Main Entry: informatics
Pronunciation: "in-f&r-'ma-tiks
Function: noun plural but singular in construction
Etymology: International Scientific Vocabulary information + -ics
chiefly British : INFORMATION SCIENCE
If they do hire consultants, it's going to be because they don't have the staff, the staff doesn't have the expertise, or the company cannot afford to delegate time to this issue.
This is true to a certain extent, or they have the personnel in place but want an outside opinion - so to speak, policing the police.
Quote
This means that even if security consultants are brought in, they will probably be very limited in their scope, unless they've been contracted to perform a complete overhaul. So obviously, some issues may be overlooked, or if they are discovered will have to be left up to the staff to remedy.
Very true, as the basis of why they are doing this form of audit comes into question as to what initiated the request. Is this to stay in compliance with the policies, is this part of the risk assessment, is this part of a "where are we now"? The overall responsibility will fall on Management, and the appropriate staff delegated with that responsibility.
Quote
Obviously advise and document everything you stumble upon outside of your assigned task that you believe should be changed, but leave it at that. Who knows, it may become a recurring contract. It's just something consultants need to deal with. Document document document.
It also helps in the CYA department as well. Legal departments salivate over stuff like this when there is no documentation.
Quote
Personally I think the industry is at fault. The FUD (fear, uncertainty, and doubt) a lot of these security companies create to sell their products and services
A few years ago I would have wholeheartedly jumped on that with a big OH YEAH!!
But now I can say yes to a certain degree. There is a larger jump in what is happening now than before. So yes, there is some unique marketing out there, but there is also a more disciplined threat than 4 to 5 years ago.
I think you hit on some pretty good points Tyrano and wanted to add my thoughts to them.
Quote
A few years ago I would have wholeheartedly jumped on that with a big OH YEAH!!
But now I can say yes to a certain degree. There is a larger jump in what is happening now than before. So yes, there is some unique marketing out there, but there is also a more disciplined threat than 4 to 5 years ago.
Yeah, I will completely agree with you here, I may have jumped the gun a bit. Things are definitely better than they were, but still sub-par in my opinion.
I suppose that with smaller businesses it may not be as important to have security audits done. I'm rethinking my stance on this, and I'm not sure which side of the line I will come out on...
On one hand, I think that if an audit is done properly, it can be an invaluable resource for keeping your systems safe, but then we must define what a properly done audit is. Surely it isn't just a Nessus scan.... surely it involves Acceptable Use Policies, proper Password Policies, a whole slew of Policies... but then, how many smaller businesses are going to use and follow those policies?
I'm not really sure about that anymore... and you are right then GSecur, if it's just a Nessus scan, it's not worth it.
this word is generally used by BOOK SCHOOLED persons of East Indian descent.
this is bolstered by the asking of asinine and very open ended questions to solicit information they cannot read in a book or hear in a class. I find this to be almost universally true for persons of this ( India ) culture.
my suggestion to these persons: Get out of the Security field
why: you cannot think on your own
BTW: most of the comments in this thread are "right on target"
Quote
this word is generally used by BOOK SCHOOLED persons of East Indian descent.
this is bolstered by the asking of asinine and very open ended questions to solicit information they cannot read in a book or hear in a class. I find this to be almost universally true for persons of this ( India ) culture.
my suggestion to these persons: Get out of the Security field
why: you cannot think on your own
BTW: most of the comments in this thread are "right on target"
Sorry... but I'm not planning to be some stupid book-schooled guy... even though I know this is the fact for a lot of people that follow these courses....
I'm not an idiot... I learned thinking for myself some time ago, and I don't intend to let school or some courses change that. I know this is very important if you want to do the job right.
So I'll just have to prove you wrong I suppose... I think that's one of the main reasons why I'm reading these boards here.
And btw, there is a difference between the pure informatics theory course (4 years of theory lessons, math, software programming etc... this is the one Indian people mostly study), and the course I'm following, which is a lot more practical.
GSecur,
A breath of fresh air from someone who appreciates your honesty and who hires, and fires, security consultants all the time. Working in the gubment, I go through security consultants like The Donald goes through apprentices - 16 this year alone. Between finding them, sifting through the wheat and chaff, releasing the bad ones and replacing the good ones that inevitably climb the ladder of success, the business of security consulting is a booming one in the DC area.
There is a reason though why the good ones are scarce and why the business of security consulting is worth engaging. There is a ton of money in it at the Federal level. It is far tougher though, to try and do it alone. Most work as hired guns for the beltway bandits (SAIC, BAH, CSC, et al), who have established contracts with the gubment that they must perform to. It definitely is a seller's market. Average contract price for a Senior Level GSA Labor rate in the computer security biz is $150 bucks an hour.
