Re: TCP/IP skills

From: M. D. (nekromancer@eudoramail.com)
Date: Sat Jul 08 2000 - 07:24:17 EDT


Don Parker wrote:
>Hello all, I just wanted to comment on what I see as a rather alarming trend in the
>security industry today. More and more many are becoming reliant upon tools to do their
>job whilst they ignore core components of their skillset. Specifically in this case an
>in-depth knowledge of TCP/IP.

{snip}

>I would be curious to hear of your opinions on this?

Hi Don et all,

Well... that's not a news flash for me, and it has also been my concern for some time (now I've relaxed a bit...)
In fact the fundamental lack of skills can be detected in most IT security knowledge areas, except for a few qualified individuals (and by 'qualified' I don't mean formal qualification, don't misunderstand me).
The problem, IMHO, can be dissected in 4 parts:

a) there are not enough people with the proper skills out there
b) a lot of people consider that they HAVE the proper skills simply by using the tools
c) management [mis]understand that they only need people who use tools to do the job
d) it's usually cheaper to hire an expert rather than hiring an EXPERT ;-)

Point (a) is a reality. Probably we don't see that in the lists (perhaps because they're oriented to gather people of the same bizarre inclinations together ;-) but I know that most of the people working in IT security can be amazed by reading basic IT security books.
(On the other hand, and as long as companies are not hiring the people with the skills for whatever reason, there'll be a handful of such people out there waiting to be hired, or so I hope!)

Point (b) is serious, but it's hard to make the people understand that their university degree in IT plus their M$ certification is not preparing them to face the real IT security world. I can't (strongly) blame them, they spent a hell of a lot of time and money in getting all this, and they DO think that's fine. We've to blame the university and the company providing the certification IF they said so.

Point (c) is a tricky one... 99.9% of the time they do their job only using tools. The company doesn't need EXPERTS or "investigators" 99.9% of the time.
Company X doesn't want anyone doing a pen-test, or deploying a large scale vulnerability assessment, or doing proactive password auditing (or even training!). Everything is running, so... what's the reason for "spending" money in such strange activities?
Reality shows its ugly face 0.1% of the time, when something serious happens. Then millions can be spent (depending upon availability) on solving that by hiring a third party, praying to the gods, whatever.
If WE (yes, WE) don't convince management that money used in IT security prevention and detection is money INVESTED, they'll continue believing that's money SPENT. We know the truth, money is spent when we've to work on remediation.

Point (d) should be fairly obvious, and you can always refer to my comment on point (c) above.

In the first sentence of this email I wrote that I've relaxed a bit, and the reason is that most of the companies out there are as messy as we are, so even when we can face some problems (everyone is exposed to that) we're not PARTICULARLY vulnerable. I still would like to enhance things, but I understand that's not soooo urgent (I don't have to run unplugging systems ;-)

Out of the bullet points above, I would like to mention something that's specific to me. Probably other people share the same feelings.
I like the technical side of things. I like to be in touch with the iron. I like to pen-test.
I strongly prefer the above rather than sitting in an office (where I know how vulnerable we are) writing reports to management.
I know that there will be people who like to do the reports.
I will fit OK if I've to sit in front of the console and start playing g4m3z (no, not pacman).
I will do my job if I've to do reporting... I know how to do that, I've the experience, but deep in my heart I'll be waiting for the time when everyone realizes that we've to do something...

Cheers,

--
Nekromancer
Have YOU ever tried Lepton's Crack?
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:57 EDT