As an outsider of the security industry, do people feel like the importance of security is actually going up, or are people becoming progressively less concerned, given how desensitized we've become to hacks and data leaks?
E.g. the Equifax hack was a pretty big deal, but nobody's that upset, everybody moved on real quick. Same with hundreds of other major hacks.
I would guess a lot of people think they could be better at security, but not better enough to matter. So why spend the money. The fact is all our systems are broken from a security point of view from the ground up, and there's no solution in sight. The internet was built to share data, not hide it.
It has a lot of attention right now and is attracting a lot of money. That’s good and bad... the investment is great but it’s attracting a lot of marginal talent with fancy credentials and not necessarily adding much. Reminds me of circa 1998 MCSEs.
Security is a tough field to begin with in that attracts a certain mindset. It’s especially bad in big orgs where security was mostly a policy and compliance org. Listening to would be cyber-warriors quack about OODA loops, challenge coins, and kill chains gets old fast. Particularly where the “kill chain” is interdicting field guys whose iPad didn’t update on time or execs who disabled AV.
Your point, well observed, is that there are very little repercussions. It is becoming important and more prominent (than say 10 years ago) due to constant media exposure and the constant breaches being seen, so there are a lot of roles being opened and functions are being built where there weren't any before. As a whole though, businesses will deprioritize security for increased business performance, which you can understand.
Regulations like GDPR coming along should have some bite to get people into action, but until that's actually observed there's not much going on.
There are still organizations that care a great deal about cybersecurity. I think it is going up, but at a very slow rate because very few people really know anything about it, and it is those people that care the most (or so they tell us.)
Unfilled job postings doesn't mean there's a shortage. There might be a shortage of experienced IT security experts willing to work for $40k in the most expensive cities of the world, but if there was an actual job shortage, degrees and certifications wouldn't be a requirement, they'd just take a risk hiring people willing to learn.
Talk with ops guys and have a security guy (that typically is on that team) assign you things to fix.
It’s a bull shit job, as far as software development goes. Sure, you’ll learn a bunch of hacks and ways to fix them and maybe pass cissp cert if you really don’t want to code anymore.
OSCP has a good reputation and should definitely get you a position combined with your engineering experience.
If you're in a big city, try to find a security meetup that runs CTFs or events for new folks. Doubly so you can talk and get a more definite direction.
Anything OSCP tests you on can be done yourself by virtualization on your own machine or home lab.
1. This is written and published by Cyber Security Ventures. Their bias should be obvious.
2. The 3.5 million is a global number. India is projected to have 1 million of them.
3. The article seems to also try to drum up demand for Managed Security Service Providers, a service Cyber Security Ventures provides.
4. Many currently open Cybersecurity jobs pay less then what a tech minded person can get selling clicks or SQL reports. There is a difference between an "open position" and a position that meets the labor market. Open positions that stay open most likely are valued below the market. I'm sure many goverment agencies have open Cybersecurity jobs.
5. It's 2018, are we really going to keep using the word cyber?
fwiw I was once browsing jobs wondering why one in particular had such strange hours and requirements until I realized that the search had also returned results for what amounted to security guards
Well, one role in this might be that a lot of cybersecurity jobs are complete bullshit, and or their certifications are.
I won a free certification course as an EC-Council Certified Security Analyst, and it's the biggest joke I've ever seen. It's such a massive fucking joke that I decided to not even renew my certification for free because it would just have been a waste of time.
Most of these "cybersecurity" jobs are download Metasploit and run autopwn, install garbage antivirus everywhere. Maybe layer some more bullshit on top like network intrusion detection and web application firewalls. If you get still get owned talk some bullshit about how advanced the attack was and that there was nothing you could have done.
The other option is to go and write exploits and sell these to government agencies.
I don't really want to do either of those, so I'll stay far away from this field, even as an infosec enthusiast.
I'm sure theres also some real infosec jobs, but i'd say they're pretty rare.
Couldn’t agree more. Sure, it’s great to know about a lot of these hacks and ways to prevent them (and be on top of patching) - but unfortunately most of these full time sec jobs are just bull shit, made up for compliance purposes.
