Information Security Lessons Learned

dustervoice

Hi All, I'm interested in knowing what are some the major lessons you've learned being in the field for some time. I'll list a few of mine.

1. Never make assumptions or jump to conclusions too early without understanding business requirements.
- I've had an experience where i needed to give advice on a remote access systems and the current process the company had in place was shocking at first; i almost fell off my chair when i was told how the company allowed VPN access. However, when someone explained to me the reason why its done that way then it all made sense and it wasn't that bad after all.

2. Learning how to prioritize Risks.
- My first few years in infosec, i wanted to remediate all vulnerabilities within the company. only to speak to senior managers about them and find out not everything is a big deal.

3. Never say NO!
- My first reactions to users request to connect devices, new software solutions, etc was no as i considered the security risks too high. after a few months, i realized that users will connect those devices or install the application anyway creating (shadow IT) so now I just say YES and work together to find a way to do it securely.

4. Make Security Personal
- Users will never take security serious if you don't make it personal. communicating security matters as a business/organization interest will go through one ear and come out the other. Tell them don't click on unknown links because it will empty out their bank accounts or reduce pension to a few pennies then they will get the point.

JoJoCal19

Learn Linux
Not learning linux earlier in my career has handicapped me late in my career. It seems there's always at least one Linux box. There's also a lot of security tools that are Linux based. As well, some major vendors' products require Linux boxes. And also a lot of cloud security and security engineering roles require it. So now I'm actually studying for the Linux+.

Mike7

People, Process, Technology
Infosec is not just technology.
Understand the company culture, business priorities, and risk appetite.

Acceptable Risk
Your objective is not to eliminate risk. It is to reduce risk to acceptable level.
To do this, refer to previous point.

dustervoice

JoJoCal19 wrote: »

Learn Linux
.

Linux is quite popular here in the UK mainly (Redhat, Ubuntu) but now im seeing a bit of Suse in the mix. I was shocked when i first moved here to find out so many companies run their infrastructure on that platform. I thought it was only an OS that geeks played around with.

TeKniques

JoJoCal19 wrote: »

Learn Linux
Not learning linux earlier in my career has handicapped me late in my career. It seems there's always at least one Linux box. There's also a lot of security tools that are Linux based. As well, some major vendors' products require Linux boxes. And also a lot of cloud security and security engineering roles require it. So now I'm actually studying for the Linux+.

Yes, 100% ... I remember my first IT job, it was heavy Unix based (FreeBSD mostly) and I had 0 experience with it. My IT Manager at the time told me "you really need to learn Linux, it was my first OS and you learn more about how computers really work". I blew that off and went and got my MCSE instead. Fast forward 12 years later and my current Security Engineer role is a TON of Linux. So ... add me to that lessons learned crowd

wes allen

Learn how to do simple scripting with Python and PowerShell. Learn Powershell in and of itself as well.

Learn how APIs/REST/JSON/XML work.

Learn how to use / represent data in a meaningful way with charts and tables.

Work toward defensible vs. "secure".

636-555-3226

Stock Up
Our infrastructure is way more fragile than anybody knows. An accident, pissed off knowledgeable kid, or a very mean nation-state can ruin your life very easily if they ever wanted to. Most likely threat vectors arethe person on the other end (who might work for that nation state) accidentally hits the wrong button or is mad his girlfriend just broke up with him and wants to destroy the world. If that happens, and hope it never does, 50% of the people you know will be dead within 90 days and 80% within a year.

Sorry to ruin the tone of the thread, but I'm really starting to believe that the deeper I go into this world. It isn't getting better yet, that's for sure.... Let's turn that tide around!

Rumblr33

INVEST IN YOUR EMPLOYEES

This is self explanatory. The more you educate and train employees. The knowledgeable they are, the more likely your company will not be exposed to a data breach. This isn't just security professionals either.

dustervoice

636-555-3226 wrote: »

Stock Up
If that happens, and hope it never does, 50% of the people you know will be dead within 90 days and 80% within a year.

Sorry to ruin the tone of the thread, but I'm really starting to believe that the deeper I go into this world. It isn't getting better yet, that's for sure.... Let's turn that tide around!

I'm really lost here dude. What are you talking about?

TheFORCE

dustervoice wrote: »

I'm really lost here dude. What are you talking about?

