-
ROTFL if you're going to neg me with some stupid crap like "den you get negged to, boi..." then at least have the sack to sign your name.
Not that antipoints matter all that much, but just be man/woman enough to own up to your negs. I do...
*shrug*
Thanks to those who did agree.
Yes the MCSE does not have a lot to do with security, but I see a lot of incompetents in all aspects of the field out there.
Avenger.
-
Strange thing about the security survey...Companies say security is a top priority, but don't want to spend the additional dollars to improve it. Then when it comes to budget cut time, the security area is one of the first places they look to cut costs because it is an expense that takes away from the "bottom line."
Juridian...I've heard that attending a SANS Conference is about the best thing for a security professional, in terms of exposure and learning. Can you confirm? I'd love to attend one next year - if I survive budget cuts next week.
-
I haven't attended one of their conferences yet...tho I hear they are really great. I am currently working on the GSEC training/certification through their online program and so far it is really good.
-
Chuck
Computer Science classes do not relate to security at all. They tend to relate to programming, programming technique etc. When they talk about Operating Systems they are normally talking about a basic to semi-MCSE type training.
Even most IT programs at Universities do not cover security in detail. They do cover networking, databases, computer programming, and computer hardware and design. Security, from what I have seen, is only presented under these auspices not as a field unto itself.
However, a good understanding of programming and networking is a good basis to launch a deeper understanding of Security. So the classes are not wasted. I currently am teaching myself Perl. While I learned Fortran in college I have not used it for a long time. Since then I dabbled in C and C++ but never got overly serious. Perl so far has seemed to be a good starting language and is easily adapted to the Security and Computer Administration environment. I hope to couple that with my knowledge of networking to get a deeper understanding of Security than I currently have. Right now I am the anti-script kiddie. I am using tools and downloads to protect myself without fully understanding, in many cases, what they are really protecting me against.
BTW my credentials for making the statements I made are 6 years as an Adjunct Professor at Cerro Coso Community College and Porterville Community College teaching Networking, Introduction to Computers, and Introduction to Windows. My degree is in Mechanical Engineering so I can also comment on gears but I got out of that field 8 years ago and started working with computers and networking. Now I find myself in security and it is almost but not quite totally unlike anything else in the computer field. It helps to have a lot of basic knowledge but then that knowledge has to be used in ways I have never had to use it before. So, I am again at the beginning of developing new skills. My old ones may help but most of these are not taught in classes at this time, certainly not in colleges and universities. The class mentioned earlier sure sounds enticing though.
This raises one of the reasons why Security Specialists are needed but companies don't know how to get them. Companies tend to think of security as an add on to Computer Administration. Many administrators agree until they start realizing the amount of time it takes to keep up with the changing world of security. So instead they harden their systems with the basics and pray (or wish if you prefer) that nothing bad happens. Some are lucky, like me, that their network uses Novell as its primary NOS and, honestly, Novell is a lot safer than M$ for obvious reasons, and even than *nix because few people even try to break it. Most, however, are stuck with M$, probably are running a web server, and quickly find that standard hardening techniques are not enough and that the standard keeps moving.
If most companies did hire a true security specialist then they would probably end up firing him too since most of the work is hidden and is research and learning. One of the key mistakes, IMO, is to make the NS the Admin. If you do you have no accountability. I don't want admin access, I want a dummy network that I can try to find the vulnerabilities on, then report them along with a fix. Prove the fix and finally have the administrator repair the vulnerability in the production network. I can prove and watch the security software without admin privileges and this way I monitor not only the users but the administrators too. That gives the network an auditor, access to view without access to modify. Again, most companies do not see the need for this because they have not defined security enough.
Is my desire a pipe dream? Well, yes, for most of us it is. But until industry wakes up and realizes that security means money and that it is a specialized field they will always be in a reactive rather than proactive mode.
/me steps off soap box and fades into the distance.