IT has a shortage of metasploit/burpscanner/nexpose/nessus jockeys and XYZ security appliance administrators at low salaries. The positions you're talking about are an incredibly difficult sell to companies. Top 10 companies have a few positions on hire at decent wages doing unique work but that's it. Some companies cyber defense strategy just involves buying a bunch of insurance.
Plenty of pen testing mega-mart consultancy jobs making 60-90K a year working 70 hours a week in Boston and other ungodly expensive cities though. Guessing all this news about the "shortage" in cyber is just more propaganda to further open up the H1B floodgates and drive salaries down.
If refineries shut down and the price of gas goes to $10/gallon is that not a "real shortage" because there is still a market clearing price and I can still buy gas? I disagree.
I think the fact that software engineers get offered $120k+ out of school to fiddle with js frameworks indicates a real shortage personally.
>>> I think the fact that software engineers get offered $120k+ out of school to fiddle with js frameworks indicates a real shortage personally.
Software engineers from a top school, who passed the most hardcore interviews in the most selective firms in the world, to live in the most expensive city on the planet where a single bedroom flat is $4k a month.
I don't think so. There really are not 3 million jobs in cybersecurity.
There is not much demand for people who can run a scanner or set up a firewall. Not to mention that a setup is a single day of work, it's not even close to a full time job.
Maybe they are counting every guy who ever plugged a broadband modem as a security specialist.
Buying insurance might be the most cost effective strategy. If insurance of $2MM would cover your liability, why incur 3MM expenditures and still only be reasonably secure?
Cyber security insurance has liability caps, relatively low for the premiums. Standard boilerplate demands to hold such insurance in the US is around $1M liability coverage for small shops, usually gets quoted around $50K annual premiums. If you can even get underwritten at all. I have been able to negotiate those clauses away so far.
Everyone is already trying to pass the buck (quite literally) on information security risk via insurance, and the insurance industry is pushing back. One possibility that might develop out of the standoff is customers pushing the liability onto Cloud vendors and washing their hands of the concern.
What no one outside of information security wants to admit much less promulgate is development and IT teams must grow larger, or security continues as an expensive as hell fat tail risk. The cheap hedge is hiring additional staff; businesses have grown so accustomed to living outside the fat tail that the accumulated technical debt presents the illusion that status quo is normal. The new normal is ever-more expensive attacks.
I wish POSIX would offer a standard way to elide certain parts of a the command string that shows up in a process list. There are piles of legacy programs that won’t get retrofitted to use a file to read a password anytime soon. There are sins aplenty in our fields when it comes to security.
>>> One possibility that might develop out of the standoff is customers pushing the liability onto Cloud vendors and washing their hands of the concern.
That would be good, the cloud is a lot more secure than everything self hosted or self developed.
If you're doing heavy R&D and you keep things on isolated networks, might not your R&D be at least similarly secure on-premises, if you follow secure practices?
How much visibility do you have into your cloud provider's security? For email, sure go with a known cloud provider. Some SaaS services on the back-end can be less than ideally secure.
Security is easier in the cloud. It comes with good access management, audit trails, inventory of active resources and it enforces a lot of good practices.
All companies who don't have cloud tools have to re invent everything, it's hard and a lot of effort so the result is always terrible. Poor UI, poor security, full of bugs, pick any three.
AWS is better for isolated networks, it can manage strict network access rules way beyond anything iptables can achieve. In fact, cloud is the only way to have well isolated networks, unless we're talking about a computer unplugged from any network.
There are many stories of AWS users setting their access rules improperly because they weren't given sufficient time or resources to understand how to use them, in some cases leaving S3 containers for example wide open. It isn't just the technology, it's the incentives, people and processes as well.
It’s team- and manager-dependent. I’ve seen good and bad security in cloud and on-prem. The key is management recognizes and budgets for the fat tail risk, just like the fat tail risk of financial fraud is treated by the finance teams. Much of the response is proforma, and only intended to secure from drive-by opportunistic raids, and insider attacks are still difficult to defend against, for example, so no silver bullets in this story.
> Most of these "cybersecurity" jobs are download Metasploit and run autopwn
This is, unfortunately, selling the security industry short. In reality, and especially in cities like DC, the security industry is pretty competitive and the barrier to entry for even entry-level jobs is pretty high. Companies are looking for not just metasploit experience, but a more-than-surface-level understanding of things like networking, OS internals, programming, systems administration, critical thinking, and more. Then on top of that, one needs to be able to look at everything with "vulnerabilities" and "exploitation" in mind. It's not easy. Quite frankly, there is a lot of information that one needs to know, and know well, to be competitive in this field.
With that said, I 100% agree that the certifications are complete bullshit (including SANS). And sure, there are certainly fields that are definitely bullshit-y and mostly for compliance purposes (cough pentesting cough). But there is merit in the security field and it's not all bullshit.
I have NEVER heard a useful description by a cybersecurity analyst (i.e. detecting intrusions and exfiltration) on how they do their work, despite being in a position where they should have been able to do so. Usually I just get shrugged shoulders.
Apologies for being unclear, to elaborate ... IMHO cyber-security analysts could do much better in defining how they do their job in order to give people that are interested a path forward in developing the needed skills. To be clear, I'm not talking about the larger cyber-security profession that is mostly focused on setting and enforcing rules.
I have no trouble conjuring a job description for a "cybersecurity analyst"; I assume their job consists of:
1. Staffing an event management system (probably something with a pretty console that is 1/5th as powerful as an ELK deployment but that costs 10x as much because Security) and investigating alerts.
2. Kicking off routine scanning processes and reviewing the results generated by them.
3. Responding to requests to let this application or that host through some perimeter firewall.
> I won a free certification course as an EC-Council Certified Security Analyst, and it's the biggest joke I've ever seen. It's such a massive fucking joke that I decided to not even renew my certification for free because it would just have been a waste of time.
I've been in the field for a couple of years. I work for a global corporation with 10k+ employees and most of our team members in the security department are judge on their skills and various other factors and we filter potential candidates with a small CTF. Certs have very little importance for us, but we're the exception. Most big compagnies require certifications and oddly they are the ones getting hacked.
In the field, we all know that EC-Council certs are bullshit. They are, at best, the laughing stock in infosec because their "Ethical Hacker" certification is a multiple choice answer and requires little technical knowledge and no hands-on.
However, there are a few certs out there that need a lot of work and technical knowledge to be learn for passing it, such as OSCP. It might be easy to get for someone with 10+ years but for relatively new comers, it's a really good challenge to tackle. I started with their lab, thinking it was going to be a piece of cake for me but it's more difficult than I expected, which is a good thing.
But I see your point and I mostly agree.
Care to explain why you think intrusion detection is bullshit?
>Care to explain why you think intrusion detection is bullshit?
If they're signature based they're not better than antivirus. I have zero faith in signature based systems.
For the stuff that uses machine learning, I have to admit, I have no idea how that stuff performs. But in general I wouldn't trust a machine learning model to not be fooled.
Edit: Add to that HTTPS, I don't buy any claim that they can spot malware traffic from malware that isn't dumb, and I don't think MITMing all traffic is an acceptable solution.
Anomaly detection doesn't do much better than signature systems do. It finds real stuff, but it "finds" so much garbage that the signal is swamped by it.
I don't know about network detection systems but antivirus heuristics used to be terrific.
You can assign 100 students to develop a trojan for a week. At the end of the week, more than 90% of the software are detected as generic trojan by the antivirus.
> You can assign 100 students to develop a trojan for a week. At the end of the week, more than 90% of the software are detected as generic trojan by the antivirus.
Probably because 90 of these 100 students have no idea how AV heuristics work and what the trivial tricks are to completely stomp them.
I don't have to underestimate AV's because I know how they work, and tested myself how easy it is to bypass them. You either don't or you're employed by one and shilling here.
I've worked with global retail banks, investment banks, nationwide insurance firms, stock exchanges, power grid operators, biglaw firms, payroll and benefits providers, and a giant global pharma. Not one of them demanded that I or anyone I worked with possess a certification of any sort. I'm confident there are firms that want to see a CISSP --- I'm guessing they're mostly mid-range regional firms --- but it's not a bigco thing.
