Information Security Lessons Learned
dustervoice
Member Posts: 877 ■■■■□□□□□□
in Off-Topic
Hi All, I'm interested in knowing what are some the major lessons you've learned being in the field for some time. I'll list a few of mine.
1. Never make assumptions or jump to conclusions too early without understanding business requirements.
- I've had an experience where i needed to give advice on a remote access systems and the current process the company had in place was shocking at first; i almost fell off my chair when i was told how the company allowed VPN access. However, when someone explained to me the reason why its done that way then it all made sense and it wasn't that bad after all.
2. Learning how to prioritize Risks.
- My first few years in infosec, i wanted to remediate all vulnerabilities within the company. only to speak to senior managers about them and find out not everything is a big deal.
3. Never say NO!
- My first reactions to users request to connect devices, new software solutions, etc was no as i considered the security risks too high. after a few months, i realized that users will connect those devices or install the application anyway creating (shadow IT) so now I just say YES and work together to find a way to do it securely.
4. Make Security Personal
- Users will never take security serious if you don't make it personal. communicating security matters as a business/organization interest will go through one ear and come out the other. Tell them don't click on unknown links because it will empty out their bank accounts or reduce pension to a few pennies then they will get the point.
1. Never make assumptions or jump to conclusions too early without understanding business requirements.
- I've had an experience where i needed to give advice on a remote access systems and the current process the company had in place was shocking at first; i almost fell off my chair when i was told how the company allowed VPN access. However, when someone explained to me the reason why its done that way then it all made sense and it wasn't that bad after all.
2. Learning how to prioritize Risks.
- My first few years in infosec, i wanted to remediate all vulnerabilities within the company. only to speak to senior managers about them and find out not everything is a big deal.
3. Never say NO!
- My first reactions to users request to connect devices, new software solutions, etc was no as i considered the security risks too high. after a few months, i realized that users will connect those devices or install the application anyway creating (shadow IT) so now I just say YES and work together to find a way to do it securely.
4. Make Security Personal
- Users will never take security serious if you don't make it personal. communicating security matters as a business/organization interest will go through one ear and come out the other. Tell them don't click on unknown links because it will empty out their bank accounts or reduce pension to a few pennies then they will get the point.
Comments
-
JoJoCal19 Mod Posts: 2,835 ModLearn Linux
Not learning linux earlier in my career has handicapped me late in my career. It seems there's always at least one Linux box. There's also a lot of security tools that are Linux based. As well, some major vendors' products require Linux boxes. And also a lot of cloud security and security engineering roles require it. So now I'm actually studying for the Linux+.Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
Mike7 Member Posts: 1,114 ■■■■■□□□□□People, Process, Technology
Infosec is not just technology.
Understand the company culture, business priorities, and risk appetite.
Acceptable Risk
Your objective is not to eliminate risk. It is to reduce risk to acceptable level.
To do this, refer to previous point. -
dustervoice Member Posts: 877 ■■■■□□□□□□Learn Linux
. -
TeKniques Member Posts: 1,262 ■■■■□□□□□□Learn Linux
Not learning linux earlier in my career has handicapped me late in my career. It seems there's always at least one Linux box. There's also a lot of security tools that are Linux based. As well, some major vendors' products require Linux boxes. And also a lot of cloud security and security engineering roles require it. So now I'm actually studying for the Linux+.
Yes, 100% ... I remember my first IT job, it was heavy Unix based (FreeBSD mostly) and I had 0 experience with it. My IT Manager at the time told me "you really need to learn Linux, it was my first OS and you learn more about how computers really work". I blew that off and went and got my MCSE instead. Fast forward 12 years later and my current Security Engineer role is a TON of Linux. So ... add me to that lessons learned crowd -
wes allen Member Posts: 540 ■■■■■□□□□□Learn how to do simple scripting with Python and PowerShell. Learn Powershell in and of itself as well.
Learn how APIs/REST/JSON/XML work.
Learn how to use / represent data in a meaningful way with charts and tables.
Work toward defensible vs. "secure". -
636-555-3226 Member Posts: 975 ■■■■■□□□□□Stock Up
Our infrastructure is way more fragile than anybody knows. An accident, pissed off knowledgeable kid, or a very mean nation-state can ruin your life very easily if they ever wanted to. Most likely threat vectors arethe person on the other end (who might work for that nation state) accidentally hits the wrong button or is mad his girlfriend just broke up with him and wants to destroy the world. If that happens, and hope it never does, 50% of the people you know will be dead within 90 days and 80% within a year.
Sorry to ruin the tone of the thread, but I'm really starting to believe that the deeper I go into this world. It isn't getting better yet, that's for sure.... Let's turn that tide around! -
Rumblr33 Member Posts: 99 ■■□□□□□□□□INVEST IN YOUR EMPLOYEES
This is self explanatory. The more you educate and train employees. The knowledgeable they are, the more likely your company will not be exposed to a data breach. This isn't just security professionals either. -
dustervoice Member Posts: 877 ■■■■□□□□□□636-555-3226 wrote: »Stock Up
If that happens, and hope it never does, 50% of the people you know will be dead within 90 days and 80% within a year.
Sorry to ruin the tone of the thread, but I'm really starting to believe that the deeper I go into this world. It isn't getting better yet, that's for sure.... Let's turn that tide around!