He is talking about stocking up to be ready for a post -apocalyptic world lol, like get ready to live the same way people live in those movies.

dustervoice

TheFORCE wrote: »

He is talking about stocking up to be ready for a post -apocalyptic world lol, like get ready to live the same way people live in those movies.

Ok thanks now i get it.. Just to let everyone know i do have a copy of the book of Eli and an Ipod in preparation.

UnixGuy

Learning Windows.

Not even joking...I can't seem to get past 2nd round of interviews because I can't answer questions about Active Directory, MDMs, SharePoint...and other beautiful Microsoft products.

Yeah you can't win...

PJ_Sneakers

Keep your skill set relevant, no matter what. That one bit me hard.

dustervoice

UnixGuy wrote: »

Learning Windows.

Not even joking...I can't seem to get past 2nd round of interviews because I can't answer questions about Active Directory, MDMs, SharePoint...and other beautiful Microsoft products.

Yeah you can't win...

Yes because 90% of vulnerabilities in IT solutions are found in Microsoft products!:D

GSXR750K2

wes allen wrote: »

Learn Powershell in and of itself as well.

I remember looking at it when it first came out and thought "meh". Now I use it every day and wonder how much time it would have saved me these past eight years or so.

ITSpectre

Learn to build on the basics. Don't be afraid to step out of your comfort zone and try something new related to the field. Keep one foot in the door and the other one out... Pay no attention to those that do not uplift you, encourage you, or inspire you... because misery loves company... and most importantly....

Never step away from your PC without locking it... you will be the joke of the office for a day

ITSpectre

dustervoice wrote: »

Yes because 90% of vulnerabilities in IT solutions are found in Microsoft products!:D

Computers are like air conditioners..... they stop working if you open windows!!!!

ba dum dissssssss

GSXR750K2

ITSpectre wrote: »

Never step away from your PC without locking it... you will be the joke of the office for a day

We played a prank many years ago on a guy at work once who went to smoke and didn't lock his computer. Took a screenshot of his desktop and made it his background then deleted many of the commonly used shortcuts on his desktop.

He finally had to ask if anyone else had noticed that only some of their desktop icons worked.

Remedymp

GSXR750K2 wrote: »

We played a prank many years ago on a guy at work once who went to smoke and didn't lock his computer. Took a screenshot of his desktop and made it his background then deleted many of the commonly used shortcuts on his desktop.

He finally had to ask if anyone else had noticed that only some of their desktop icons worked.

One place I worked used CCTV to correct this "CTRL-ALT-DEL" game that many like to play.

GSXR750K2

Remedymp wrote: »

One place I worked used CCTV to correct this "CTRL-ALT-DEL" game that many like to play.

It was when I worked at Walmart's ISD. Lots of CCTV, but just too much real estate to watch everything. Plus it taught the guy a valuable lesson in policy compliance.

beads

@dustervoice;

dustervoice wrote: »

3. Never say NO!
- My first reactions to users request to connect devices, new software solutions, etc was no as i considered the security risks too high. after a few months, i realized that users will connect those devices or install the application anyway creating (shadow IT) so now I just say YES and work together to find a way to do it securely.

I disagree but with clarification. Feel free to say no when merited. There is nothing to saying yes to everything without thought or reason. For example. "I agree. We should never update Cisco firmware because no one is trying to hack those boxes..." Wrong. Or yes, you should be able to surf every questionable if not down illegal site you want. Child p? Sure! Have at it.

My most basic rule is and has been for many years is that if it makes me an accessory to a crime - its either not happening or its being reported to the appropriate authorities.

Also learn to be discrete when dealing with your census or end user population. You develop a reputation over time and its easily destroyed by simply gossiping with the wrong person at the wrong time. Blow steam off to your security co-worker whose in the know or your spouse but never a non-security employee. I have seen people destroy themselves doing silly things like this over the years and end up leaving an organization because no one trusts that person.

In security your reputation is your honor.

Good idea for a thread though.

- b/eads

fullcrowmoon

Always be prepared before talking to your users. You not only have to understand what's going on and why it's important (which, obviously, you do because you're the security guy), but you have to be able to explain it in terms that your users can understand and fit into their world view. It really doesn't do any good to shriek "DON'T CLICK THE THING!" if they don't understand why THE THING is a big deal. It requires some creativity to get users invested enough in security to actually stop doing stupid things.

dustervoice

Thanks for all the response here.