Worked with a security solution, spammed company’s distribution list specifically for this work with alerts. I ended up analyzed everything and found not just false positives but also wrong analysis from their analysts... this is to say the intention to selling security solution out could be good and genuine, but the values in return can be nothing. So why companies pay? 99% is “let the experts deal with the problem, if shit happens, we know who to blame, we have done our due diligence so one more thing to check off on auditor’s radar.”
Ironically, going to https://www.cybersecurityventures.com in Firefox throws an SSL certificate error: SSL_ERROR_BAD_CERT_DOMAIN. This does not fill me with confidence regarding this company's security prowess.
I'm just making more of a general comment re. the website/company, not the specific post this HN thread covers. Granted, it's a minor detail, and most people probably won't hit the www version of the site, but for whatever reason it's the version of their site that my search engine surfaced, so FWIW I just found it ironic.
65 comments
[ 3.3 ms ] story [ 138 ms ] threadE.g. the Equifax hack was a pretty big deal, but nobody's that upset, everybody moved on real quick. Same with hundreds of other major hacks.
Security is a tough field to begin with in that attracts a certain mindset. It’s especially bad in big orgs where security was mostly a policy and compliance org. Listening to would be cyber-warriors quack about OODA loops, challenge coins, and kill chains gets old fast. Particularly where the “kill chain” is interdicting field guys whose iPad didn’t update on time or execs who disabled AV.
Regulations like GDPR coming along should have some bite to get people into action, but until that's actually observed there's not much going on.
It’s a bull shit job, as far as software development goes. Sure, you’ll learn a bunch of hacks and ways to fix them and maybe pass cissp cert if you really don’t want to code anymore.
If you're in a big city, try to find a security meetup that runs CTFs or events for new folks. Doubly so you can talk and get a more definite direction.
Anything OSCP tests you on can be done yourself by virtualization on your own machine or home lab.
2. The 3.5 million is a global number. India is projected to have 1 million of them.
3. The article seems to also try to drum up demand for Managed Security Service Providers, a service Cyber Security Ventures provides.
4. Many currently open Cybersecurity jobs pay less then what a tech minded person can get selling clicks or SQL reports. There is a difference between an "open position" and a position that meets the labor market. Open positions that stay open most likely are valued below the market. I'm sure many goverment agencies have open Cybersecurity jobs.
5. It's 2018, are we really going to keep using the word cyber?
I won a free certification course as an EC-Council Certified Security Analyst, and it's the biggest joke I've ever seen. It's such a massive fucking joke that I decided to not even renew my certification for free because it would just have been a waste of time.
Most of these "cybersecurity" jobs are download Metasploit and run autopwn, install garbage antivirus everywhere. Maybe layer some more bullshit on top like network intrusion detection and web application firewalls. If you get still get owned talk some bullshit about how advanced the attack was and that there was nothing you could have done.
The other option is to go and write exploits and sell these to government agencies.
I don't really want to do either of those, so I'll stay far away from this field, even as an infosec enthusiast.
I'm sure theres also some real infosec jobs, but i'd say they're pretty rare.
Plenty of pen testing mega-mart consultancy jobs making 60-90K a year working 70 hours a week in Boston and other ungodly expensive cities though. Guessing all this news about the "shortage" in cyber is just more propaganda to further open up the H1B floodgates and drive salaries down.
I think the fact that software engineers get offered $120k+ out of school to fiddle with js frameworks indicates a real shortage personally.
Software engineers from a top school, who passed the most hardcore interviews in the most selective firms in the world, to live in the most expensive city on the planet where a single bedroom flat is $4k a month.
There is not much demand for people who can run a scanner or set up a firewall. Not to mention that a setup is a single day of work, it's not even close to a full time job.
Maybe they are counting every guy who ever plugged a broadband modem as a security specialist.
Everyone is already trying to pass the buck (quite literally) on information security risk via insurance, and the insurance industry is pushing back. One possibility that might develop out of the standoff is customers pushing the liability onto Cloud vendors and washing their hands of the concern.