To parrot one of the CISSP lines, mgmt support is key. Having security conscious admins would be great (send them my way if you see either of them), but what you really need is someone willing to fire those who don't or can't or are too stupid to follow policies.
I think part of the problem is that the security conscious admins become security folks and that's depleting the stock. Why get paid to fix crap at 2 am when you could have a day job that pays better?
As for paper CISSPs, yes, like every other cert, they're out there. But many who take the CISSP say that it's forcing them to learn areas they didn't know too much about. That's good. Everyone needs to start somewhere. The bad folks that have only the cert and not the experience will be sorted out. I know a person who had the cert and the experience, she just couldn't execute. She was sorted.
Quote
GSecur,
A breath of fresh air from someone who appreciates your honesty and who hires, and fires, security consultants all the time. Working in the gubment, I go through security consultants like The Donald goes through apprentices - 16 this year alone. Between finding them, sifting through the wheat and chaff, releasing the bad ones and replacing the good ones that inevitably climb the ladder of success, the business of security consulting is a booming one in the DC area.
There is a reason though why the good ones are scarce and why the business of security consulting is worth engaging. There is a ton of money in it at the Federal level. It is far tougher though, to try and do it alone. Most work as hired guns for the beltway bandits (SAIC, BAH, CSC, et al), who have established contracts with the gubment that they must perform to. It definitely is a seller's market. Average contract price for a Senior Level GSA Labor rate in the computer security biz is $150 bucks an hour.
Trust me, I have no complaint about the pay, security has treated me extremely well ;-) I wrote this as an article of confession. Basically a true tell-all so that smaller companies do not get caught up in the hype and spend funds unwisely.
Any kind of security audit needs to show the impact of weaknesses/vulnerabilities uncovered during the assessment. Without showing a 'real' impact, the list of weaknesses goes right over everyone's (important, that is) head. The bean counters don't care unless you can prove that you can develop a credible course of action against their company. Something realistic that can cause loss of competitive edge/financial/company secrets.
Quote
Any kind of security audit needs to show the impact of weaknesses/vulnerabilities uncovered during the assessment. Without showing a 'real' impact, the list of weaknesses goes right over everyone's (important, that is) head. The bean counters don't care unless you can prove that you can develop a credible course of action against their company. Something realistic that can cause loss of competitive edge/financial/company secrets.
I also agree to a certain extent with TK_Man when he said
Quote
To many CISSP's not enough injuns!
There are CISSPs out there who have the ability to have been able to sit in a classroom and be able to retain the flood of information thrown at them, that have absolutely no clue as to the differences of malware. Sad but true.
I have read through study guides for the CISSP exam. I know most of the material, but the common test taker probably cannot tell me what Nessus or nmap are. I saw a lot of this when the MCSE revolution began. All of these people, who could not turn a PC on, were studying to become MCSEs. One person in particular became an MCSE for NT4, but he could not get the IP addresses from the command line. CISSP is a great certification, but a lot of its grantees are just managers, not hackers. I have strived to learn by doing and hacking just like TK mentioned. True Security Professionals know that anything is possible, and nothing in life is perfect. Maybe it's a security equation:
Security = (Nothing is perfect) + (Anything is possible)
Quote
There are CISSPs out there who have the ability to have been able to sit in a classroom and be able to retain the flood of information thrown at them, that have absolutely no clue as to the differences of malware. Sad but true.
There are also CISSPs out there with 0day. There are MCSEs who write shellcode. The problem is the overall perception of a class of people who sit an examination. This can be quite an advantage when playing the corporate game :D
Quote
this word is generally used by BOOK SCHOOLED persons of East Indian descent.
this is bolstered by the asking of asinine and very open ended questions to solicit information they cannot read in a book or hear in a class. I find this to be almost universally true for persons of this ( India ) culture.
my suggestion to these persons: Get out of the Security field
why: you cannot think on your own
BTW: most of the comments in this thread are "right on target"
Maybe true, but I'll give you the benefit of the doubt Ragabash. In a nutshell: read and experiment. Read, read, read and read till your eyes burn. And then experiment with what you learn about in a practical way. Don't waste your time trying to find any secrets or shortcuts. Just get your hands dirty and get to work at it.
Ask questions, but figure out as much on your own as possible. This way you'll ask more intelligent questions and are more likely to get a response. Also, don't get caught up in playing with "toys"; learn how things work. Learn about protocols, OS innards, programming etc. Challenge yourself, don't take the easy way out, or you'll end up not knowing anything of value.
Anyway, I digress, there are plenty of newbie tutorials to get you started out there.
And I must concur with everyone this is an excellent thread.
Since CISSP is being thrown out a lot, I should point out that IMO CISSP is a management cert, great for a CISO but pretty lame for an INFOSEC engineer. I mean the network security related concepts are shallow compared to CCIE or GSEC material.