Not everyone who gets involved in security gets there because it was the
primary objective. The implication I was trying to make was that some
people get pushed down the security road. If they actually go down that
road they will focus on practical security, and start to learn more, but it
takes something to push them down that road.
well ok then they are in the security field, but it doesnt make them
"professionals".
not everyone with a CISSP is a professional and its simply to show off to
bosses and people which arent familiar with the IT security filed.
I'm into security since +11 years, i surely know what i am talking about.
Yes, I do. At least to 19-21 year olds at community colleges. I regularly
speak to students about to head out into the field after taking courses to
learn about networking or information security courses to let them know
what the real world is like. I use the security guard analogy and it
clarifies
alot of things. Most of the people in these courses recognize the lack of
respect for mall security guards they had only a few years earlier, and at
the
same time the enhanced (generally speaking) respect a person has for
someone driving an armored car. It is not a perfect example, but as an
analogy it clarifies things fairly well.
ok fair enough, but you talk on a list where people have tons of certs and
are security professionals, so no need to be so basic.
I disagree with this. Someone who is really interested in security who
does not have experience in the field, or at least knowledge of business
process will do more harm than good. At least to pass the CISSP you need
to understand the basics of networking and some formalized
knowledge. It is not a good cert, but there is a minimum 'you must have
memorized at least this much' threshold to finish the exam.
i'm not talking about a complete moron. i mean someone who already
understands the ins and outs of a network and is familiar with
administration,
but then goes into the security field and keeps learning. he soon will be
way more skilled as anyone with a CISSP.
someone whos not familiar with different operating systems,administrating
those and a fair understanding of networks wont be able to go far in the
security field anyway...
Compare that to someone who has read a few papers on security and follows
best practices (whose? why? etc). Small businesses can't afford to
hire expensive consultants, but they deserve better than budding hackers to
help them. Furthermore, if there is an incident the business can be held
liable for, pointing at a CISSP and saying he helped set it up can go along
way to proving that at the very least some due diligence was shown.
Pointing at timmy down the block who sets up wireless is not going to have
the same value from a business perspective.
sure this makes sense, but i was not talking about some kid in the basement,
but an professional administrator or even better a programmer
going into the security field out of interest. then again, as i said, a
small company will outsource security.
In the real world this can cost as much as $1000 CAD an hour, for a cheap
consultant. Ongoing support is unrealistic for many businesses.
i know its not like i work on the moon you know :P but i dont talk about
constant support. a small company doesnt need that anyway.
once in a while, maybe once a year have a real security audit of the
network. with good administrators this is enough as if they are told whats
wrong with
the network in first place (i.e. when the company starts) and then taking
the advices and work based on those, a small company should be fine
if they keep updating their software (what they will be told most likely by
the security team that does the audit). well but this isnt the topic really
so nevermind.
I know of a few that go out of the way to only hire IT guys that have a
security background. But they are definately exceptions to the rule.
yes, surely they do as some boss will obviously look at certs, but thats
where we come to my original topic, those certs dont proove anything so
the CEO may think he hired a good security consultant and feels save, but
his trade secrets go out of the network all day unnoticed as the security
guy
has no idea whats really going on as most of them sit on their certs and
think thats it, but without constantly learning your going nowhere.
they spend all their working time on their high paid asses and brag on some
forums or mailinglists on how skilled they are.
Real world information security is about risk. It is an insurance policy.
You spend $X,XXX in the hopes that an incident that costs $X,XXX,XXX won't
happen. Until you convince business that ideal security (not perfect, as
we agree perfect is impossible) should be the objective, not risk
mitigation,
businesses will not improve spending.
yes its about risk, but this 1,000,000 $ or more costs after a security
breach only applies to very large networks. most of the time its just that
expensive
because companies have to hire expensive security professionals while the
actual work wouldnt cost much at all.
To convince businesses that ideal security is better, we need to have
legislation that holds business owners accountable for security failures
that impact
individuals other than shareholders.
most of the time you can only convince a CEO to pay more for security after
they have been compromised, but thats life...
This is the unfortunate reality that security researchers and the talented
security professionals live in. This is not a world that hackers live in.
Hackers
live in an academic world that lets them posit scenarios where SHA-1 breaks
are a legitimate threat (it will be soon, but it is not a realistic or
credible
threat *right now*). Hackers, regardless of their motivations, live in a
world where the only limits are their imagination, dedication, and
willingness to
overcome ethical 'challenges' to gain access to facilities and resources
they require to push the boundaries of security.
well i agree somehow, but then again many many real hackers work in the
professional security field and even sometimes hold such courses
for certs as they know exactly that noone is a professional after such a
cert, but they get paid for it well so why shouldnt they exploit that
opportunity.
i remember some text that vH from THC wrote "hackers go cooperate" or
something ..might be a nice read for you :-)
so well i just want to say that a security professional should be someone
who is really professional and CISSP doesnt make you one.
-sk
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/