Do people here with Security Qualification work on a contract/ full time or freelance

Hi just wondering if people here work part time/ full time or freelance?

I guess I ask because I figure that once you have done a full security audit with pen testing - you essentially (at least for that moment in time) solve the potential weaknesses and problems of an organization IT system. Does that mean that for the other 80% of the time you just sit around? I mean, if you were employed on a full time basis then surely once you are confident that the IT infrastructure and integrity is solid - then what do you do with the rest of your time?

Thanks

Find more posts tagged with

Comments

paul78

There's a lot to infosec than just pen testing, the practice includes forensics, incident management, sdlc security, etc., etc.. Threat vectors change, bad guys adapt.

contentpros

paul78 wrote: »

There's a lot to infosec than just pen testing, the practice includes forensics, incident management, sdlc security, etc., etc.. Threat vectors change, bad guys adapt.

Paul is spot on. I'm lucky in the respect that our company has fair sized information security and compliance teams. The pen testing is definitely the fun/sexy part of the job but the reporting and documentation is the part of the job most people seem to forget about. We also handle vulnerability scanning, threat/risk analysis and management and validation that the identified risks are remediated by the appropriate teams. We work with the compliance teams to create policy and procedure documents. I work with the training teams to keep our security awareness training current. Then we have to work with the developers for code analysis, testing, beating them with a stick to follow best practices, and teaching them some of the ways we break err test their code. Once that is done we have vendor compliance and assessments to be completed. We do a ton of testing on vendor patches and we submit a number of vendor bug disclosures which have to be tested multiple times and submitted through legal for approval prior to contacting the vendor. Then if you're bored we work as an escalation point for the SOC teams and incident handlers as the need arises. But after all of that the part of the job I really love is when we setup a lab and host a brown bag lunch for the people that want to learn some of the basics of ethical hacking. When you send out the event invite with limited space and 15 minutes later all seats are full is a great feeling. Almost as great as the feeling you get to see the look on the executive assistant's face when he/she gets their first xss message to pop and they realized what they just did. It makes all the long hours totally worth it.

paul78

contentpros wrote: »

It makes all the long hours totally worth it.

That was well described. And if your job involves helping to put away bad guys, it can be satisfying.

For me, I actually spend about 10-20% of my time working with lawyers on the legal side - either with customers, regulators, or other auditors.

the_Grinch

I think you are forgetting the infrastructure does change and new vulnerabilities come out everyday. I really don't believe you will find any company with a dedicated security team come out and say "welp, we're a 100% secure" and then relax for a bit. If so, they'd no longer work for me that's for sure.

tpatt100

When I was focused more on technical audits at my old job it was almost daily and weekly scans and audits to prepare for the monthly report. Since I was working in a SOC that provided security services for several different government sites we went from sitting around after our daily routines in the morning to working full on getting ready for a roll out of new systems.

Usually like I said it was daily weekly preparations for the monthly report showing vulnerabilities that were not corrected and creating a POAM for tracking when the issue was last reported and then phone tagging the admins to get them to correct it within the next 48-72 hours depending on severity.

since systems were always coming online I usually had a group of machines I was working on reports for.

Also like somebody mentioned things change constantly, new versions of OS's, service packs, new versions of software running on systems adds new issues that need to be identified and corrected.

ptilsen

contentpros wrote: »

Paul is spot on. I'm lucky in the respect that our company has fair sized information security and compliance teams. The pen testing is definitely the fun/sexy part of the job but the reporting and documentation is the part of the job most people seem to forget about. We also handle vulnerability scanning, threat/risk analysis and management and validation that the identified risks are remediated by the appropriate teams. We work with the compliance teams to create policy and procedure documents. I work with the training teams to keep our security awareness training current. Then we have to work with the developers for code analysis, testing, beating them with a stick to follow best practices, and teaching them some of the ways we break err test their code. Once that is done we have vendor compliance and assessments to be completed. We do a ton of testing on vendor patches and we submit a number of vendor bug disclosures which have to be tested multiple times and submitted through legal for approval prior to contacting the vendor. Then if you're bored we work as an escalation point for the SOC teams and incident handlers as the need arises. But after all of that the part of the job I really love is when we setup a lab and host a brown bag lunch for the people that want to learn some of the basics of ethical hacking. When you send out the event invite with limited space and 15 minutes later all seats are full is a great feeling. Almost as great as the feeling you get to see the look on the executive assistant's face when he/she gets their first xss message to pop and they realized what they just did. It makes all the long hours totally worth it.

