Security Staff Acquisition & Development

My Last Rant of the Year and New Year Wishes

I would like today in my birthday and the day before the start of a new year not to give my predictions but share my personal opinions about the security industry in general and share some of the ideas I have to improve some of the areas of it.

Professionals

All of us in the security industry that do take our work seriously or do it as a hobby in the hopes to be able to work doing security full time love what we do, we love the technical challenges and believe that we can make a difference and improve the situation of the systems out there. I see the people I have interacted in this field as follows:

The Professional – Works on technology he likes, where he is good at what he does and gets a paycheck for it. He may be involved in Open Source projects and knows how to sell, market and deliver his work to each of the different levels in a customer. He always strives to be up top date not only on his main focus area of work but on other areas that can influence his work and make him better.

The Attention Addict – He who is always shouting to the world in IRC and Twitter how many shells he has gotten, summits to each conference his can a paper so as to speak, supposedly writes a bunch of code but never shares it or shares several small works of code, believes his handle is a personal brand and markets it. They can also be very good people, good coders and good at their jobs but need to always feed their ego.

The Charlatan – He is steals ideas, code, papers, blog posts..etc from others and calls them him own, he has never shared one piece of code, original idea during his so called profession or self branded as a hacker or security professional. He does not take the time to mentor and when asked to teach comes up with lines like “Your cant affords my fees”. But he is good at something, social engineering, he makes customers believe that he know what he is talking about, he know the business jargon and say the right words so the upper management is the one that pushed his solution over the better more technically and business wise solution that the IT or Security team is trying to really push.

Areas of Improvement

I believe that most of us have in varying proportions of the first 2 and should strive to avoid being the third one but learn from him his ways of working with management.

Learn from other areas, you might be a good pentester but if you do not know how to map your findings to the business goals, areas of risk and work with both management and the technical staff those skills are wasted. Learn how to manage a project, the importance of keeping the client involved and to plan for eventual problems, it will save you a lot of headaches and show that you are a professional that brings value to your customer or employer. Loose the fanboy attitude, I do have to say it saddens me when I see people say if you do not use Linux you are not a hacker, or that OSX is the best OS to use, same for Windows, BSD and others. They are just tools each with their strengths and weaknesses, know how to operate and use each OS in a corporate environment; learn about how databases systems are used and how they are configured. This will help you to identify risk and how to mitigate it better in your customers. If a clients or employers business revolve lets say under X brand of Database Systems and ecosystem of that product do not go an make comment saying that is garbage this will not look good and will not be perceived well by management. If to interoperate with other system the system can not be hardened to your liking find ways to mitigate and reduce that risk for this the knowledge gained from understanding and knowing how a system works and how its is used will be of great value.  Running an automated tool and handling in the report is not an assessment of any type, if you do not provide actionable items and validate those results and present them in a meaningful way to your customer they are close to worthless. Most IT shops in companies are very busy they need that the professional that did the assessment took the time to learn how they operate, how their network is structured, now how does it map to the business process and provide actionable items according to this gained knowledge, if you do not take the time to do this you are falling in charlatan territory. Not everyone can gain all the skills that is why team work and having a very good well rounded team is of great importance.

Do the right thing, we all love the sexiness of a pentest, but lets face it you will find clients where this is not needed, you have to know when to approach your client and offer value not what the RFP mentions, get in with the RFP but then after identifying that what they need even more have the ability to move and push for a change of scope or a change order where you will provide probably a vulnerability assessment, policy review, network and architecture review and provide the needed pentest for the checkbox, not always it will work but you will have shown value to them and shown that you know what you speak off even if they do not have the money for it at the moment and probably given them a plan of futures project where the chances of you being the one to do them is high. Have you taken a project plan class? A sales primer? Technical writing and report writing class? Have you even considered studying the right way and get a MCSE or MCDBA instead of a CEH so as to know about the systems you are supposed to secure? No, then what are you waiting for.

What I Love of this Community

What I love is that I have not find a bigger group of people willing to share, willing to teach others and where egos do not rein supreme. A community of professional willing to change and adapt, I have seen people go a get MBAs, go from coding C to Ruby, to Python and to Assembly because they want to further themselves. This attitude puts this professionals and community apart.

Vendors

Lets start by saying I work for a vendor and in my previous job I worked for another vendor and integrator. So most of this comes from my talks with clients and my experience integrating the products.

Areas of Improvement

Technically the best solution is not necessarily the best solution overall, your IPS, Firewall, SIM, Vulnerability Scanner, Pentest Tool or any other you would like to put in here can be the one that manages the largest number of packets, events and provide the most accurate results but if the data is no actionable and by actionable I mean provide the information via a dashboard, integration with helpdesk systems or/and reports is not one that can be modified and adapted to the needs of the client you tool becomes a hindrance not a tool and a waste of money. Flexibility in using the gathered information is paramount, some errors are tolerated if I can use the data with little effort or massaging. Professional Services I see this is a key for any vendor be it pf their own or thru partners, selling a client a tool and not having somebody who knows the tool help implement and adapt the tool if needed is of great danger for the future of the product in the customer but also to the customer it self that will be wasting time trying to figure it out thru trial an error. Integration thru Open Standards, I hate seeing in documentation that to integrate a product I have to use the same vendors plugins or products, I hate the vendor locking that comes with that, there are standards like SNMP, Syslog, XMLRPC and others out there why build something to lock me in? To make money? We have to orient our clients and employers about the risks of this type of system. This is what makes the difference between a solution that will go to a SMB to one that will go in to a large enterprise with a large number of mixed systems with different large departments with different missions and geographically distributed.

Educational services, any vendor out there should at least p
rovide webcasts and videos on how to use their product, larger vendors must provide official clases and should always mention it then sales process and try to include this services. When I worked at HP I noticed that we got over 80% less support calls and less headaches from those clients that took training than from those that did not, it empowers your customer, it means less headaches for you in the long run so implement this, please!

Wishes For 2011

That this community matures and not becomes a checkbox checker, that this community is able to break from the geek shell and move to be able to provide the growth in the area of a more formal uniform profession and lot the charlatans be the face and voice of this profession to the rest of the world.

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.