Security Basics mailing list archives

RE: Pentester vs IT security analyst


From: "Brian Fritts" <bfritts () wcmc org>
Date: Wed, 20 Jun 2012 15:30:50 -0500

IT Security Analyst:

Overworked, underpaid, former network individual who was shoved into the
"Security is the next big thing" area. Individual is usually required to
protect Fort Knox with string, bubble gum, and an old paperclip from an
unseen army of "Evil Hackers" bent on world domination via your computer
network. 90% of the time, those "Evil Hackers" are internal users who
feel the need to stress test the network by plugging every virus-infected
USB flash drive that they find on the subway into their work
computer. User is expected by Administration to understand every nuance
of systems ranging from software that has only been used once by "that
one guy who went crazy and quit" to those of the 30-year-old computer
that has been sitting at the back of a closet, getting dripped on by a
leaky pipe, running the most critical software applications on a Windows
ME home brew server that hasn't been updated since the day it was
installed and has never even seen antivirus.

Penetration Tester:

Overworked, starving freelance hippie who thought he would be reliving
the movie "Hackers" only legally. Individual is expected by clientele to
be able to break into any system at any time, on command, without being
given any prior information, using top secret super programs that even
the FBI doesn't know exist, then be able to give a detailed step-by-step
documentation of how it was performed using only one button so that
the client can just do it themselves next time without having to hire
you again. Individual will then be criticized for anything that breaks
while he is performing the pen testing and be told "you should have
known it would break our super rare computer program that we didn't
even tell you we had". Even if they are simply sending a ping request to
server A and server B's power supply fails, you will be blamed and
expected to pay for the repairs to their $30,000 Windows ME machine that
was running their most critical software that was damaged so badly that
they will now have to purchase a new server.



Security Analysts dream of the freedom of Pen Testers
Pen Testers dream of the stability of Security Analysts







-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of haZard0us
Sent: Wednesday, June 20, 2012 1:57 PM
To: moranc () twp grand-blanc mi us
Cc: security-basics () securityfocus com
Subject: Re: Pentester vs IT security analyst

Q: IT Sec Analyst vs PenTester?

If I had to answer this without further research, it would be:

A: Defensive Security vs. Offensive Security.

--haZ

On Jun 20, 2012, at 5:06 PM, moranc () twp grand-blanc mi us wrote:

What is the difference between an IT security analyst and a
penetration tester? Some say they are similar and some say security
analysts do similar things, just more policy work. Thanks for your input
guys.