I have to say... This sounds just plain awesome.

swild

contentpros wrote: »

Paul is spot on. I'm lucky in the respect that our company has fair sized information security and compliance teams. The pen testing is definitely the fun/sexy part of the job but the reporting and documentation is the part of the job most people seem to forget about. We also handle vulnerability scanning, threat/risk analysis and management and validation that the identified risks are remediated by the appropriate teams. We work with the compliance teams to create policy and procedure documents. I work with the training teams to keep our security awareness training current. Then we have to work with the developers for code analysis, testing, beating them with a stick to follow best practices, and teaching them some of the ways we break err test their code. Once that is done we have vendor compliance and assessments to be completed. We do a ton of testing on vendor patches and we submit a number of vendor bug disclosures which have to be tested multiple times and submitted through legal for approval prior to contacting the vendor. Then if you're bored we work as an escalation point for the SOC teams and incident handlers as the need arises. But after all of that the part of the job I really love is when we setup a lab and host a brown bag lunch for the people that want to learn some of the basics of ethical hacking. When you send out the event invite with limited space and 15 minutes later all seats are full is a great feeling. Almost as great as the feeling you get to see the look on the executive assistant's face when he/she gets their first xss message to pop and they realized what they just did. It makes all the long hours totally worth it.

I have to say, this is the job I want. Who wouldn't like pen testing? But, I think I would really like vulnerability scanning and threat analysis; and by tempering it with teaching best practices and actually seeing my work pay off with a better informed userbase would fulfill my desire to make everyone's job easier through proper use of technology. No one really likes all of the bureaucratic paperwork, but that comes with every job to a degree. I also think creating policy and procedure docs would be fun.

Seeing things like this helps me to know that I am heading down the right track. IT Sec is definitely the field for me. Now, all I have to do is finish my degree, get a couple more certs, and GTFO of this JOAT position.

sexion8

lister wrote: »

Hi just wondering if people here work part time/ full time or freelance?

I guess I ask because I figure that once you have done a full security audit with pen testing - you essentially (at least for that moment in time) solve the potential weaknesses and problems of an organization IT system. Does that mean that for the other 80% of the time you just sit around? I mean, if you were employed on a full time basis then surely once you are confident that the IT infrastructure and integrity is solid - then what do you do with the rest of your time?

Thanks

Security auditing and penetration testing are two completely separate tasks as is vulnerability assessing and penetration testing.

Once upon a time, penetration testing was an art form. Those in the industry needed to understand a lot of different areas in the industry to be successful. One needed to really understand networking at LEAST on a CCNA level to understand subnetting, broad/multi/etccasting, VLANs (VLAN hopping). They needed to understand systems all around - meaning, those with systems administration (Solaris, Windows, BSD, Linux) were likely to be better pentesters since they often understood systems as a whole. The candidate needed a bit of programming experience and so forth. The last decade has brought forth too many "point and click" hackers who believe that running metasploit auto_pwn is a pentest. The kind who believe that Nessus, Rapid7, Core Impact and Canvas on a network constitute a pentest.

Pentesting used to be sexy. Nowadays, companies don't want outright pentesting. Most want vulnerability assessments from "hacker tools" like metasploit, but metasploit is only as good as the individual using the application. Most people I have seen who quote on quote "know" metasploit know little more than 5-6 commands. Enough to pull off staged exploits that make non-security folks drool. These "tool drones" have saturated the market with zero knowledge of real world exploitation. Real world exploitation meaning, take away their favorite tools, throw them on a network with zero of their tools and let's see how much they truly know.

I had and have been asked time and time again for advice getting into this career hence me writing my "Pentesting 101" document. It was aimed at someone taking the time to learn enough about the scopes of the OSI and how they relate to Pentesting. I truly believe that anyone following it would be a sharp/strong pentester. Moreso than doing the same re-hashed staged exploitation via metasploit or any other tool.

Anyhow, enough rambling. I suggest you read the following lister: http://www.infiltrated.net/pentesting101.html it lays out a solid foundation to build on.

swild

sexion8 wrote: »

... quote on quote "know" ...

Grammar **** Warning:

Sorry, but you just hit on a pet peeve. 1) it's "quote, unquote" 2)there is no reason to write out "quote, unquote" when you can write out the punctuation.

I just can't let otherwise intellegently sounding people make these kinds of mistakes.

sexion8

quote on quote - I write what and how I feel, don't like it don't read it. Instead of you wasting your time trying to correct your own OCD based pet peeve, you could have added to the discussion. Einstein, DaVinci, Edison... All had dyslexia (care to correct my three dots 2? or would the 2 in this sentence also irk you too)

JDMurray

Thread veering off topic alert...