PaulDotCom mailing list archives
Re: Yet another request for career advice.
From: Michael Dickey <lonervamp () gmail com>
Date: Wed, 12 Sep 2012 17:59:59 -0500
Sort of what Josh is talking about: be sure you can talk the talk and get people to know you can talk the talk. Let people know you have an interest and background in security, and always provide your positive (or requested negative) input into discussions that involve security topics. Many persons really do appreciate the knowledge sharing. Basically, make sure everyone already buys into you as the security dood. Share security news with the team/manager, give advice, etc. Get plenty of experience and confidence talking the talk so you can sound good in the elevator with someone who influences your boss' budget when the opportunity presents!

And be extra cautious. For a shop that doesn't sound like they scan or poke at their own systems very hard, nothing will destroy your cred quicker than impacting availability of business systems. (Ok, for that matter, it would probably destroy your job quick as well!)

Lastly, look for any chance you can to pair up security and value, whether it be easier compliance auditing, better change management, a misconfiguration/oversight that has been sitting just waiting to explode, meeting SLAs or B2B questionnaires more accurately, etc.

On Wed, Sep 12, 2012 at 2:41 PM, Josh More <jmore () starmind org> wrote:

No time to go into depth here, so here's a scattershot:

Start with discussions, not technology. Do attack vector mapping and scan by attack vector in order of priority. Do not scan the next attack vector until you have created a mitigation plan that everyone agrees with. Once you have that, split your time 80/20 between resolving issues and finding new ones. The surest way to fail is to drown people in data while providing no practical advice.

Practice your report writing skills. Contrary to what you were (likely) taught in school, longer is not better. If you can't explain an issue, possible solutions and your recommended mitigation in a single page, it needs to be shorter. Read children's board books for inspiration. (Seriously. Do this now. I am not kidding.)

Be prepared to prove your findings. Practice on VMs and test systems so your proof doesn't break production.

Try to find mitigations that shortcut other people's jobs. That's a great way to get buy-in.

(Meeting starting, have to end here. Good luck.)

-Josh More

On Wed, Sep 12, 2012 at 12:41 PM, A D <hackermuscle () gmail com> wrote:

Hi all. I recently started working for a new company (beginning of the year) as part of the networked systems team. We currently manage 300 or so systems provisioned at a handful of datacenters around the world. 97% of the systems are running Linux. We have no official security team, just good common sense and a need to steer clear of becoming compromised. My last few jobs I have always been the security administrator (perimeter security services), so I have some experience and built-in paranoia about what goes on behind the scenes. This appears to me to be a perfect opportunity to really jump into a security role by taking the lead in providing vulnerability scans and penetration testing for the company. I have had exposure to the typical scanning tools pre-installed with the Backtrack distro and some others, although my Metasploit skills suck at the moment.

With the hope of providing some quick results and to get my employer interested in my abilities I am going to jump right in and start doing whitebox testing using NMAP and Nessus. What suggestions do you guys have to allow me to step up to the challenge? This is what I want to do in the next phase of my career. Thanks in adv.

HM

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- Yet another request for career advice. A D (Sep 12)
- Re: Yet another request for career advice. Josh More (Sep 12)
- Re: Yet another request for career advice. Michael Dickey (Sep 12)
- Re: Yet another request for career advice. Brian Erdelyi (Sep 12)
- Re: Yet another request for career advice. gold flake (Sep 18)
- Re: Yet another request for career advice. Josh More (Sep 12)