  1. Member
    Join Date
    Mar 2012
    Posts
    37
    #1

    Do people here with a Security Qualification work on a contract, full-time or freelance basis?

    Hi just wondering if people here work part time/ full time or freelance?

    I guess I ask because I figure that once you have done a full security audit with pen testing, you essentially (at least for that moment in time) solve the potential weaknesses and problems of an organization's IT system. Does that mean that for the other 80% of the time you just sit around? I mean, if you were employed on a full-time basis, then surely once you are confident that the IT infrastructure and integrity is solid, what do you do with the rest of your time?

    Thanks

  3. Senior Member
    Join Date
    Feb 2012
    Posts
    2,426
    #2
    There's a lot more to infosec than just pen testing; the practice includes forensics, incident management, SDLC security, etc., etc. Threat vectors change, bad guys adapt.

  4. Senior Member
    Join Date
    Jul 2008
    Location
    Los Angeles
    Posts
    115
    #3
    Quote Originally Posted by paul78 View Post
    There's a lot more to infosec than just pen testing; the practice includes forensics, incident management, SDLC security, etc., etc. Threat vectors change, bad guys adapt.
    Paul is spot on. I'm lucky in the respect that our company has fair-sized information security and compliance teams. The pen testing is definitely the fun/sexy part of the job, but the reporting and documentation is the part of the job most people seem to forget about. We also handle vulnerability scanning, threat/risk analysis and management, and validation that the identified risks are remediated by the appropriate teams. We work with the compliance teams to create policy and procedure documents. I work with the training teams to keep our security awareness training current. Then we have to work with the developers for code analysis, testing, beating them with a stick to follow best practices, and teaching them some of the ways we break, err, test their code. Once that is done we have vendor compliance and assessments to be completed. We do a ton of testing on vendor patches, and we submit a number of vendor bug disclosures which have to be tested multiple times and submitted through legal for approval prior to contacting the vendor. Then, if you're bored, we work as an escalation point for the SOC teams and incident handlers as the need arises.

    But after all of that, the part of the job I really love is when we set up a lab and host a brown bag lunch for the people that want to learn some of the basics of ethical hacking. When you send out the event invite with limited space and 15 minutes later all seats are full, it is a great feeling. Almost as great as the feeling you get when you see the look on the executive assistant's face when he/she gets their first XSS message to pop and they realize what they just did. It makes all the long hours totally worth it.
    Last edited by contentpros; 03-13-2012 at 07:55 AM.

  5. Senior Member
    Join Date
    Feb 2012
    Posts
    2,426
    #4
    Quote Originally Posted by contentpros View Post
    It makes all the long hours totally worth it.
    That was well described. And if your job involves helping to put away bad guys, it can be satisfying.

    For me, I actually spend about 10-20% of my time working with lawyers on the legal side - either with customers, regulators, or other auditors.

  6. Stayed at a Holiday Inn.. the_Grinch's Avatar
    Join Date
    May 2007
    Posts
    3,846

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA CMFF CCO CCPA
    #5
    I think you are forgetting the infrastructure does change and new vulnerabilities come out every day. I really don't believe you will find any company with a dedicated security team come out and say "welp, we're 100% secure" and then relax for a bit. If so, they'd no longer work for me, that's for sure.
    WIP:
    MS in Legal Studies - Drexel University
    Mobile Forensics
    Kotlin
    Python

  7. Network Security tpatt100's Avatar
    Join Date
    Aug 2009
    Location
    Ypsilanti, MI
    Posts
    2,886

    Certifications
    CISA, CISSP, GIAC G2700, CEH, CHFI, Security+, CCENT, N+, A+
    #6
    When I was focused more on technical audits at my old job, it was almost daily and weekly scans and audits to prepare for the monthly report. Since I was working in a SOC that provided security services for several different government sites, we went from sitting around after our daily routines in the morning to working full on getting ready for a roll-out of new systems.

    Usually, like I said, it was daily and weekly preparations for the monthly report showing vulnerabilities that were not corrected, creating a POAM for tracking when the issue was last reported, and then phone-tagging the admins to get them to correct it within the next 48-72 hours depending on severity.

    Since systems were always coming online, I usually had a group of machines I was working on reports for.

