Cyber Security- Growing trend

Anyone else notice a growing trend (For a couple years now) of all these entry level type people trying to start out in IT in the security field? I can't tell you how many posts, etc. I see on Reddit and the like where people ask- How do I get int IT security? I'm 18 and have 0 experience.

I have dealt with a few 3rd party "Pen Testers" that really didn't know WTF they were doing. They asked me questions about my clients but it was clear they did not know basic network architecture or even simple things about normal IT operations. One of the guys even told me- Look man, we just go in and run our software to produce reports.

I don't want to seem like I'm ranting or putting all IT security folks under a bad light. I've just noticed there are a ton of people getting CEH and landing jobs where they don't really understand networks or IT. To me it seems backwards. I think people should start off in helpdesk or a NOC, work their way up, and then get into security. That way you can learn the industry.

Find more posts tagged with

Comments

EANx

You mean like the post in the security area where the guy is starting the OSCP but wants to know if he should use his old laptop or if he can use a VM "in the cloud"? You can't be effective in security without understanding what you're protecting.

I guess you get what you pay for, the provider will hire n00bs if the client will let them. Like any other project, it's important to establish the scope of what you want done.

McxRisley

I think the problem is people acting like security is this all inclusive club that only the elite are allowed into. There is nothing wrong with people who have 0 experience and wanting to jump straight into security. In some cases, it is best to higher these people because they are easier to train than someone who has been in the industry for 10+ years and is stuck in thier ways.

I was one of these people at one point. The only difference is I wasnt really looking to get into security, the job just kinda fell in my lap after only working professionally in IT for 7 months. Now a few years later I have had several different security roles and am now a team lead.

I also get what EANx is saying too, there are some who just have no business being in security, but to not even give someone the time of day based off of them being fresh is just not fair.

Sheiko37

@EANx, so an inexperienced guy asks a question you think is dumb, then your response is to deride them, and at the same time bemoan that there's too many amateurs...

do you see a problem here?

EANx

@Sheiko37: Ah, tell me where I said there are too many amateurs. I'll wait.

IT has always been an industry where people want to move faster than their ability but they forget that firms depend on their expertise. I want to hire someone who can explain the "why". Why something happened, why they did things the way they did. IMO, until you can explain the why, you're a technician (because this document said so). Being able to explain the why makes you an engineer.

You seem a little defensive. Are you able to explain the "why" behind your actions?

Sheiko37

EANx wrote: »

Are you able to explain the "why" behind your actions?

Let's say I can't. What's your solution to this?

NetworkNewb

snokerpoker wrote: »

I have dealt with a few 3rd party "Pen Testers" that really didn't know WTF they were doing. They asked me questions about my clients but it was clear they did not know basic network architecture or even simple things about normal IT operations. One of the guys even told me- Look man, we just go in and run our software to produce reports.

Alot of those people just follow a script of things to do. I think part maybe because they are only allowed to do so much. But after awhile of following the script you lose your other skills/knowledge.

Like in any position there are good people who love to learn and do more and improve themselves, and others who just like to get the work done as quick as possible, don't care about learning more, and go home. Most fit in the second category from my experience.

EANx

Sheiko37 wrote: »

Let's say I can't. What's your solution to this?

People with experience in other areas of IT before getting into the technical side of IT security. How are you supposed to detect or secure the things a user might leave vulnerable if you have no experience with them? How are you supposed to detect or secure the things an admin might leave vulnerable if you've never been an admin? You can depend on pre-built scripts but that's following the 80/20 rule. Anyone can do the 80% by following instructions and clicking a few buttons then copy/paste. The real value in IT security is found in the 20% most people don't strive for.

McxRisley

EANx wrote: »

People with experience in other areas of IT before getting into the technical side of IT security. How are you supposed to detect or secure the things a user might leave vulnerable if you have no experience with them? How are you supposed to detect or secure the things an admin might leave vulnerable if you've never been an admin? You can depend on pre-built scripts but that's following the 80/20 rule. Anyone can do the 80% by following instructions and clicking a few buttons then copy/paste. The real value in IT security is found in the 20% most people don't strive for.

