
Information Security Lessons Learned

dustervoice Member Posts: 877 ■■■■□□□□□□
Hi All, I'm interested in knowing what are some of the major lessons you've learned being in the field for some time. I'll list a few of mine.

1. Never make assumptions or jump to conclusions too early without understanding business requirements.
- I've had an experience where I needed to give advice on a remote access system, and the current process the company had in place was shocking at first; I almost fell off my chair when I was told how the company allowed VPN access. However, when someone explained to me the reason why it's done that way, it all made sense and it wasn't that bad after all.

2. Learning how to prioritize risks.
- In my first few years in infosec, I wanted to remediate all vulnerabilities within the company, only to speak to senior managers about them and find out not everything is a big deal.

3. Never say NO!
- My first reaction to users' requests to connect devices, new software solutions, etc. was no, as I considered the security risks too high. After a few months, I realized that users will connect those devices or install the application anyway, creating shadow IT, so now I just say YES and work together to find a way to do it securely.

4. Make Security Personal
- Users will never take security seriously if you don't make it personal. Communicating security matters as a business/organization interest will go in one ear and come out the other. Tell them not to click on unknown links because it will empty out their bank accounts or reduce their pension to a few pennies; then they will get the point.

Comments

    JoJoCal19 Mod Posts: 2,835 Mod
    Learn Linux
    Not learning Linux earlier in my career has handicapped me late in my career. It seems there's always at least one Linux box. There's also a lot of security tools that are Linux-based. As well, some major vendors' products require Linux boxes. And also a lot of cloud security and security engineering roles require it. So now I'm actually studying for the Linux+.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
    Mike7 Member Posts: 1,107 ■■■■□□□□□□
    People, Process, Technology
    Infosec is not just technology.
    Understand the company culture, business priorities, and risk appetite.

    Acceptable Risk
    Your objective is not to eliminate risk. It is to reduce risk to an acceptable level.
    To do this, refer to previous point.
    dustervoice Member Posts: 877 ■■■■□□□□□□
    JoJoCal19 wrote: »
    Learn Linux

    Linux is quite popular here in the UK, mainly Red Hat and Ubuntu, but now I'm seeing a bit of SUSE in the mix. I was shocked when I first moved here to find out so many companies run their infrastructure on that platform. I thought it was only an OS that geeks played around with.
    TeKniques Member Posts: 1,262 ■■■■□□□□□□
    JoJoCal19 wrote: »
    Learn Linux
    Not learning Linux earlier in my career has handicapped me late in my career. It seems there's always at least one Linux box. There's also a lot of security tools that are Linux-based. As well, some major vendors' products require Linux boxes. And also a lot of cloud security and security engineering roles require it. So now I'm actually studying for the Linux+.

    Yes, 100% ... I remember my first IT job, it was heavily Unix-based (FreeBSD mostly) and I had 0 experience with it. My IT Manager at the time told me "you really need to learn Linux, it was my first OS and you learn more about how computers really work". I blew that off and went and got my MCSE instead. Fast forward 12 years later and my current Security Engineer role is a TON of Linux. So ... add me to that lessons-learned crowd :)
    wes allen Member Posts: 540 ■■■■■□□□□□
    Learn how to do simple scripting with Python and PowerShell. Learn PowerShell in and of itself as well.

    Learn how APIs/REST/JSON/XML work.

    Learn how to use / represent data in a meaningful way with charts and tables.

    Work toward defensible vs. "secure".
    636-555-3226 Member Posts: 975 ■■■■■□□□□□
    Stock Up
    Our infrastructure is way more fragile than anybody knows. An accident, a pissed-off knowledgeable kid, or a very mean nation-state can ruin your life very easily if they ever wanted to. The most likely threat vectors are the person on the other end (who might work for that nation-state) accidentally hitting the wrong button, or being mad that his girlfriend just broke up with him and wanting to destroy the world. If that happens, and I hope it never does, 50% of the people you know will be dead within 90 days and 80% within a year.

    Sorry to ruin the tone of the thread, but I'm really starting to believe that the deeper I go into this world. It isn't getting better yet, that's for sure.... Let's turn that tide around!
    Rumblr33 Member Posts: 99 ■■□□□□□□□□
    INVEST IN YOUR EMPLOYEES

    This is self-explanatory. The more you educate and train employees, the more knowledgeable they are, and the more likely it is that your company will not be exposed to a data breach. This isn't just security professionals either.
    dustervoice Member Posts: 877 ■■■■□□□□□□
    Stock Up
    If that happens, and hope it never does, 50% of the people you know will be dead within 90 days and 80% within a year.

    Sorry to ruin the tone of the thread, but I'm really starting to believe that the deeper I go into this world. It isn't getting better yet, that's for sure.... Let's turn that tide around!