I'm really lost here dude. What are you talking about? -
TheFORCE Member Posts: 2,297 ■■■■■■■■□□dustervoice wrote: »I'm really lost here dude. What are you talking about?
He is talking about stocking up to be ready for a post -apocalyptic world lol, like get ready to live the same way people live in those movies. -
dustervoice Member Posts: 877 ■■■■□□□□□□He is talking about stocking up to be ready for a post -apocalyptic world lol, like get ready to live the same way people live in those movies.
-
UnixGuy Mod Posts: 4,570 ModLearning Windows.
Not even joking...I can't seem to get past 2nd round of interviews because I can't answer questions about Active Directory, MDMs, SharePoint...and other beautiful Microsoft products.
Yeah you can't win... -
PJ_Sneakers Member Posts: 884 ■■■■■■□□□□Keep your skill set relevant, no matter what. That one bit me hard.
-
dustervoice Member Posts: 877 ■■■■□□□□□□Learning Windows.
Not even joking...I can't seem to get past 2nd round of interviews because I can't answer questions about Active Directory, MDMs, SharePoint...and other beautiful Microsoft products.
Yeah you can't win...
Yes because 90% of vulnerabilities in IT solutions are found in Microsoft products!:D -
GSXR750K2 Member Posts: 323 ■■■■□□□□□□Learn Powershell in and of itself as well.
I remember looking at it when it first came out and thought "meh". Now I use it every day and wonder how much time it would have saved me these past eight years or so. -
ITSpectre Member Posts: 1,040 ■■■■□□□□□□Learn to build on the basics. Don't be afraid to step out of your comfort zone and try something new related to the field. Keep one foot in the door and the other one out... Pay no attention to those that do not uplift you, encourage you, or inspire you... because misery loves company... and most importantly....
Never step away from your PC without locking it... you will be the joke of the office for a dayIn the darkest hour, there is always a way out - Eve ME3 :cool:
“The measure of an individual can be difficult to discern by actions alone.” – Thane Krios -
ITSpectre Member Posts: 1,040 ■■■■□□□□□□dustervoice wrote: »Yes because 90% of vulnerabilities in IT solutions are found in Microsoft products!:D
Computers are like air conditioners..... they stop working if you open windows!!!!
ba dum dissssssssIn the darkest hour, there is always a way out - Eve ME3 :cool:
“The measure of an individual can be difficult to discern by actions alone.” – Thane Krios -
GSXR750K2 Member Posts: 323 ■■■■□□□□□□Never step away from your PC without locking it... you will be the joke of the office for a day
We played a prank many years ago on a guy at work once who went to smoke and didn't lock his computer. Took a screenshot of his desktop and made it his background then deleted many of the commonly used shortcuts on his desktop.
He finally had to ask if anyone else had noticed that only some of their desktop icons worked. -
Remedymp Member Posts: 834 ■■■■□□□□□□We played a prank many years ago on a guy at work once who went to smoke and didn't lock his computer. Took a screenshot of his desktop and made it his background then deleted many of the commonly used shortcuts on his desktop.
He finally had to ask if anyone else had noticed that only some of their desktop icons worked.
One place I worked used CCTV to correct this "CTRL-ALT-DEL" game that many like to play. -
GSXR750K2 Member Posts: 323 ■■■■□□□□□□One place I worked used CCTV to correct this "CTRL-ALT-DEL" game that many like to play.
It was when I worked at Walmart's ISD. Lots of CCTV, but just too much real estate to watch everything. Plus it taught the guy a valuable lesson in policy compliance. -
beads Member Posts: 1,533 ■■■■■■■■■□@dustervoice;dustervoice wrote: »
3. Never say NO!
- My first reactions to users request to connect devices, new software solutions, etc was no as i considered the security risks too high. after a few months, i realized that users will connect those devices or install the application anyway creating (shadow IT) so now I just say YES and work together to find a way to do it securely.
I disagree but with clarification. Feel free to say no when merited. There is nothing to saying yes to everything without thought or reason. For example. "I agree. We should never update Cisco firmware because no one is trying to hack those boxes..." Wrong. Or yes, you should be able to surf every questionable if not down illegal site you want. Child p? Sure! Have at it.
My most basic rule is and has been for many years is that if it makes me an accessory to a crime - its either not happening or its being reported to the appropriate authorities.
Also learn to be discrete when dealing with your census or end user population. You develop a reputation over time and its easily destroyed by simply gossiping with the wrong person at the wrong time. Blow steam off to your security co-worker whose in the know or your spouse but never a non-security employee. I have seen people destroy themselves doing silly things like this over the years and end up leaving an organization because no one trusts that person.
In security your reputation is your honor.
Good idea for a thread though.
- b/eads -
fullcrowmoon Member Posts: 172Always be prepared before talking to your users. You not only have to understand what's going on and why it's important (which, obviously, you do because you're the security guy), but you have to be able to explain it in terms that your users can understand and fit into their world view. It really doesn't do any good to shriek "DON'T CLICK THE THING!" if they don't understand why THE THING is a big deal. It requires some creativity to get users invested enough in security to actually stop doing stupid things."It's so stimulating being your hat!"
"... but everything changed when the Fire Nation attacked."