While I agree with this, you are talking about very specific roles in Security. Not all security roles involve doing all of those things. Here we have some people that just run Nessus scans and apply patches most of the time. A brain dead monkey can do that job, but it gives entry level people some exposure to the technologies and a chance to grow thier skillset. Thats where I started.

paul78

Great topic! I had been noticing that myself as well. It's kinda interesting because I know a lot of software engineers and devops engineers who are very seasoned who have zero interest in moving into security. In fact, most actively despise the work. And several of the non-tech security people that I know would rather move into risk management or compliance.

Anecdotally, I have a few colleagues and friends who are excellent pen testers with decades of experience. And several of them have gotten out of pent testing because they didn't like it any more. The blue team folks that I know do tend to stay in security a bit longer, but they eventually move out to non-tech security like grc work.

I guess there is probably a perception that security work is more exciting.

DatabaseHead

paul78 wrote: »

I had been noticing that myself as well. It's kinda interesting because I know a lot of software engineers and devops engineers who are very seasoned who have zero interest in moving into security. In fact, most actively despise the work. And several of the non-tech security people that I know would rather move into risk management or compliance.

Paul, interesting you brought this up.... I work with devops and work in a data engineering group and these are my findings as well. Most want to stay in this space and not branch out. From my perspective I can't think of one scenario where these engineers made the jump.

All the people I know in security started low level, EG the desk and moved up gradually while obtaining certification. None of which were good developers or at scripting.

McxRisley

paul78 wrote: »

I guess there is probably a perception that security work is more exciting.

I would second this, but can attest that is not really the case lol. I like my job but I would hardly call it exciting lol

PC509

Remember the late 90's, early 00's? The radio ads "Get your MCSE/CCNA and make $100K+!". We had a LOT of people switching careers or just starting their career, going to what was pretty much a boot camp, getting their MCSE or CCNA and actually getting some of those net admin jobs with zero practical experience. It caused some certification burnout for a while where employers didn't trust an MCSE/CCNA/others. They were those "paper certs".

Cybersecurity is the new buzzword, the new hot stuff, and it's got a lot of attention. Ads are everywhere to get a quick "cert and break into the exciting field of cybersecurity and ethical HACKING!" and show a picture that looks like a Mr. Robot set. I almost expect a similar burnout on security certs and employment opportunities.

volfkhat

McxRisley wrote: »

I think the problem is people acting like security is this all inclusive club that only the elite are allowed into. There is nothing wrong with people who have 0 experience and wanting to jump straight into security. In some cases, it is best to higher these people because they are easier to train than someone who has been in the industry for 10+ years and is stuck in thier ways.

Dios Mio!

No No No.
Security can not be somewhere that you start; it has to be somewhere you go after you have attained a solid foundational base.

At the MSP i just left,
the Security team was made of former Linux folk, and Windows folk (ironically, no network folks, but whatever).
Anyway, these were people who were pretty good at what they did... and decided to transition into Security.
okay Great. no problem.

Fast forward a few years.. new management... New Philosophy:
Now all you need to be promoted up to the SOC is a Security+.
Seriously,
they started pulling people off the helpdesk who mainly reset passwords all day;
"Congratulations! you are now a SOC engineer."

A few of them don't know how to wipe/reload their own laptops.
They honestly can't explain the difference between a Switch & a Router.
They really don't understand the difference between TCP & UDP.
Hell, they probably can't spell Linux correctly.

And yet, the company gave them full access to the firewalls.

/facepalm

You gotta Walk before you Run folks....

McxRisley

volfkhat wrote: »

Dios Mio!

No No No.
Security can not be somewhere that you start; it has to be somewhere you go after you have attained a solid foundational base.