    Also, like somebody mentioned, things change constantly: new versions of OSes, service packs, and new versions of software running on systems add new issues that need to be identified and corrected.

  8. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #7
    Quote Originally Posted by contentpros View Post
    I have to say... This sounds just plain awesome.

  9. Senior Member
    Join Date
    Aug 2011
    Location
    Little Rock, AR
    Posts
    818

    Certifications
    CISSP, CCNA (R&S, Sec), WGU BS:IT Sec, MCTS: Win 7 Config, Sec+, Project+, Storage+, Net+, A+
    #8
    Quote Originally Posted by contentpros View Post
    I have to say, this is the job I want. Who wouldn't like pen testing? But I think I would really like vulnerability scanning and threat analysis, and tempering it with teaching best practices and actually seeing my work pay off with a better-informed user base would fulfill my desire to make everyone's job easier through proper use of technology. No one really likes all of the bureaucratic paperwork, but that comes with every job to a degree. I also think creating policy and procedure docs would be fun.

    Seeing things like this helps me to know that I am heading down the right track. IT Sec is definitely the field for me. Now, all I have to do is finish my degree, get a couple more certs, and GTFO of this JOAT position.

  10. Senior Member
    Join Date
    Jan 2007
    Location
    ::1F03:0307
    Posts
    239

    Certifications
    somewhat
    #9
    Quote Originally Posted by lister View Post
    Security auditing and penetration testing are two completely separate tasks, as are vulnerability assessment and penetration testing.

    Once upon a time, penetration testing was an art form. Those in the industry needed to understand a lot of different areas in the industry to be successful. One needed to really understand networking at LEAST on a CCNA level to understand subnetting, broad/multi/etccasting, VLANs (VLAN hopping). They needed to understand systems all around - meaning, those with systems administration (Solaris, Windows, BSD, Linux) were likely to be better pentesters since they often understood systems as a whole. The candidate needed a bit of programming experience and so forth. The last decade has brought forth too many "point and click" hackers who believe that running metasploit auto_pwn is a pentest. The kind who believe that Nessus, Rapid7, Core Impact and Canvas on a network constitute a pentest.

    Pentesting used to be sexy. Nowadays, companies don't want outright pentesting. Most want vulnerability assessments from "hacker tools" like metasploit, but metasploit is only as good as the individual using the application. Most people I have seen who quote on quote "know" metasploit know little more than 5-6 commands. Enough to pull off staged exploits that make non-security folks drool. These "tool drones" have saturated the market with zero knowledge of real-world exploitation. Real-world exploitation meaning: take away their favorite tools, throw them on a network with zero of their tools, and let's see how much they truly know.

    I have been asked time and time again for advice on getting into this career, hence me writing my "Pentesting 101" document. It was aimed at someone taking the time to learn enough about the scopes of the OSI and how they relate to pentesting. I truly believe that anyone following it would be a sharp/strong pentester. More so than doing the same re-hashed staged exploitation via metasploit or any other tool.

    Anyhow, enough rambling. I suggest you read the following, lister: http://www.infiltrated.net/pentesting101.html It lays out a solid foundation to build on.

  11. Senior Member
    Join Date
    Aug 2011
    Location
    Little Rock, AR
    Posts
    818

    Certifications
    CISSP, CCNA (R&S, Sec), WGU BS:IT Sec, MCTS: Win 7 Config, Sec+, Project+, Storage+, Net+, A+
    #10
    Quote Originally Posted by sexion8 View Post
    ... quote on quote "know" ...
    Grammar **** Warning:

    Sorry, but you just hit on a pet peeve. 1) It's "quote, unquote". 2) There is no reason to write out "quote, unquote" when you can write out the punctuation.

    I just can't let otherwise intelligently sounding people make these kinds of mistakes.

  12. Senior Member
    Join Date
    Jan 2007
    Location
    ::1F03:0307
    Posts
    239

    Certifications
    somewhat
    #11
    quote on quote - I write what and how I feel, don't like it don't read it. Instead of you wasting your time trying to correct your own OCD based pet peeve, you could have added to the discussion. Einstein, DaVinci, Edison... All had dyslexia (care to correct my three dots 2? or would the 2 in this sentence also irk you too)

  13. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #12
    Thread veering off topic alert...
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray
