InfoSec and Security - not that glamorus of a field people - Wake up!

TheFORCE · July 2015

Just wanted to say something about the Info sec and the security field as it stands right now and from my observations from the recent threads and posts on this forum. Info-sec and IT Security is not that glamorous of a field - Wake up!

So many posts and threads recently about Info-sec and IT Security, people asking what certs to take, where to start, what materials to read, what tools to use some of these people are completely out of sync with reality, really and seriously! In my honest opinion Info-sec requires years of training and understanding of many different concepts along with a special ability and a nack of IT Security.

People read Info-sec and they see stars or dollar signs depending on the situation. They hear and read Info-sec articles and watch a few movies and their mind goes directly to the "grey hat", "white hat" hackers. They think info-sec is a hacker's competition of some sort.

Info-sec is not hacking people! In fact, you will probably not do any hacking for your company unless you work for a company specializing in pen testing, and even then you will have to write reports, documentations, resolutions and basically still require to write. In info-sec there are so many different job titles and positions all bundled into one word it is not even funny.

To describe the infosec word with an analogy, it is like college football or college basketball. Few make it to the NFL or NBA as players(true infosec people) the rest of us do other things, still relevant and still in info-sec. The lesson, always have a backup plan, don't go all in, many will not make their desired salary, position, title or fame.

It's always funny, when people ask me what my job is and i tell them, i work in IT Security, right away their response is "oh so you know how to hack stuff" and my answer is "No i don't, but even if i did, i wouldn't tell anyone" and then i finish with " Nah, I work on the governance side of IT security, I just look at reports" And then you see the disappointment on their face.

So seriously, wake up, info-sec is not all about testing code, patching vulnerabilities and responding to security incidents. Before you claim to want to get into info-sec do something else IT related, it probably falls within info-sec too.

Danielm7 · July 2015

Well, I partially agree with you. I see lots of people asking here, reddit and other forums. Most of them have zero IT experience and think it just sounds cool and the constant bombardment of "negative unemployment in security!" is pushing that. I got in security with 10+ years in IT already and all of that experience has been very useful, you need a broad skill set for sure.

As for the hacking part, some people are full time pen testers, I know a number of them through a local security group I'm part of. Sure, there is a ton of documentation, no job is ever like the movies. But, they are closer to the idea of hacking as a job than anyone. Granted, it sounds like they are 20-25% testing, 75-80% documentation but once you have templates it doesn't sound as bad.

You mentioned you work in governance, which to be fair sounds like the most meeting/policy/writing heavy part of the large security umbrella of jobs. I work more of an analytics/engineering role where we do lots of testing, working with the right teams to get things patched, responding to incidents, etc. For me, it's really interesting, but like you mentioned, it's not like a movie where I'm hacking a system on the back of a motorcycle while people shoot at me so I can save the world again.

E Double U · July 2015

Makes me think of the time I had a help desk guy excited to have me show him the firewall. When I logged in he said, "this is it?". When I asked what was he expecting he responded that he didn't know, but he expected more.

The physical security part of my job can be exciting because I have to pull camera footage in the event of a bank robbery, but it isn't like I've seen shootouts and guys taking hostages. Just someone slipping a note to a teller and even a break-in.

the_Grinch · July 2015

It's exactly like law enforcement. When you watch TV you see doors being kicked in and high speed chases. Reality? 99% is the paperwork and the normal everyday stuff. But on those rare occasions it is pretty exciting. Same with IT security. I agree you need that foundation before you get into it, but I think most people know that it isn't "Mr. Robot" or any number of movies you see.

bpenn · July 2015

E Double U wrote: »

Makes me think of the time I had a help desk guy excited to have me show him the firewall. When I logged in he said, "this is it?". When I asked what was he expecting he responded that he didn't know, but he expected more.

My wife says this all the time. Except she isnt referring to a firewall.

BlackBeret · July 2015

bpenn wrote: »

My wife says this all the time. Except she isnt referring to a firewall.

Bazinga!

BlackBeret · July 2015

I agree that it's never like the movies, and a lot of people need a wakeup call in regards to their expectations. That being said, I wanted to get in to the fun part of security, and I enjoy my job. I'm not a pen tester yet, but their team is on the other side of the cubicle wall and I'll get there because it's what I want to do. Once people realize how much they need to know, how they have to work their way towards it, and put in time and effort a lot don't want it anymore. You just have to be willing to work for it. I was offered a governance type role with a higher salary and turned it down to stay more technical. I knew if I went that way I would be stuck and hate life. A little less money to enjoy work and stay on my path is worth it, and completely doable.

Next time someone seems excited about security and wants to know how they can get in it, tell them hard work, determination, and perseverance. I know a lot of people aren't used to that anymore, but that's all it takes. Don't learn "security" at first, learn Windows in depth, learn Linux in depth, learn networking in deep depth, learn some high level scripting. Then start learning everything the security world has to offer.

markulous · July 2015

I'd think the majority of people on this forum probably do not have the impression that IT Security means "OMG he's a hacker!". There's obviously so many facets of IT Security.

kurosaki00 · July 2015

What I'm interested @ in InfoSec is traffic analysis. Reverse engineering and logs for legal evidence, tracking, create reports...
Some people may find it boring, but I could spend the whole day looking at raw logs and digesting data. Did that for two years with Cent OS, Java **** and .asp and got hooked.

I get what you mean of newbies thinking InfoSecs is like Angelina Joley in Hackers, or you will be some kind of Neo. It used to be like that when I started college (comp science). Everyone thought it would be a blast, they will create video games, world of warcraft...
Two semester later 70% switched to other degree.

Mitechniq · July 2015

I'm interested in knowing why the big rant, it's common for people to generalize based on their experience. If a typical person only sees what's on TV, then to them IT Security is 'Hacking'. No different than people approaching me in an Air Force uniform and naturally asking 'oh are you a pilot?' Could I easily go, the Air Force is not what you think it is. It is not this glamorous fighter pilot world most people believe, which is true to me but not true in general. You simply have not had the privilege to be in the world of Cyber Defense, Operations and Intel. In fact, I have an interview with a very well-known Defense Contractor this week to Pen-Test simulated military networks and provide reports to the DOD on our findings, not live stuff but pretty close. If a member is in pursuit of knowledge and is excited about joining Info-Sec, I would not discourage them. We need all the bright minds we can get.

kohr-ah · July 2015

Well even then Pen Testing isn't a "HACK THE PLANET" job either.

Yes it is testing the vulnerabilities of systems and sites in a hacking manner but at the end of it you are going to have to write a big write up of what you found, where you found it, and what can be done to fix it.

NetworkNewb · July 2015

TheFORCE wrote: »

So many posts and threads recently about Info-sec and IT Security, people asking what certs to take, where to start, what materials to read, what tools to use some of these people are completely out of sync with reality, really and seriously!

Everyone has to start somewhere...

I know I've made threads asking for other people's advice about what they use, how they got to where they are, and I've been in IT for 4-5 years. I figure that is what this forum is for.

gespenstern · July 2015

bpenn wrote: »

My wife says this all the time. Except she isnt referring to a firewall.

LOL, made my day

TheFORCE · July 2015

Just to clarify this is not a rant, just an observation. Like Blackberet said, before you get into InfoSec you need to have a broad knowledge of IT system and then focus on a specific area. My point was that a lot of people currently by pass all the foundations and think they will make it in infosec straight out of college with no experience. Sure there are some gifted individuals out there but for the majority it takes years of studying and dedication as it has already been mentioned. Many then find themselves in lower levels of IT and doing a disservice to themselves because they set too high expectations to begin with. I'm not saying they should not go for their dreams and aim high, but have realistic expectations at the same time.

beads · July 2015

@TheFORCE;

Completely agree but I'll make two quick observations that should help.

First, security is really technical audit when you boil it all down: A careful examination of records. Look it up. Its the cross between business and the technical aspects of IT. That's why BlackBeret and others stress the broad background in IT FIRST. You need to understand whole lots of stuff, both on the business and IT side before heading off to security. I have a bunch of security freshers with shiny new degrees that are more dangerous than helpful at the moment.

Security also moves 10 times faster than IT. We are down to watching the field move at the speed of twitter. For those of you who dream of a fat salary, cushy job where you take the CISSP and are set for life? Prepare to have a short and disappointing security career. Most "good" security people are at least a little ADD, compulsive-obsessive information junkies with a good bit of competitive learning spirit thrown in. We also eat our young when weak and don't appear to have the instincts to thrive. So, its not always the most welcoming place for the naive.

Anyone care to refute?

- b/eads

Second... Oh look! A squirrel! Sorry, it will come back to me - had a console alert and now I forgot what it was I was thinking. LOL. Hey, it happens.

goatama · July 2015

Several years ago, I thought the C|EH was the coolest thing since sliced bread. I could get that and *be* a hacker (I was naive and the salespitch was really good). Everything I did in my career for a long time positioned me to be able to get to that point. Granted, since the cost of the class and the exam was outside of my budget, I did a lot of stuff on my own: read books, setup labs, broke stuff, fixed stuff, played with tools, studied more. Then I finally took the class (through Skillport at my last job), passed the test, and went "Well @#$%, that's it?" Fortunately, along the way I did a lot more to help myself than I realized and the stuff on the C|EH was almost second nature by then.

Not gonna lie, I still want to be a pentester professionally at some point. The thrill of pwning a box is a heady thing. Even more so when you have an actual "opponent", legally speaking. I do some pentesting in my job now, but not nearly as much as I would like. Security *can* be glamorous, if your idea of glamor is solving puzzles by sifting through metric tons of data to find key pieces of data.

beads is right, there's definitely some ADD with a little OCD thrown in for good measure to actually be good at security. People looking to "break in" to security right off the bat are dangerous. I spent 15 years coming through all levels of tech: from phone support, to desktop support, to sysadmin, to VMware/storage/network support, to security. I don't think I'd be anywhere near as competent in security as I am without that journey. And I'm nowhere near as competent as a lot of folks. It helps that I have a "security mindset". Bruce Schneier tells a story about when he was a boy and he and his brother read how they could get ants delivered for an ant farm, and he immediately thought that it meant he could send ants to anyone he wants. That's the mentality you need to be truly successful. Always thinking about systems, any systems, and their inherent weaknesses, and the ways they can be exploited. That doesn't mean you exploit them, but that you understand how.

/rant

ITHokie · July 2015

TheFORCE wrote: »

Just wanted to say something about the Info sec and the security field as it stands right now and from my observations from the recent threads and posts on this forum. Info-sec and IT Security is not that glamorous of a field - Wake up!

...

It's always funny, when people ask me what my job is and i tell them, i work in IT Security, right away their response is "oh so you know how to hack stuff" and my answer is "No i don't, but even if i did, i wouldn't tell anyone" and then i finish with " Nah, I work on the governance side of IT security, I just look at reports" And then you see the disappointment on their face.

I'm not sure people are chasing a "glamorous" field as much as they are chasing money and opportunity. But even if they are, there are plenty of fascinating roles to be found - just not in IA where you work and it's going to grow. The only problem is that technical skills required for these positions aren't entry level.

ITHokie · July 2015

beads wrote: »

@TheFORCE;

First, security is really technical audit when you boil it all down: A careful examination of records.

That's an aspect of security - other components of security include continuous monitoring, pen testing (are the controls actually doing what they are supposed to?), architecture, engineering, reverse engineering malware, incident response, etc.

I agree that broad IT experience is needed.

E Double U · July 2015

beads wrote: »

For those of you who dream of a fat salary, cushy job where you take the CISSP and are set for life? Prepare to have a short and disappointing security career.