At the MSP i just left,
the Security team was made of former Linux folk, and Windows folk (ironically, no network folks, but whatever).
Anyway, these were people who were pretty good at what they did... and decided to transition into Security.
okay Great. no problem.

Fast forward a few years.. new management... New Philosophy:
Now all you need to be promoted up to the SOC is a Security+.
Seriously,
they started pulling people off the helpdesk who mainly reset passwords all day;
"Congratulations! you are now a SOC engineer."

A few of them don't know how to wipe/reload their own laptops.
They honestly can't explain the difference between a Switch & a Router.
They really don't understand the difference between TCP & UDP.
Hell, they probably can't spell Linux correctly.

And yet, the company gave them full access to the firewalls.

/facepalm

You gotta Walk before you Run folks....

Again, you guys are refering to higher level jobs. I am talking about security jobs for ENTRY LEVEL people. See my previous post above for an example.

volfkhat

Which post is that?
the one about Monkeys running Nessus scans?
Maybe.

But Those same monkeys can reset passwords all day...
Does that mean they also have entry-level M$ experience?

/shrug

I get where you're coming from bud.... but i still disagree lol.
I think your 7-month journey is the exception to the rule; but it shouldn't be seen as the rule.

But hey, it's just my opinion; i have a lot of them... and most are probably ill-advised :]

LeBroke

paul78 wrote: »

Great topic! I had been noticing that myself as well. It's kinda interesting because I know a lot of software engineers and devops engineers who are very seasoned who have zero interest in moving into security. In fact, most actively despise the work. And several of the non-tech security people that I know would rather move into risk management or compliance.

That's because security work from our perspective is 90% paperwork 5% slightly fun technical stuff and maybe 5% that's actually fun.

I can do that or I can build stuff where it's fun 80% of the time, and my manager deals with 80% of the paperwork.

Also pays more

paul78 wrote: »

Anecdotally, I have a few colleagues and friends who are excellent pen testers with decades of experience. And several of them have gotten out of pent testing because they didn't like it any more. The blue team folks that I know do tend to stay in security a bit longer, but they eventually move out to non-tech security like grc work.

I guess there is probably a perception that security work is more exciting.

Which is weird because IMO only consulting is fun. Mostly because you're never doing the exact same thing every day and there's a social element.

yoba222

1. It's glamorized in popular media these days
2. It's actively being promoted as a great career choice in high schools
3. The market isn't yet saturated with cyber security professionals, so salaries aren't dirt cheap, and this is a bad thing for corporations

kaiju

Take the high road and mentor some the new people in the field. This would not only build a stronger CyberSec field but it would also garner more respect for the mentor.

The caveat: If the person does not seem to be a good fit PLEASE advise them to chose a job field that meets their ability to succeed.
Not a good fit = cannot comprehend the methodology; cannot retain the knowledge; needs CONSTANT supervision; .... so forth.

But I will agree, a good CyberSec professional needs to have a good grasp of both the OS and networking fields.

Syntax

snokerpoker wrote: »

Anyone else notice a growing trend (For a couple years now) of all these entry level type people trying to start out in IT in the security field? I can't tell you how many posts, etc. I see on Reddit and the like where people ask- How do I get int IT security? I'm 18 and have 0 experience.

I have dealt with a few 3rd party "Pen Testers" that really didn't know WTF they were doing. They asked me questions about my clients but it was clear they did not know basic network architecture or even simple things about normal IT operations. One of the guys even told me- Look man, we just go in and run our software to produce reports.

I don't want to seem like I'm ranting or putting all IT security folks under a bad light. I've just noticed there are a ton of people getting CEH and landing jobs where they don't really understand networks or IT. To me it seems backwards. I think people should start off in helpdesk or a NOC, work their way up, and then get into security. That way you can learn the industry.

I agree with you, and I actually came from the IT systems and network admin side, but I've also heard and have been told the opposite. That you need security experience to work in security, and while IT experience may be a plus, the main concern is having ever used a SIEM. I finally landed a security job, on the GRC side, just to gain security experience but was turned down many times over when I applied for security engineer and more technical infosec jobs.

UnixGuy

I can spot people who lack experience within 30 seconds, it's not even funny.

I have no problem with people wanting to start in 'security', as long as:

1) They're not cringe-y.
2) They admit they lack the knowledge in other areas and SEEK help when needed
3) They're humble and have people skills (know how to interact with others)

There are ways to get more networking/OS knowledge, but nothing beats hands-on experience build over years using multiple technologies...it's not needed but it makes a huge difference.

UnixGuy

McxRisley wrote: »

..Here we have some people that just run Nessus scans and apply patches most of the time....

quickest way to lose credibility is to go to System admins with a list of recommended patches/fixes from Nessus report without knowing what they mean. Some system admins will eat the poor security analyst alive if they're don't know what they're asking. I've seen Security teams lose credibility this way, go to sysadmins and give them a list of fixes that are not applicable to their systems

paul78

LeBroke wrote: »

Which is weird because IMO only consulting is fun. Mostly because you're never doing the exact same thing every day and there's a social element.

Agreed - I try to keep it varied for myself. These guys that were burned-out on pent testing just got disillusioned after a while.

UnixGuy wrote:

3) They're humble and have people skills (know how to interact with others)

Well said - that's really an important attribute for anyone that wants to be in security for the long haul. To be effective, a security practitioner really has to be able to articulate security issues in a way that isn't offensive by calling the baby ugly. When I think back, trying to be diplomatic and getting traction on improving security posture at my employer or client was always one of the hardest thing for me.

mikey88

I agree with both sides on this. It's ideal to have fundamentals of sys/networking before pursuing a job in security, but at the same time, 5yrs of engineering experience is not needed to land an entry level SOC role.

I'd rather see posts of driven individuals seeking advice to advance their careers than a post asking how to get out of helpdesk after several years.

Sheiko37

I'm hearing strong adversarial attitudes to whom should be your peers.

How can you skilfully secure an environment if you've never administered one... or maybe, how can you skilfully administer an environment if you have no understanding of security?

There's no need to hold either of these views. It's not helpful nor representative of the real world, and it's not realistic to say individuals should just be proficient in all domains.

You think others aren't rolling their eyes at your own knowledge gaps? Why cultivate that attitude?

McxRisley

UnixGuy wrote: »

quickest way to lose credibility is to go to System admins with a list of recommended patches/fixes from Nessus report without knowing what they mean. Some system admins will eat the poor security analyst alive if they're don't know what they're asking. I've seen Security teams lose credibility this way, go to sysadmins and give them a list of fixes that are not applicable to their systems

This is why our analysts who perform those duties work with the sys admins (or in some cases they are the sys admins) so that they can figure out what can and cant be patched. If something cant be patched, they would just POAM it.

You guys are so stuck on the elitist mentality that you cant even think logically on this issue.

kaiju

McxRisley wrote: »

This is why our analysts who perform those duties work with the sys admins (or in some cases they are the sys admins) so that they can figure out what can and cant be patched. If something cant be patched, they would just POAM it.

You guys are so stuck on the elitist mentality that you cant even think logically on this issue.

That is my biggest issue with POA&M. Many " seasoned professionals" use it as a fix-all band-aid instead of actually mitigating the weakness. Getting a bit OT but most people do not realize how much happens before actions are taken. In a proper environment, the Cybersecurity department should consult with the sys admin and/or network department(s) prior to implementing a mitigating action along with change management. But we all know, this rarely happens in emergency situations. I have seen too many instances were a POA&M is thrown on a weakness just to get past C&A and then they forget about it leaving a glaring hole in the system.

Therefore, an entry-level Cybersecurity analyst who possesses an aptitude for the field but does not have a strong overall IT background should spend time with sys admin and network departments while performing his/her entry level Cyber responsibilities before being given more rights.

