I'm old. Like really old. Aged 36 or so. So I thought it might be helpful to share some of the information security lessons I've learned over the years. Or CyberSec, as we now call it. Which, if you're old, sounds like a fairly inappropriate IRC moment.
A while back, I tweeted a question asking people what they wished they had understood before entering the field of cyber security. I reflected on those tweets and added my own observations and viewpoints. Because the world really needs another blog from an unknown author, right?
This was by far the most common reply, and it was all negative. People said they had no idea they were about to enter the political arena.
The truth is that not many jobs require you to do security merely for the sake of doing security. Smart businesses want security so they can do business securely, which may include removing obstacles (including products and deployment configs that let people get on with their work).
Some companies disregard security completely. It's actually incredibly uncommon to come across a company with even mediocre security. Many businesses simply cannot afford to run anything close to the highest level of security; after all, the crab paste company where you've been eyeing a position has to make crab paste, not have everyone log in with triple-factor SSH keys.
Politics is something I typically love. No, never. The key for me has been learning how to gently nudge people towards a desired action; this can take time and patience. I've also learned when to get over myself and compromise on something in order to achieve a better long-term objective or position within an organisation. The most important one is listening. Sometimes the resources a department, team or company has prevent what you're proposing from being done. Sometimes the solution you're putting forward is unworkable for reasons you've never even considered. In the real world, sometimes what you're suggesting is plain stupid. And sometimes a group's reasons for opposing a decision are illogical. The important thing is that you have listened and can now decide what to confront, and how.
However, in general, if you enter the sector believing that most organisations have excellent security, that you're there to enforce the finest security standards, and that there will be little politics, you might not have a good experience. Although most businesses today view cyber security as a major concern, that does not always mean they are focusing heavily on it. Rightly so. Cyber security isn't there to turn the business into a cyber security company; it's there to help an existing business get on with being what it already is.
The field has grown up. When I was younger, it involved a lot of hanging around on IRC and trips to Vegas. Most people found it absurd that you would hire a hacker. It had a modest, generalist culture. When I mentioned implementing virus software at my first employer, an oil business, people would ask if I meant "anti-virus" software. Yes, because I was paid to do it. But they were certain it had a negative connotation.
Today, some organisations have Risk teams, Policy teams, red teams that try to break into the business, and people who sit and watch Splunk to see what is going on in order to defend their organisation.
It's important to remember that almost every conversation you have across departments will involve someone with a particular point of view. This is worth bearing in mind when having conversations online as well. Online, you will frequently hear people say "Just patch!", which is entirely correct in terms of policy. To those who actually perform the patching at scale and manage the systems operationally, "Just patch!" sounds like "Just call up Taylor Swift and ask her to be your mate."
This goes the other way too. I recently took part in a discussion, with several people from numerous UK companies, about how to build a fantastic vulnerability management team as opposed to a good one. "You have a dedicated Vulnerability Management team?!" was a lot of people's reaction. Basic patching continues to be a challenge for many organisations. It's the Broadchurch thing: remember that even if you are both theoretically looking at the same object, it may look very different to each of you depending on your experiences.
Back in my youth(tm) we used to hang out on IRC all day long, and then get together for cocktails at night. When they first met, people knew one another's real identities. Trust was established. Ideas were discussed. There were also a lot of fools about.
Many of them either left the industry or found jobs in large corporations.
What's left is a strange shell with numerous odd angles. Some of it is very creative. For instance, I often enjoy InfoSec Twitter since it lets me see content I otherwise wouldn't. I mostly consume animated GIFs and drips of information; I read very few InfoSec websites. I try not to take it seriously at all.
But the atmosphere is strange. I believe the infosec community has slowly disintegrated, and in its place a strange dynamic of self-importance is growing, especially in the wake of WannaCry as businesses look for expertise.
I try to stay away from all the drama and punching that goes on, especially on Twitter. Since most people on LinkedIn seem to just be reposting news headlines, I tend to stay away from it too, because I don't think anyone there actually understands what they're highlighting.
I also believe there is a very real echo chamber.
I have the impression that the InfoSec community is starting to crumble. We punch at users, calling them "thick". We punch at the social media representatives of big businesses, calling them stupid. We also punch at each other.
Now, you might ask, "Aren't you the one who called attention to Equifax's flaws?" Sure, I am. They are a group of businesses worth several billion dollars. In my article, I discussed how to prevent the issues they had with Struts. Personally, I believe it is fine to highlight how big businesses can improve without disparaging anyone. I do, however, often reflect on this.
In the end, I believe the community today takes itself seriously, possibly too seriously. Twitter is a good way to pass the time and can be a terrific source of information, but when you consider that I have 47,000 followers, you realise it is nonsense.
Many people are entering the cyber security field. Which is fantastic, because it's imperative that new faces and perspectives are brought to the table: embarrassingly, many of the same issues still exist today. I believe our sector suffers from a severe lack of diversity in all facets.
But consider this: experience is also the top attribute I believe individuals can bring to the table. That does not mean ten years of experience. It means sticking with the work and staying with your employer. If you're actually in there, doing what you're supposed to be doing, you'll be valued and won't have trouble finding other employment in the future. Commit. Do; deliver.
It's also worth noting that many businesses are still at the beginning of their cyber journey and some need direction. Sometimes a role may require you to perform duties you weren't anticipating. Occasionally that is a bad sign. Often it lets you escape the box you're in and take part in something amazing. You must occasionally take a chance and step forward. My rule is: if it actually helps a company stay secure, you're doing it well.
If you're interested in entering the industry, you can start a blog and write. This isn't for everyone. Or acquire coding skills and contribute your own code.
You'd be astonished at how many essential InfoSec tools are still missing. For instance, there was never a simple central method for reporting events from Microsoft EMET. Businesses do things like associating .vbs files with Notepad to block ransomware, yet nobody has built a tool that does this better.
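The file-association trick mentioned above, as an added example that is not from the original post: a PowerShell snippet that re-points the Windows Script Host ProgIDs (VBSFile, JSFile and friends) at Notepad, so a double-clicked script attachment opens as text instead of being executed by wscript.exe. It assumes it is run from an elevated prompt and edits the machine-wide HKLM\SOFTWARE\Classes hive; the ProgID list and the Open/Open2 verb names are the standard Windows ones, and the Test-Path guard skips any that are not registered on a given build. (EMET itself reached end of support in 2018; its mitigations moved into Windows Defender Exploit Protection, which is why the reporting gap never got filled for EMET.)

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Re-points Windows Script Host file types at Notepad so that a double-clicked
# .vbs/.vbe/.js/.jse/.wsf/.wsh dropper is displayed as text instead of run.

$scriptProgIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'
$verbs         = 'Open', 'Open2'   # Open = wscript.exe; Open2 = "Open with Command Prompt" (cscript.exe)
$notepadCmd    = 'notepad.exe "%1"'

function Set-ScriptTypeToNotepad {
    param([string]$ProgId, [string]$Verb)
    # Machine-wide classes. A per-user HKCU\Software\Classes entry would still
    # override this, so check that hive too on shared or long-lived workstations.
    $key = "HKLM:\SOFTWARE\Classes\$ProgId\Shell\$Verb\Command"
    if (-not (Test-Path $key)) { return $null }   # verb not registered on this build
    $before = (Get-ItemProperty -Path $key -Name '(default)').'(default)'
    Set-ItemProperty -Path $key -Name '(default)' -Value $notepadCmd
    [pscustomobject]@{ ProgId = $ProgId; Verb = $Verb; Before = $before; After = $notepadCmd }
}

$changes = foreach ($p in $scriptProgIds) {
    foreach ($v in $verbs) { Set-ScriptTypeToNotepad -ProgId $p -Verb $v }
}
$changes | Format-Table -AutoSize

# Verify: cmd.exe's assoc/ftype read the same registry keys the shell uses.
cmd /c 'assoc .vbs'
cmd /c 'ftype VBSFile'
```

This only changes what the shell does when a script is opened through its file association; `wscript.exe payload.vbs` typed at a prompt, or a script started by an Office macro via WScript.Shell, still runs. The stronger control is to disable Windows Script Host outright by setting the DWORD `Enabled` to 0 under `HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings`, after checking that no logon scripts depend on it. Either change can be pushed fleet-wide with Group Policy Preferences, which is the "tool that does this better" that the post notes nobody has written as a product.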
One of my friends acquired a Cobalt RaQ 3 in 1998 while on a student placement at Cable and Wireless INSnet. Since I wasn't your typical teenager, I rebuilt the Linux kernel on the box with security hardening patches, and we used it to host projects for friends. He made me admin of the box. I set up VMware on it, and we launched a Linux virtual machine with no outbound internet connectivity. We posted the credentials for the machine in IRC channels, and then used tcpdump to capture what its users did. Looking back, it was one of the first honeypots.
I picked up incredibly useful Linux admin and security techniques from Dave's professional experience.
My best suggestion is: find a niche, research it, and write about it. If it fails, either stick with it if it interests you or look for another area. Cyber security is still an unsolved problem, so there is plenty of room for exploration. If you're out there, people will find you for employment.