    I'm really lost here dude. What are you talking about? :)
    TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    I'm really lost here dude. What are you talking about? :)

    He is talking about stocking up to be ready for a post-apocalyptic world lol, like get ready to live the same way people live in those movies.
    dustervoice Member Posts: 877 ■■■■□□□□□□
    TheFORCE wrote: »
    He is talking about stocking up to be ready for a post-apocalyptic world lol, like get ready to live the same way people live in those movies.
    Ok thanks, now I get it. Just to let everyone know, I do have a copy of The Book of Eli and an iPod in preparation. :)
    UnixGuy Mod Posts: 4,564 Mod
    Learning Windows.

    Not even joking...I can't seem to get past 2nd round of interviews because I can't answer questions about Active Directory, MDMs, SharePoint...and other beautiful Microsoft products.

    Yeah you can't win...
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

    PJ_Sneakers Member Posts: 884 ■■■■■■□□□□
    Keep your skill set relevant, no matter what. That one bit me hard.
    dustervoice Member Posts: 877 ■■■■□□□□□□
    UnixGuy wrote: »
    Learning Windows.

    Not even joking...I can't seem to get past 2nd round of interviews because I can't answer questions about Active Directory, MDMs, SharePoint...and other beautiful Microsoft products.

    Yeah you can't win...

    Yes because 90% of vulnerabilities in IT solutions are found in Microsoft products!:D
    GSXR750K2 Member Posts: 323 ■■■■□□□□□□
    wes allen wrote: »
    Learn PowerShell in and of itself as well.

    I remember looking at it when it first came out and thought "meh". Now I use it every day and wonder how much time it would have saved me these past eight years or so.
    ITSpectre Member Posts: 1,040 ■■■■□□□□□□
    Learn to build on the basics. Don't be afraid to step out of your comfort zone and try something new related to the field. Keep one foot in the door and the other one out... Pay no attention to those that do not uplift you, encourage you, or inspire you... because misery loves company... and most importantly....

    Never step away from your PC without locking it... you will be the joke of the office for a day
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
    ITSpectre Member Posts: 1,040 ■■■■□□□□□□
    Yes because 90% of vulnerabilities in IT solutions are found in Microsoft products!:D

    Computers are like air conditioners..... they stop working if you open windows!!!!

    ba dum dissssssss
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
    GSXR750K2 Member Posts: 323 ■■■■□□□□□□
    ITSpectre wrote: »
    Never step away from your PC without locking it... you will be the joke of the office for a day

    We played a prank many years ago on a guy at work once who went to smoke and didn't lock his computer. Took a screenshot of his desktop and made it his background then deleted many of the commonly used shortcuts on his desktop.

    He finally had to ask if anyone else had noticed that only some of their desktop icons worked. :)
    Remedymp Member Posts: 834 ■■■■□□□□□□
    GSXR750K2 wrote: »
    We played a prank many years ago on a guy at work once who went to smoke and didn't lock his computer. Took a screenshot of his desktop and made it his background then deleted many of the commonly used shortcuts on his desktop.

    He finally had to ask if anyone else had noticed that only some of their desktop icons worked. :)

    One place I worked used CCTV to correct this "CTRL-ALT-DEL" game that many like to play.
    GSXR750K2 Member Posts: 323 ■■■■□□□□□□
    Remedymp wrote: »
    One place I worked used CCTV to correct this "CTRL-ALT-DEL" game that many like to play.

    It was when I worked at Walmart's ISD. Lots of CCTV, but just too much real estate to watch everything. Plus it taught the guy a valuable lesson in policy compliance. :)
    beads Member Posts: 1,531 ■■■■■■■■■□
    @dustervoice;

    3. Never say NO!
    - My first reaction to users' requests to connect devices, new software solutions, etc. was no, as I considered the security risks too high. After a few months, I realized that users will connect those devices or install the application anyway, creating shadow IT, so now I just say YES and work together to find a way to do it securely.

    I disagree, but with clarification. Feel free to say no when merited. There is nothing to saying yes to everything without thought or reason. For example: "I agree. We should never update Cisco firmware because no one is trying to hack those boxes..." Wrong. Or yes, you should be able to surf every questionable if not downright illegal site you want. Child p? Sure! Have at it.

    My most basic rule is, and has been for many years, that if it makes me an accessory to a crime, it's either not happening or it's being reported to the appropriate authorities.

    Also learn to be discreet when dealing with your census or end user population. You develop a reputation over time and it's easily destroyed by simply gossiping with the wrong person at the wrong time. Blow steam off to your security co-worker who's in the know or your spouse, but never a non-security employee. I have seen people destroy themselves doing silly things like this over the years and end up leaving an organization because no one trusts that person.

    In security your reputation is your honor.

    Good idea for a thread though.

    - b/eads
    fullcrowmoon Member Posts: 172
    Always be prepared before talking to your users. You not only have to understand what's going on and why it's important (which, obviously, you do because you're the security guy), but you have to be able to explain it in terms that your users can understand and fit into their world view. It really doesn't do any good to shriek "DON'T CLICK THE THING!" if they don't understand why THE THING is a big deal. It requires some creativity to get users invested enough in security to actually stop doing stupid things.
    "It's so stimulating being your hat!"
    "... but everything changed when the Fire Nation attacked."
    dustervoice Member Posts: 877 ■■■■□□□□□□
    Thanks for all the responses here.