I personally know of a former military guy who changed from a non-IT job with no path for growth to a IT service support position (imaging and delivering equipment) to helpdesk and then on to Tier II CyberSecurity in two years. How did he do it? The people around him acknowledged his desire to learn and mentored him. He went from a person with personal computer experience and A+ and Sec+ (needed to get the service support job) to being dedicated IT professional with MCSE (Win10, 2012R2, Office 365), CCNA RS, ITIL and CASP who knows how to put the certs to use. He did not **** any of the certs. He learned how to build his own lab and shadowed any person who was willing to pass along some knowledge. He is currently working on CISSP, CEH, CCNA security and Linux so that he can move up to Tier III in a couple years. And guess what!! He himself has started to mentor other entry level personnel. This is the way it should work instead of thumbing his nose to them.

A couple weeks ago I made a post in OT about funny/silly IT stories. The person to whom I was referring would get insulted if you attempted to pass knowledge to him or show him a better way to perform an action.

In closing, we are all ignorant until we are able to gain the knowledge and experience that proves otherwise so please pass the knowledge!

McxRisley

kaiju wrote: »

That is my biggest issue with POA&M. Many " seasoned professionals" use it as a fix-all band-aid instead of actually mitigating the weakness. Getting a bit OT but most people do not realize how much happens before actions are taken. In a proper environment, the Cybersecurity department should consult with the sys admin and/or network department(s) prior to implementing a mitigating action along with change management. But we all know, this rarely happens in emergency situations. I have seen too many instances were a POA&M is thrown on a weakness just to get past C&A and then they forget about it leaving a glaring hole in the system.

Well I know some places don't actually follow the POAM process but here we actually do. Depending upon the category of the finding, you have a certain amount of time to fix the issue. Also, C&A is a whole separate team here and they do not accept phoney or bogus POAM reasons. There is always a meeting held with the POCs and sys admins to address the findings and thier reasons for not being able to patch. I know the issues you are talking about exist, I have experienced them myself. I consider myself lucky to work at one place that actually follows the rules.

TechGromit

McxRisley wrote: »

I think the problem is people acting like security is this all inclusive club that only the elite are allowed into. There is nothing wrong with people who have 0 experience and wanting to jump straight into security.

If you want to hire someone with no experience to pen test you network, good luck with that. Personally I'll stick with someone know knows enough that if they get in they are not going to screw up my production environment. Security isn't "an inclusive club", but I see nothing wrong with asking for some experience in other areas of IT before jumping right into security.

kaiju

TechGromit wrote: »

If you want to hire someone with no experience to pen test you network, good luck with that. Personally I'll stick with someone know knows enough that if they get in they are not going to screw up my production environment. Security isn't "an inclusive club", but I see nothing wrong with asking for some experience in other areas of IT before jumping right into security.

If an entry level person is hired to do pentesting, the hiring authority is the one to blame. Even Pentesting has entry level positions who should be supervised until they provide that they can functioning by themselves. We all know people who have "professional" certs but lack the experience and expertise to actually perform their required duties.

cyberguypr

I also work at one of those mythical places were policies and processes work as designed and are followed. Using POAMs as band aids and getting away with it it's an issue of governance. If I try that crap at my $dayjob there would be a LOT of explaining to do.

In regards to experience I think you guys are seeing it too much as black or white. The answer is somwehre in the middle. As a security leader, do I prefer people like me who have been through desktop>network>servers>cloud, etc? You bet I do! To kaiju's point, do I take people fresh off college and train them in the simpler tasks that don't require such an extensive IT/IS background? Of course I do. This doesn't mean my newbie will be doing pentesting, forensics, etc. Not every single security task requires experienced engineers . Maybe is the fact that my area has a wide range of responsibilties ranging from basic (metrics, reporting, access reviews) to very advanced (dev, sec analytics, threat hunting), but there's a place for all levels in my team regardless of experience. You have to keep that pipeline healthy.