Comments on TaoSecurity Blog: What Hackers Learn that the Rest of Us Don't
Richard Bejtlich

Steve, 2009-11-24T11:31:55.815-05:00

This comment has been removed by a blog administrator.

Unknown, 2009-11-16T14:48:46.282-05:00

This comment has been removed by a blog administrator.

admin, 2009-06-21T14:25:35.084-04:00

This comment has been removed by a blog administrator.

John Ward, 2007-08-24T00:09:00.000-04:00

Responded to this: http://digiassn.blogspot.com/2007/08/it-field-following-money.html

Long story short, you have dedicated hackers who love to hack versus tradeschoolers looking for the big bucks and only want to put in the 9-5. Who do you think is going to win? I think Matt hit the nail right on the head.

Matt Richard, 2007-08-23T10:08:00.000-04:00

Last night I was sitting in the play area of the mall watching my 2 kids when the guy sitting next to me starts to tell me how he was going to school for "network security". His interests were in moving away from his current carpenter position and getting into the "six figure" security jobs he always reads about.

His coursework (to be completed) consists of 3 networking, 4 system administration and 2 security classes taught over 3 semesters. The school promises they can help him land a "security" job after graduation with a local company.

God help us all.

This security analyst to be will be lucky to have even a basic understanding of the subject matter, let alone the context in which real threats occur.

I'm sure this program is in the minority of formal security education but it's still really sad. 9 months and 9 technical courses do not prepare you to troubleshoot a Windows PC, let alone grapple with complex security problems.

Unknown, 2007-08-22T23:11:00.000-04:00

I will clarify that I don't think it is useless for us to have that, but I don't think it is as huge a push as people think it is...

Unknown, 2007-08-22T17:51:00.000-04:00

Excellent post, and quite timely. I am at a point in my career where I regularly read job ads and have gotten quite used to them. I agree with what you pointed out; "entry level" positions have tacked on requirements that are too often absurd for entry level people. I know managers too often are one level abstracted from the daily needs of their people, and HR is another abstraction layer away, but come on... No wonder some of them keep getting posted on the boards I read. :)

It is also something we as a group still have to come to terms with, and that is the "geek" level of hackers versus professional business people or developers. In my recent jobs, I would guess that 1 out of 4 developers are what I would consider geeky enough to really learn the things pointed out in that article. With your generalized hacker, they are natural geeks who are curious about pushing technology.

It's obvious to me what this all shakes out as.

I've never yet bought into how IT people need and are going to mesh with business and gain those skills. I believe there will be a layer of hybrids who live in both worlds, but IT and especially security simply cannot survive by watering our talents and skills down like that. It just can't happen.

dre, 2007-08-22T14:08:00.000-04:00

"You can't know everything about everything. I can't know every detail about IOS at a hacker level AND everything about Windows security at a hacker level"

Can I please add Unix and application security to that list?

You can. You just have to study harder and read more.

To be honest, I've always found that I've been lacking in business skills - but what that really means is "paper degrees" and "paper certs". But some of that stuff is worthwhile, especially for some people. Don't disregard an MBA program as a potential place to learn security skills. Depending on who you are and who you're with - you could learn a whole hell of a lot.

Finding talented people is easy. Getting talented people to stay talented and work with you takes management and leadership skills. Getting talented people to learn your environment takes time and requires heavy investments in instructional capital.

The best people are the ones who immediately start contributing to others, creating their own forms of social and instructional capital. You can't learn how to do this sort of stuff from a computer security book or in an MBA classroom. What you want is a team of experienced leaders - and that only comes by surrounding yourself with self-actualized people and motivating them correctly.

Anonymous, 2007-08-22T09:25:00.000-04:00

I think we have come to the conclusion that no matter how clever your InfoSec team is they can't know everything.

I started off as a techie but I'm finding that the skills I often ignored in the past have become more important. Marketing, leadership, management, report writing, speaking, etc.

You can't know everything about everything. I can't know every detail about IOS at a hacker level AND everything about Windows security at a hacker level. I need to rely on my technical teams for that.

My job is to make sure that they are aware of the issues and to push home ideas like strong passwords, which is something common to all systems including Windows and IOS.

Anonymous, 2007-08-22T07:48:00.000-04:00

Wow. Very insightful, Richard, thanks. And I absolutely agree about the futility of expecting a Windows administrator to spring fully formed from the forehead of Zeus, PLUS a business degree that will cause them never to apply for a job like this in the first place.

H. Carvey, 2007-08-22T06:03:00.000-04:00

Very interesting stuff...mostly due to the obvious element of truth that is so often staring us in the face, yet we fail to see it. I would say that the points about developers apply equally to sysadmins and system engineers who develop and maintain architectures. I've had FTE positions supporting SMBs, as well as providing network security support to telecomm ops...which received their infrastructure after engineering threw it over the "Chinese wall".

Re: academic settings...in some cases, it isn't so much an "ever-increasing number of topics", per se, as it is the availability of instructors, or the expertise of whoever sets up the program. I've seen degree programs that, early on, focused on databases, due to the fact that the professors who set up the program were all database guys.

In some ways, the actions of the "hacker" harken back to 1969 MIT, rather than the misuse of the term today.