to save you. Hunt teams are where this industry is going. Google started one awhile ago and the financial industry is following suit. Former govies are being gobbled up for their knowledge. Read the Duqu 2.0 analysis and you'll see what you're up against.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • philz1982 (Member, Posts: 978)
    Lol,

    As I dig deeper, Rutgers, USC, and U of Rhode Island (**** man, that's just the first page) are all running antiquated control systems that allow you to utilize CVE-2012-4701 (directory traversal vulnerability in Tridium Niagara AX 3.5, 3.6, and 3.7 allows remote attackers to read sensitive files) to grab their login credentials. Oh, schnap, that's really nasty: USC's system is a Phoenix system. Phoenix is a lab ventilation system used to control lab airflow. Man, what kind of nastiness could someone cause if they used CVE-2012-4701 to compromise that system?

    Do you think I should contact these Universities and tell them that they might want to upgrade their systems?

    -Phil
  • philz1982 (Member, Posts: 978)
    This is an interesting one:

    Showing results 1 - 1 of 1
    205.204.171.75
    Commonwealth of Kentucky, Department of Information
    Added on 2015-05-13 17:42:12 GMT
    United States, Frankfort
    Details

    Instance ID: 1000
    Object Name: WinchesterOET_1000
    Location: unknown
    Vendor Name: Tridium
    Application Software: Tridium 3.2.16
    Firmware: 3.2.16
    Model Name: NiagaraAX Station
    Description: Local BACnet Device object
  • renacido (Member, Posts: 387)
    Phil, yeah contacting the exposed entities would be the "white hat" thing to do. Or you could put on a grey hat and send them a proposal to remediate the vulnerability for the appropriate fee.
  • philz1982 (Member, Posts: 978)
    I like money, but I also really do want to improve the security of my sector. I think I'll draft up an email and shoot it over to a few of these places.

    -Phil
  • renacido (Member, Posts: 387)
    Looking at Shodan is like taking the red pill. And I absolutely agree that there are some huge security holes in places most people wouldn't dare to or be capable of contemplating.

    Maybe I should walk away from my corporate gig and get paid hardening the entry control systems at the local police stations and sewage treatment plants?

    No, IPS doesn't save anyone. But if we didn't have them, we'd sure as hell need them. Besides, the tools are only as good as the people employing them.
  • renacido (Member, Posts: 387)
    Before you slam those of us who stare at IDS ;) keep in mind that the threats you deal with in your sector in your environment are not universal. In my world IPS is essential to protecting our assets from the threats we face, though it is far from the only tool and traffic analysis is just one of many activities we do.
  • renacido (Member, Posts: 387)
    philz1982 wrote: »
    I like money, but I also really do want to improve the security of my sector. I think I'll draft up an email and shoot it over to a few of these places.

    -Phil

    If they're smart they'll send you an RFP anyway :)
  • philz1982 (Member, Posts: 978)
    Not intending to slam anyone, just stating that quite a few infosec SOCs use firewalls and IPS as the main perimeter, not knowing that BAS systems which can bypass their security are in every building larger than 30k sq ft. My goal is simply to share the knowledge of what I know and to carve out a niche for myself as the ICS/BAS Security Guru.
  • renacido (Member, Posts: 387)
    I fundamentally agree with you on how people often get a false sense of security by relying on the tools or compliance with some regulations (not just in the SOC by the way, CISOs and auditors can be the worst offenders).

    You have me intrigued. My company doesn't have much exposure via publicly-facing systems of any kind (remote network access notwithstanding) but now I'm going to give it a closer look to be sure. We keep the attack surface very small but a deeper dive won't hurt. Thanks. :)
  • philz1982 (Member, Posts: 978)
    renacido wrote: »
    I fundamentally agree with you on how people often get a false sense of security by relying on the tools or compliance with some regulations (not just in the SOC by the way, CISOs and auditors can be the worst offenders).

    You have me intrigued. My company doesn't have much exposure via publicly-facing systems of any kind (remote network access notwithstanding) but now I'm going to give it a closer look to be sure. We keep the attack surface very small but a deeper dive won't hurt. Thanks. :)

    No worries,

    What I often see is that it's not even the fault of the IT group. Facilities will go and set up a system and will sneak it in somehow, sometimes dual-homing the system through the public WiFi. I've literally seen clients bypass IT by building their own Zigbee networks in the 2.4 15/20 channel gap.
  • renacido (Member, Posts: 387)
    philz1982 wrote: »
    No worries,

    What I often see is that it's not even the fault of the IT group. Facilities will go and set up a system and will sneak it in somehow, sometimes dual-homing the system through the public WiFi. I've literally seen clients bypass IT by building their own Zigbee networks in the 2.4 15/20 channel gap.

    Good point. We call that "shadow IT" and we have to maintain constant vigilance to find that sort of thing and mitigate the vulnerabilities that come with it.
  • philz1982 (Member, Posts: 978)
    Oh, you also have to watch out for the smaller BAS installers. They will go and get an internet connection set up by a local cable/DSL company and connect it to a dual-homed BAS, and unless you're running SNMP traps on the BAS servers you'd never see it, as most IDS/IPS don't track internal BAS data flows.
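The blind spot the last few posts describe (a facilities-installed BAS with its own ISP uplink, dual-homed between the building network and the outside, that perimeter IDS/IPS never sees, and the "shadow IT" that has to be hunted for continually) is the kind of thing a plain inventory reconciliation catches. The script below is an added example, not code from this thread or from any product named in it; it assumes an interface list has already been collected by some other means (an SNMP ipAddrTable walk, a CMDB export), and every hostname, address and range in it is constructed.

```python
"""Reconcile discovered host interfaces against an approved asset inventory.

Added example (not from the thread). Flags the cases the posts describe:
  - a device no one registered with IT ("shadow IT"),
  - a device with an interface outside the approved address space (an
    installer's own cable/DSL uplink),
  - a device that bridges the BAS segment and another network (dual-homed).
Input is a constructed snapshot of what an SNMP ipAddrTable walk or a CMDB
export might return; all hosts, names, and addresses below are made up.
"""
import ipaddress
from dataclasses import dataclass

# Assumed approved address space and the segment the BAS is supposed to live on.
APPROVED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
BAS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")

# Constructed inventory: hostname -> set of interface addresses registered with IT.
INVENTORY = {
    "bas-jace-01": {"10.50.1.10"},
    "hvac-srv-02": {"10.50.1.20"},
    "fileserver": {"10.10.5.5"},
}

# Constructed discovery snapshot (what an SNMP ipAddrTable walk might return).
DISCOVERED = {
    "bas-jace-01": ["10.50.1.10"],                  # matches inventory
    "hvac-srv-02": ["10.50.1.20", "203.0.113.47"],  # installer's ISP uplink (TEST-NET-3 address)
    "lab-vent-ctl": ["10.50.2.7", "192.168.88.3"],  # never registered, and dual-homed
    "fileserver": ["10.10.5.5"],
}


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


def _in_approved(addr):
    """True if the address falls inside any approved corporate range."""
    return any(addr in net for net in APPROVED_RANGES)


def reconcile(inventory, discovered):
    """Compare discovered interfaces with the inventory and return a list of Findings."""
    findings = []
    for host, addrs in discovered.items():
        ips = [ipaddress.ip_address(a) for a in addrs]
        if host not in inventory:
            findings.append(Finding(host, "unregistered", f"not in inventory: {sorted(addrs)}"))
        else:
            extra = sorted(set(addrs) - inventory[host])
            if extra:
                findings.append(Finding(host, "unexpected-interface", f"addresses not registered: {extra}"))
        outside = [str(ip) for ip in ips if not _in_approved(ip)]
        if outside:
            findings.append(Finding(host, "external-uplink", f"addresses outside approved space: {outside}"))
        on_bas = any(ip in BAS_SEGMENT for ip in ips)
        off_bas = any(ip not in BAS_SEGMENT for ip in ips)
        if on_bas and off_bas:
            findings.append(Finding(host, "dual-homed", "bridges BAS segment and another network"))
    # Hosts in inventory but not discovered may be offline or decommissioned; report them too.
    for host in sorted(set(inventory) - set(discovered)):
        findings.append(Finding(host, "missing", "in inventory but not discovered"))
    return findings


def by_host(findings):
    """Group finding kinds per host, sorted, for easy review or assertion."""
    out = {}
    for f in findings:
        out.setdefault(f.host, []).append(f.kind)
    return {h: sorted(kinds) for h, kinds in out.items()}


if __name__ == "__main__":
    for f in reconcile(INVENTORY, DISCOVERED):
        print(f"{f.host:14} {f.kind:21} {f.detail}")
```

Run as-is, it reports three findings for `hvac-srv-02` (an unregistered interface that is also outside the approved space and makes the box dual-homed) and two for `lab-vent-ctl`, while the two correctly registered hosts stay quiet. The point of keeping three separate checks rather than one is that each maps to a different fix: the unregistered device needs an owner, the external uplink needs to go, and the dual-homed host needs its second interface removed or firewalled regardless of whether it was registered.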
  • UnixGuy (Mod, Posts: 4,570)
    Excellent input guys!

    Just so we can make it practical for me and everyone else who might read this thread, what practical steps should I take?

    Get another degree? But we know that academia can be detached from reality.

    Stay in SOC? Move away from SOC?

    Cert up? What certs? More policy oriented certs (CISM/CISA/CISSP) or More technical ones (OSCP, GPEN,..) ? Or Both?

    Get experience in which area? Or just get experience with whatever you can?

    Work for vendors? financial institution? Government? 3-letter govt organizations? Best places to get the right experience?

    Contracting and job hopping every few months?

    I know this is hard to summarise, but I think we can come up with something here. A concrete action plan.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • philz1982 (Member, Posts: 978)
    UnixGuy wrote: »
    Excellent input guys!

    Just so we can make it practical for me and everyone else who might read this thread, what practical steps should I take?

    Get another degree? But we know that academia can be detached from reality.

    Stay in SOC? Move away from SOC?

    Cert up? What certs? More policy oriented certs (CISM/CISA/CISSP) or More technical ones (OSCP, GPEN,..) ? Or Both?

    Get experience in which area? Or just get experience with whatever you can?

    Work for vendors? financial institution? Government? 3-letter govt organizations? Best places to get the right experience?

    Contracting and job hopping every few months?

    I know this is hard to summarise, but I think we can come up with something here. A concrete action plan.

    Well brother, what do you want to do? Which area do you want to go into? Tell me that and I will tell you a plan. The more specific the better.

    I want to be working at a X company in X years doing X role making X $, working from X, on X.

    Is better than I like Pentesting.
  • UnixGuy (Mod, Posts: 4,570)
    To rephrase: doing more policy work vs. doing more technical work, which one leads to better career prospects, leadership, and freedom (time management)? And if working on the technical side, the policy side, or both, what's the best way to approach that? I know it's general, but I think it'll benefit a lot of people reading this.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • Mike-Mike (Member, Posts: 1,860)
    UnixGuy wrote: »
    To rephrase: doing more policy work vs. doing more technical work, which one leads to better career prospects, leadership, and freedom (time management)? And if working on the technical side, the policy side, or both, what's the best way to approach that? I know it's general, but I think it'll benefit a lot of people reading this.

    My plan is to do technical work to learn the mechanics, then move on to policy work. I think that has the higher ceiling.
    Currently Working On

    CWTS, then WireShark
  • UnixGuy (Mod, Posts: 4,570)
    @Mike-Mike: Solid plan. I think I've got a nice plan for myself now. I'll post a thread about my next step. I will work on a strong foundation in pentesting and forensics, and take it from there!
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 