What no one outside of information security wants to admit much less promulgate is development and IT teams must grow larger, or security continues as an expensive as hell fat tail risk. The cheap hedge is hiring additional staff; businesses have grown so accustomed to living outside the fat tail that the accumulated technical debt presents the illusion that status quo is normal. The new normal is ever-more expensive attacks.
I wish POSIX would offer a standard way to elide certain parts of a the command string that shows up in a process list. There are piles of legacy programs that won’t get retrofitted to use a file to read a password anytime soon. There are sins aplenty in our fields when it comes to security.
That would be good, the cloud is a lot more secure than everything self hosted or self developed.
If you're doing heavy R&D and you keep things on isolated networks, might not your R&D be at least similarly secure on-premises, if you follow secure practices?
How much visibility do you have into your cloud provider's security? For email, sure go with a known cloud provider. Some SaaS services on the back-end can be less than ideally secure.
All companies who don't have cloud tools have to re invent everything, it's hard and a lot of effort so the result is always terrible. Poor UI, poor security, full of bugs, pick any three.
AWS is better for isolated networks, it can manage strict network access rules way beyond anything iptables can achieve. In fact, cloud is the only way to have well isolated networks, unless we're talking about a computer unplugged from any network.
This is, unfortunately, selling the security industry short. In reality, and especially in cities like DC, the security industry is pretty competitive and the barrier to entry for even entry-level jobs is pretty high. Companies are looking for not just metasploit experience, but a more-than-surface-level understanding of things like networking, OS internals, programming, systems administration, critical thinking, and more. Then on top of that, one needs to be able to look at everything with "vulnerabilities" and "exploitation" in mind. It's not easy. Quite frankly, there is a lot of information that one needs to know, and know well, to be competitive in this field.
With that said, I 100% agree that the certifications are complete bullshit (including SANS). And sure, there are certainly fields that are definitely bullshit-y and mostly for compliance purposes (cough pentesting cough). But there is merit in the security field and it's not all bullshit.
Can you please elaborate?
1. Staffing an event management system (probably something with a pretty console that is 1/5th as powerful as an ELK deployment but that costs 10x as much because Security) and investigating alerts.
2. Kicking off routine scanning processes and reviewing the results generated by them.
3. Responding to requests to let this application or that host through some perimeter firewall.
I've been in the field for a couple of years. I work for a global corporation with 10k+ employees and most of our team members in the security department are judge on their skills and various other factors and we filter potential candidates with a small CTF. Certs have very little importance for us, but we're the exception. Most big compagnies require certifications and oddly they are the ones getting hacked.
In the field, we all know that EC-Council certs are bullshit. They are, at best, the laughing stock in infosec because their "Ethical Hacker" certification is a multiple choice answer and requires little technical knowledge and no hands-on.
However, there are a few certs out there that need a lot of work and technical knowledge to be learn for passing it, such as OSCP. It might be easy to get for someone with 10+ years but for relatively new comers, it's a really good challenge to tackle. I started with their lab, thinking it was going to be a piece of cake for me but it's more difficult than I expected, which is a good thing.
But I see your point and I mostly agree.
Care to explain why you think intrusion detection is bullshit?
If they're signature based they're not better than antivirus. I have zero faith in signature based systems.
For the stuff that uses machine learning, I have to admit, I have no idea how that stuff performs. But in general I wouldn't trust a machine learning model to not be fooled.
Edit: Add to that HTTPS, I don't buy any claim that they can spot malware traffic from malware that isn't dumb, and I don't think MITMing all traffic is an acceptable solution.
You can assign 100 students to develop a trojan for a week. At the end of the week, more than 90% of the software are detected as generic trojan by the antivirus.
Probably because 90 of these 100 students have no idea how AV heuristics work and what the trivial tricks are to completely stomp them.
Don't underestimate the students and don't underestimate the AV. The world is full of surprises.
That's ok.
You're in good company with the vendors who sell ML cybersecurity appliances.
I second the IDS and WAF bullshit argument.
See http://cs.unc.edu/~fabian/course_papers/PtacekNewsham98.pdf. IDS is considered a speed bump by sophisticated attackers. Which is where you want to focus your energy.
Peace.