Guilty as charged

TheFORCE · July 2015

ITHokie wrote: »

That's an aspect of security - other components of security include continuous monitoring, pen testing (are the controls actually doing what they are supposed to?), architecture, engineering, reverse engineering malware, incident response, etc.

I agree that broad IT experience is needed.

Just watched on CNN, Upfront with Erin B - There is a need for code breakers apparently as many terrorist organizations are using encrypted channels and sophisticated end-to-end encrypted communications that even the FBI or CIA (they did not mentions NSA) cannot crack. So they were asking the encryption keys from big corporations. Needless to say, that didnt go so well with the companies and the public.
The issue though still remains. Watch in the next few years there will be a certificate about how to break different types of encryption and people wont even remember what the CISSP was.

UnixGuy · July 2015

beads wrote: »

@TheFORCE;

Completely agree but I'll make two quick observations that should help.

First, security is really technical audit when you boil it all down: A careful examination of records. Look it up. Its the cross between business and the technical aspects of IT. //.

It is, but I want to elaborate. Technical audit and MUCH more. It's a long journey and a process, and I catch myself being frustrated at times, but then I realise that I don't have all the skills required yet.

There are certain problems(challenges) that I'd like to be able to tackle one day.

Example: A complex ISP network all over the world, how do you secure that? Architect that, you need to know the business ins and out, you need to know where to place sniffers, setup forensics, know governance, information loss prevention (efficiently). Being able to take this responsibility is something worth pursuing. It takes time and determination.

Example: a breach in a complex banking network. How do you start? where to look? would you be able to do iphone/android forensics as well? What about those custom financial apps? Sure you might need a team to do that, but can you tackle this problem? Some people can. This is worthwhile.

Example: Governance, how can you protect a bank from Information Leakage? What to look for? Sure you can be a compliance ninja and just do a mediocre job and just get ISO certified or whatever it is, but how about genuinly knowing everything that's there to know about the banking system and designing a (viable) solution to protect that? Now that's badass.

TheFORCE · July 2015

UnixGuy wrote: »

It is, but I want to elaborate. Technical audit and MUCH more. It's a long journey and a process, and I catch myself being frustrated at times, but then I realise that I don't have all the skills required yet.

There are certain problems(challenges) that I'd like to be able to tackle one day.

Example: A complex ISP network all over the world, how do you secure that? Architect that, you need to know the business ins and out, you need to know where to place sniffers, setup forensics, know governance, information loss prevention (efficiently). Being able to take this responsibility is something worth pursuing. It takes time and determination.

Example: a breach in a complex banking network. How do you start? where to look? would you be able to do iphone/android forensics as well? What about those custom financial apps? Sure you might need a team to do that, but can you tackle this problem? Some people can. This is worthwhile.

Example: Governance, how can you protect a bank from Information Leakage? What to look for? Sure you can be a compliance ninja and just do a mediocre job and just get ISO certified or whatever it is, but how about genuinly knowing everything that's there to know about the banking system and designing a (viable) solution to protect that? Now that's badass.

Unixguy - i know what you mean, and i agree with you, those are some serious ninja skills. Fortunately or unfortunately, depending who you ask. All the tasks you mention, especially the last example, have been automated and now you can buy software solutions that will give you all that information with the click of a button. Still, i agree, we need people that understand the complexity behind the massive data that we generate and people will not simply become savvy if they do not start from the basics. Many IT Security "professionals" cringe any time you mention best practices or the compliance word because they do not get it.

Mike-Mike · July 2015

Mitechniq wrote: »

No different than people approaching me in an Air Force uniform and naturally asking 'oh are you a pilot?'

When I was younger, I had a friend who was in the Air Force and was a programmer. He was huge, like a football player, but just a computer nerd. Every time anything military came up, or we met new people or whatever, I would go, "oh yeah, he's in the Air Force, dude's a fighter pilot" or something absurd and over the top. Peoples faces would light up like, "oh really!?" and he would just awkwardly go, "no, I'm a computer programmer" and you could just see the disappointment wash over their face... and I would laugh and laugh..

