Any IT Security professionals out there?

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Security is one of the hottest fields in IT at the moment, with only growth predicted in the future... Surely there's others out there who practice security if not have it in their job title... So, I'm calling you all out. Let's make this forum something before it disappears into nothingness!
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
I'm supposed to be a programmer, but since we're a small company and I know a bit about it, I handle much of the security stuff too. Most of our servers were around before I started working there and many of them were set up with little regard for security. We recently had one totally rooted by an Indonesian 'hacker' called solpot (quite a well known guy it seems) and it was being used to DoS another server - we had to take the whole thing down and start again from scratch.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
I am a security consultant/support engineer, but obviously I focus on Microsoft solutions (MS PKI, AD, etc).

Most of the topics in this forum seem to deal with cleaning up malware from personal machines. That's fine, but that's not the sort of thing I deal with professionally, so that's the main reason why I haven't been active much in this new forum.
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
Originally posted by: stash
Most of the topics in this forum seem to deal with cleaning up malware from personal machines. That's fine, but that's not the sort of thing I deal with professionally, so that's the main reason why I haven't been active much in this new forum.

Totally...

If there were threads on forensics, secure coding practices, pentesting, virus writing, etc, I'd be all over it.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
This is the direction that I want to go in eventually. I'd like to hear from any out there as well. Gotta be awesome to be paid to look at IDS logs all day! (j/k).
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Sometimes.

Pretty much the same here, at my last job anyway. I was technically part of the security team but spent most of my time working with the Linux guys or playing Blast Billiards. I did have a morning routine of looking at some logs and crap but that only took ~20 minutes usually and most of the time any anomalies were just internal misconfigurations.

Most of the topics in this forum seem to deal with cleaning up malware from personal machines. That's fine, but that's not the sort of thing I deal with professionally, so that's the main reason why I haven't been active much in this new forum.

Seconded. I was even a little disappointed when I saw that the only 2(?) real security threads created after the new forums were set up were posted in the OS section and not here.

Gotta be awesome to be paid to look at IDS logs all day!

If you have it set up right you just get an email when something out of the ordinary happens. But the hassle of trying to actually get security policies agreed upon and ratified by upper management isn't worth it IMO.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Excellent! I was hoping this forum would not de-evolve into patch bulletins and spyware. There's so very few actual security professionals where I am because there really aren't a whole lot of large companies. So when this forum appeared out of nowhere, I was hoping we could build at least a small community.

I would love to pick the brain of an IT Security Pro!

Start up some threads, let's get some discussion going!

Oakenfold, what are your other certification plans? I've basically just begun my security career (~1 year in security, ~2-3 years other IT), so I've been looking for some studying partners. I just bought a MS 70-299 book to see what this exam is like, not sure if I'm going to take the test though.

Gotta be awesome to be paid to look at IDS logs all day!

Come here and do mine for me. You can review logs AND be in Hawaii. OMG heaven!

 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: Atheus
I'm supposed to be a programmer, but since we're a small company and I know a bit about it, I handle much of the security stuff too.

This is a big problem over here. There are numerous (but successful) small companies that don't have the money for dedicated security personnel. I think the largest non-government employer in the state has less than 4000 workers. Small potatoes.

Audit and compliance requirements keep increasing, and only the largest companies are able to fund all of the controls that are necessary.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Nothinman
Gotta be awesome to be paid to look at IDS logs all day!

If you have it set up right you just get an email when something out of the ordinary happens. But the hassle of trying to actually get security policies agreed upon and ratified by upper management isn't worth it IMO.

Gotcha, wouldn't you need to occasionally review the logs to validate the settings? I have zero hands on experience so keep that in mind.
Can you be more specific on the security policies that upper management do not necessarily have a desire to readily implement?




 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Zugzwang152
Excellent! I was hoping this forum would not de-evolve into patch bulletins and spyware. There's so very few actual security professionals where I am because there really aren't a whole lot of large companies. So when this forum appeared out of nowhere, I was hoping we could build at least a small community.

I would love to pick the brain of an IT Security Pro!

Start up some threads, let's get some discussion going!

Oakenfold, what are your other certification plans? I've basically just begun my security career (~1 year in security, ~2-3 years other IT), so I've been looking for some studying partners. I just bought a MS 70-299 book to see what this exam is like, not sure if I'm going to take the test though.

Gotta be awesome to be paid to look at IDS logs all day!

Come here and do mine for me. You can review logs AND be in Hawaii. OMG heaven!

Hawaii eh, that would be a very easy sell to the wife! That MS program sounds pretty intense, do you have experience as a Sys Admin/Sys Engineer?


My certification plans are currently limited to the Certified Internal Auditor (CIA).
Just got my results back today for parts 3 and 4, looks like I'm retaking it in November, missed both by less than 60 points out of 600 of 750 needed to pass.

I'm an internal auditor by profession however I get to see quite a bit of the organization. We're actually doing our IS Controls audit right now. I currently have a 4 year degree in management but looking to go back to school for a data forensics certification when I obtain my CIA.

I should be able to study for the Certified Information Systems Auditor while doing the data forensics coursework, in addition the data forensics course prepares you to sit for the CISSP. By the time I complete these goals I should have another 3 years in audit for a total of 5 years experience as an internal auditor.

Data Forensics course load
Let me know your thoughts on this. I've taken parts 1 and 2 of the CCNA track, got the promotion to audit so I was not able to finish 3 and 4 and enter the network/data security track at the same college. I've still got my routers from CCNA so I can always go back to studying that if I choose to.

I think this will get me in the direction for a Security Analyst gig.

 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
I'd be hesitant to call myself a "Security Professional". My only related IT cert is the Windows MCSE:Security title, which is peanuts compared to some of the "real" Security folks I've run across.

But I do what I can to improve my knowledge of Security and I would like to get some formal certifications at some point. I'll do my best to hang around here and participate in any discussions.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: Zugzwang152
I just bought a MS 70-299 book to see what this exam is like, not sure if I'm going to take the test though.
70-299 was actually the first Microsoft certification exam I ever took. It was a lark, since Microsoft had given me a free four-day Security course, a free 70-299 textbook, and a free 70-299 exam voucher. I figured, "Why waste the opportunity?"

That free class basically launched my formal (for money) IT career. I'd been implementing PCs at work for 20+ years, but always as a sideshow to my main (engineering) jobs.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: Oakenfold
Originally posted by: Nothinman
Gotta be awesome to be paid to look at IDS logs all day!

If you have it set up right you just get an email when something out of the ordinary happens. But the hassle of trying to actually get security policies agreed upon and ratified by upper management isn't worth it IMO.

Gotcha, wouldn't you need to occasionally review the logs to validate the settings? I have zero hands on experience so keep that in mind.
Can you be more specific on the security policies that upper management do not necessarily have a desire to readily implement?

It's not that they don't have a desire to implement them. Executive management is responsible for weighing the impact on the entire business. So even minor problems can cause major headaches in the future. Keeping in mind that once approved, the security policy is THE source of authority. There's a huge difference, for instance, when you say something "should" happen versus something "must" happen. The difficulty is in convincing executives of things you need to have as a "must," therefore leaving no wiggle room in the future.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
That MS program sounds pretty intense, do you have experience as a Sys Admin/Sys Engineer?

No formal experience or training as a system admin, but I can get around in a Windows environment when necessary. They really recommend against taking 70-299 as your first exam, but I'm really disinterested in learning the finer details of administration and deployment.

I should be able to study for the Certified Information Systems Auditor while doing the data forensics coursework, in addition the data forensics course prepares you to sit for the CISSP. By the time I complete these goals I should have another 3 years in audit for a total of 5 years experience as an internal auditor.

I'm interested in the CISA designation as well. I completed a SANS training course a couple months ago, and got the GSEC certification along the way. I'm looking at the 70-299 as a cheap way to get the MCP acronym on my resume (just for show). After that, I haven't decided. I may do an online Masters in Infosec, study for and pass the CISSP exam early before I get the work experience, or look into CISA. I have 2 more years until I meet the work experience for CISSP (I have a bachelor's degree and the GSEC cert qualifies for an additional year knocked off).

Let me know your thoughts on this. I've taken parts 1 and 2 of the CCNA track, got the promotion to audit so I was not able to finish 3 and 4 and enter the network/data security track at the same college. I've still got my routers from CCNA so I can always go back to studying that if I choose to.

I don't necessarily think that the certificate itself will mean much, but I found it was very important to be able to speak the lingo while in my interviews. For instance, when they talk about CIA, don't think about spies

Have a solid networking foundation, which CCNA will more than help with. Those classes look like they may give you a nice foundation of knowledge to get an entry-level job. Having experience as an auditor, especially information systems auditing, will help a lot I think too.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: RebateMonger
Originally posted by: Zugzwang152
I just bought a MS 70-299 book to see what this exam is like, not sure if I'm going to take the test though.
70-299 was actually the first Microsoft certification exam I ever took. It was a lark, since Microsoft had given me a free four-day Security course, a free 70-299 textbook, and a free 70-299 exam voucher. I figured, "Why waste the opportunity?"

That free class basically launched my formal (for money) IT career. I'd been implementing PCs at work for 20+ years, but always as a sideshow to my main (engineering) jobs.

Did you take the easy mode test or the new adaptive test? How hard was it? Were you in the IT field prior to obtaining MCSE? MCSE/MCSA are actually no joke these days. The adaptive tests put the fear of god into many a test taker. I've heard that if you get the first three questions of an adaptive test wrong, you've basically failed already.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Zugzwang152
It's not that they don't have a desire to implement them. Executive management is responsible for weighing the impact on the entire business. So even minor problems can cause major headaches in the future. Keeping in mind that once approved, the security policy is THE source of authority. There's a huge difference, for instance, when you say something "should" happen versus something "must" happen. The difficulty is in convincing executives of things you need to have as a "must," therefore leaving no wiggle room in the future.

Now that I do understand and agree with. :thumbsup:
That's basically what auditors' roles are within an organization, we sell recommendations to management, some things we agree on and some we don't. It's all about risk (likelihood, impact), and of course what's the cost/implication of the control implementation.

Originally posted by: Zugzwang152
That MS program sounds pretty intense, do you have experience as a Sys Admin/Sys Engineer?

I'm interested in the CISA designation as well. I completed a SANS training course a couple months ago, and got the GSEC certification along the way. I'm looking at the 70-299 as a cheap way to get the MCP acronym on my resume (just for show). After that, I haven't decided. I may do an online Masters in Infosec, study for and pass the CISSP exam early before I get the work experience, or look into CISA. I have 2 more years until I meet the work experience for CISSP (I have a bachelor's degree and the GSEC cert qualifies for an additional year knocked off).


I don't necessarily think that the certificate itself will mean much, but I found it was very important to be able to speak the lingo while in my interviews. For instance, when they talk about CIA, don't think about spies

Have a solid networking foundation, which CCNA will more than help with. Those classes look like they may give you a nice foundation of knowledge to get an entry-level job. Having experience as an auditor, especially information systems auditing, will help a lot I think too.

Glad to hear that there are others that have heard of the CISA, how would you rate the SANS training that you attended? I'm on their email distribution and have looked at some of their course material, our Information Systems Security Officer (ISSO) attended training through SANS as well and had a positive experience. If you want to get the MCP I agree that would be a more applicable way to get the cert than to pass an exam on the intricacies of domain admin.

Agreed I can see no good coming out of asking an auditor who obtained a CIA designation how the last mission went.

At some point I'll goof around with CCNA again, as it only helps with hands on experience which I will be lacking. Thanks for the feedback, sounds like I should be good to go.

I am not really concerned with having the data forensics cert (the CISSP is what I'm concerned with hehheh), the coursework is what I'm after as it is a great selection that will help with information systems auditing and incident management, in addition just gaining the risk/control awareness and applying it to other areas in the organization will be excellent!



Originally posted by: RebateMonger
I'd be hesitant to call myself a "Security Professional". My only related IT cert is the Windows MCSE:Security title, which is peanuts compared to some of the "real" Security folks I've run across.

But I do what I can to improve my knowledge of Security and I would like to get some formal certifications at some point. I'll do my best to hang around here and participate in any discussions.

While you may not have any certs I believe you are being a little modest. You are very well versed in the network forum (I'd love to have your hands on knowledge) and have a risk awareness level that IT personnel need.
What I'm saying is don't let that stop you from sharing your experiences.
 

Reel

Diamond Member
Jul 14, 2001
4,484
0
76
Out of school, I took a position as a "security consultant" for a big 4 accounting firm's consulting branch. In that position, a lot of the work was audit support such as providing advanced security knowledge in the course of an audit.

Some of the more interesting projects I worked on (without breaking confidentiality but providing hints where necessary):
A major background check company had a breach of security revealing sensitive information of many many people. The FTC ordered them to implement better controls and then provide proof that these controls were in place after a certain amount of time. I was part of the team verifying the controls and specifically reviewed their Unix environment and networking environment controls.
A major soft drink company releases somewhere around 100 web sites a year internationally. We had an exclusive contract reviewing their web sites prior to release or subsequent to external penetration. I personally reviewed their most major sites such as their corporate site and primary marketing sites.
I performed numerous penetration testing projects on various financial institutions, healthcare institutions, and major software companies.
I performed software application review for a teller application for a major banking backend company.
I performed a wireless security review for a top tier university using a pretty cool Aruba wireless system.

Now that I think back, I did a lot of cool projects while employed there but I was not a fan of the big 4 squeeze every drop out of you mentality nor was I a fan of the same consultant mentality. I have moved on to a software engineering position for a major government communications company. I am currently working on the next generation mobile ad-hoc wireless networking for the military. My prior (and still slightly ongoing) project was a communications-related improvement to Air Force One so as with anything that could carry the President's voice, security is a major concern.

I have been very interested in security through school and took all the courses I could that were relevant to security while I was in grad school. I have passed the CISSP exam but probably won't pursue any other certifications unless my employer offers to pay for them.


@Zug: I had made a thread with a similar goal in mind when this forum came about. Unfortunately, it was a few replies but threads in this forum seem to vanish rather quickly especially with the plethora of AV/FW type threads.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0

That's quite the resume, Reel! :Q

@Zug: I had made a thread with a similar goal in mind when this forum came about. Unfortunately, it was a few replies but threads in this forum seem to vanish rather quickly especially with the plethora of AV/FW type threads.

Doh, sorry to hear that. I must have missed it before...


 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
how would you rate the SANS training that you attended?

SANS training is awesome... many people I've talked to have said that SANS provides the most up to date and relevant security training in the world. Their courses and certifications are quite expensive though, so definitely get your company to pay for it. They even offer a CISSP exam prep course.

As for other training, I like to use DoD 8570 as a reference. Government jobs are probably the most desired infosec jobs, both in experience and pay level. My GSEC qualifies as IAT Level II, but the CISSP qualifies as level III for both the technical and management tracks.

edit: the table is on page 64 of the link.
 

Red Squirrel

No Lifer
May 24, 2003
67,904
12,374
126
www.anyf.ca
I don't consider myself a security expert nor does my job involve it directly, but it's a field I'm interested in, and now that I'm no longer wasting time in college but working full time, I'm sure I'll learn a lot about it on the job.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: Zugzwang152
Did you take the easy mode test or the new adaptive test? How hard was it? Were you in the IT field prior to obtaining MCSE? MCSE/MCSA are actually no joke these days. The adaptive tests put the fear of god into many a test taker. I've heard that if you get the first three questions of an adaptive test wrong, you've basically failed already.
I've taken maybe 13 or 14 Microsoft IT Pro tests and I've never seen an Adaptive test. I've seen the "Virtualizations" once or twice (and I did the Beta of the Virtualizations for the new version of 70-294).

According to my searches, most folks find 70-299 to be one of the "tougher" Server 2003 exams. I know I put a LOT of work into my preparation. But, no, I wasn't "really" in the IT field before I took my first MCSE exam. The toughest exam, for me, was the ISA 2004 exam. On top of taking the Beta version, let's just say that I had to take that exam more than one time to pass it. It would have helped if I'd had significant hands-on experience with ISA, which I did not at the time.

I consider MS' Server 2003-series of exams to be far from a joke. And that's not because I happen to hold those certifications. I hold BS/MS (Engineering) and MBA degrees, all from decent schools, so I think I have some reference point for what's "hard". I had to study as hard for the Microsoft exams as I had to for my Engineering courses. They DO get easier after the first few, and I'm sure more hands-on experience would have helped me a lot, too.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Reel
Out of school, I took a position as a "security consultant" for a big 4 accounting firm's consulting branch. In that position, a lot of the work was audit support such as providing advanced security knowledge in the course of an audit.
Nice experience that you have Reel.
From your experience did you work more with the Internal Audit function (co-sourcing) or more of a consultation/direct assurance provider hired by management to work on projects or did you just work specifically with the auditors from your firm and let the auditors deal directly with the client?

Since you were big4 I'm guessing your skymiles maxed out?

 

Reel

Diamond Member
Jul 14, 2001
4,484
0
76
Originally posted by: Oakenfold
Originally posted by: Reel
Out of school, I took a position as a "security consultant" for a big 4 accounting firm's consulting branch. In that position, a lot of the work was audit support such as providing advanced security knowledge in the course of an audit.
Nice experience that you have Reel.
From your experience did you work more with the Internal Audit function (co-sourcing) or more of a consultation/direct assurance provider hired by management to work on projects or did you just work specifically with the auditors from your firm and let the auditors deal directly with the client?

Since you were big4 I'm guessing your skymiles maxed out?

Our company had various groups distinct from the Tax and Audit practices under the heading of Advisory. Occasionally, we would work with the external audit folks in some capacity. One of my projects was hand in hand with their technical controls people (first one I listed). Occasionally, they would simply email questions and I would provide technical details.

Typically though, much of our work was a result of the internal audit group or healthcare group bringing us in to perform the work for them. Personally, my projects were rarely direct consulting projects however I know they did exist and some of my coworkers did them. Our sellers typically found it easier to come in by getting it paid under the internal audit budget which sadly tends to have more money than IT/security.

I actually don't have that many miles and that was a motivating factor in moving on. I have a sensitive body and travel wreaked havoc on my body. I'd spend the first night unable to sleep in the strange bed and I'd spend the week sick to my stomach from eating out all the time. If I hadn't left, I would be working on a CISP project for a major cable company which would have been travel nearly 3 months straight (minus weekends of course).
 