...we're not friends anymore..

UnixGuy · July 2015

TheFORCE wrote: »

... Fortunately or unfortunately, depending who you ask. All the tasks you mention, especially the last example, have been automated and now you can buy software solutions that will give you all that information with the click of a button. ....

This is the confusion right. It's simply not possible for a software to do that! I work in a very complex network (banking), and as an example, we have a Data leakage prevention system in place. It's extremely complex, and we face unique problems that the vendor can't simply solve. You need a team of people who understand so much about different banking applications to even begin to integrate the solution within our existing system. How can you prevent an employee from leaking credit cards information? Scan their laptop? What about their iphone? Do you have permission? What about that encrypted Oracle database? What about web browsing...wait isn't there a proxy? Isn't the traffic load balanced between the proxy? Where exactly should you place your ICAP server? Your architect put that Intercepter somewhere but it slowed the entire network down...why? Pushing a button simply won't work, you need to do network traffic analysis, you have to know how (and why) each device work?

Sure you can be the analyst guy who looks at screen all day, but you can also be the guy who design and implement things, or even better, the guy who troubleshoot and fixes those performance problems or breaches. Your choice, there is a room to grow and there is a market for each skill.

TheFORCE · July 2015

Unixguy, we work in the same industry, yes it's absolutely tough and critical but as mentioned earlier you also need the right tools to empower your IT security team. Otherwise they will get swampped and burned out, not to mention the C level people want to run on a tight budged ao they don't want big teams, but properly trained ones.

LeBroke · July 2015

I really enjoy incident response. Literally, the most fun I've had in IT in months was auditing our corporate site that still inexplicably uses Wordpress after it got pwned by an enterprising script kiddie from China seeking to make a quick buck off of referral and redirect traffic.

Long term, I am a lot more interested in the architecture/management/governance part of security than I am in pentesting. Why? I've done pentesting, ironically at the very beginning of my career. Mostly constrained to ***** work like running Nessus scans and compiling reports from stuff actual pentesters at my company found since I have pretty good English skills. Even when you're a high level pentester, writing reports is like 95% of what you do.

BerkshireHerd · July 2015

I enjoy the investigative part of my job. I get alerts then it my job to dig in and figure out it it is normal course of business or something more...

colemic · July 2015

TheFORCE wrote: »

Unixguy, we work in the same industry, yes it's absolutely tough and critical but as mentioned earlier you also need the right tools to empower your IT security team. Otherwise they will get swampped and burned out, not to mention the C level people want to run on a tight budged ao they don't want big teams, but properly trained ones.

Same industry as well, and totally agree w/ both.

UnixGuy · July 2015

Interesting article, I think it's somehow relevant:
Does My Job Even Matter? A Dose of InfoSec Career Perspective | The State of Security

TheFORCE · July 2015

UnixGuy wrote: »

Interesting article, I think it's somehow relevant:
Does My Job Even Matter? A Dose of InfoSec Career Perspective | The State of Security

Good Article, Completely agree. Social engineering is easy to pull off nowadays, even IT people can be fooled.

Shdwmage · July 2015

I get to monitor the SIEM logs every day. It is very boring. When I find something wrong I have to submit it to my boss. Then he writes a report. Very rarely do we even have to fix anything. I don't even work in IT security per say and looking at these reports has made me more aware of things I need to do to keep things secure, but I don't want to do security for a living.

That being said, I think all IT roles should have a brush with InfoSec. Not so much to do the work, but because I've seen a great many techs (my past self included) that didn't give a rats behind about security because they just didn't know. The worst part is the programmers that don't care.

So I agree that its not a glamorous job, but I think all aspects of IT should be exposed to the fundamentals of it to help make things better across the board.

InfoSec and Security - not that glamorus of a field people - Wake up!

Comments