Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Why Don't IT Generalists Understand Security?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 4   >   >>
dsweil35
dsweil35,
 User Rank: Apprentice
9/23/2015 | 1:08:50 PM
Entry into Info Sec is difficult.

I have lots of coworker who are IT Gen. like myself, but have no interested in security or even care about it. There only concern is getting what they need to do quickly and efficiently done. I on the other hand am intrigued by security, but and limited by what few certs I can get and book knowledge I can obtain, getting actual experience is almost impossible. Companies expect to hire fully formed professionals with all the knowledge that they will need. Even with growing security concern and using cloud based service to help with companies security concerns it seem there will need to be lots of new professionals in the industry to meet the demands of the market with the increased rate and severity of attacks. Only issue is there are very few entries into the security world. Companies are not likely to spend money on training IT Pros. to do the work that is needed so the industry needs is to create people that meet those needs can create better training to get users up to speed with current Sec Pros.

gautamnandy01
gautamnandy01,
 User Rank: Apprentice
7/9/2015 | 5:09:30 AM
Re: IT professionals
The IT Generalist, dows not want to deal with security. 
anirudhsingh1
anirudhsingh1,
 User Rank: Apprentice
7/8/2015 | 3:43:15 AM
Re: IT Generalists Can Understand Security But Should They?
great news
shirishkunder re
shirishkunder re,
 User Rank: Apprentice
7/7/2015 | 4:01:57 AM
Re: IT Generalists Can Understand Security But Should They?
Although I do agree that Risk Management is a critical part of Information Security, I'm not sold on remaning it as such.
RetiredUser
RetiredUser,
 User Rank: Ninja
11/4/2014 | 3:47:08 PM
IT Generalists Can Understand Security But Should They?
I started out in the 90s building my own systems (early Red Hat, Slackware and Radio Shack) because I couldn't afford license fees for the software everyone else I knew was using.  That led to work in the industry as a software tester, then builder and automation engineer, to project manager and build/release manager.  Now I'm on my way back down in the tech trenches, doing builds and testing and a host of fun security-related tech at home.  It's fair to say that since the 90s I became an "IT generalist" over time, with a minor specialty at each new job.  However, going back down the ladder, I'm learning that while my experience across the board in IT helps me appreciate what everyone else does, it doesn't mean I should formulate opinions or direct others to do things within their area of expertise.  In fact, I feel more strongly today about "each thing (or resource) in its place" than ever.  I liken IT Security to the military, and I think that all of us "generalists" don't need to understand security more deeply that this:  Shut up and listen to your IT Security team.  They are there to keep your data safe and maintain the integrity of the company you work for.  It's like being caught in a terror attack:  Do you need to understand why it's happening, or the mechanics of how the military sent in to protect you works?  No – respect the SMEs (subject matter experts) and jump when they tell you.

I think that is why I am so focused on software security now that I'm older.  Testing software opened up a new world to me and I broke lots of code; exploits could have been written off some of the results I got out of my stress testing.  Writing code for test automation also opened my eyes to a whole new world of tech, and built appreciation for programmers and what they do; especially from the perspective of writing secure code.  But never once did I feel I "understood" security and could speak to it as an expert.  I shut up and I do what the security teams tell me to do, from patching my systems to cease/desist orders against my ISO downloads :-)  Do I want to understand it fully?  Sure – and I have lots of lab time in over the last couple years that has allowed me to develop both practical systems security knowledge and combative security tactics.  But I'm still proud to be an "IT generalist" because my brain is just too interested in too many things tech to stay on one track for long.

Why don't IT generalists understand security?  Maybe because they shouldn't have to.  They can, but really all that's important is that they respect that IT security is a necessary function, and that when they are told by someone from that function to do something that will protect them and their office mates, they do it.
ODA155
ODA155,
 User Rank: Ninja
10/16/2014 | 10:57:07 AM
Re: Understanding
@Sara Peters

"You say that's going to change. How long do you think it will take?"

When we turn on the TV or come out to this site and read that senior people responsible for the care, management operation and security in some poorly secured data environment was hacked for 83 Million customer records, when they along with their CEO's and others responsible been indicted for neglegence. That's when it with change.
Marc Eggers
Marc Eggers,
 User Rank: Strategist
10/15/2014 | 8:06:10 PM
IT Generalist - so bad?
As one of those "IT generalists" who has returned to my security roots and is delving back into it, I have to say that I think the issue is less a question of "Do IT Generalists understand security" as it "Why dont' we have more IT generalists who know what they are doing". Now, I am not talking about the business users who are considered generalists because they have superuser rights or can go into admin panels and change passwords, but I am talking about the IT Generalists who are able to support their company in any way that is needed.

I think that there needs to be a return to the generalist mentality. Hear me out before you decry my statement. I am not advocating a return to the single person IT department, but I do think that cross-functional understanding improves everyone's performance and facilitates communication so that everyone is on the same page. How often has there been a problem because a programmer didn't build in enough security assuming that the firewall or vpn would protect them? How often has a firewall been misconfigured because it was quicker or easier to get it up and running that way? How often has a project been completed only to have someone find an architectural concern or security flaw in the design that would have been able to be eliminated from the start had input been sought from someone in a different sector?

It is disheartening to see the silos that are built up around all the different areas of IT. How often have you heard a programmer design a website or an application that does not understand assembler or network protocols? Or a system admin who doesn't question why their server is running at 75% memory usage but just throws more memory at the problem? Colleges these days are teaching programming in a very slapdash manner to get more people out there coding, but so many do not understand how the computer works to understand the difference between an int and a long, strcpy vs strncpy, varchar or nvarchar, etc. The list goes on and on. I have heard infosec professionals say that if every developer stopped using strcpy we would almsot eliminate the entire class of vulnerabilities that rely on buffer overflows. Yet we still have developers using strcpy. We have websites that are still written to send the username and password directly to the database.

I don't think that everyone needs to know the nitty-gritty of encryption or NAT tables or SQL injection or whatever it happens to be, but I think that everyone should have a more than passing knowledge that these things exist so that everyone can support one another. Security can not be one person's responsibility without the support of the rest of the organization. Everyone having a broader understanding of other's roles, responsibilities, and most importantly capabilities allows us to layer security more comprehensively than a wrapper that is thrown on as an afterthought.  One of our biggest responsibilities in security is training others to be secure and bringing everyone together and how can we bring everyone together if we aren't generalists enough to know what everyone else's skills and responsibilities are?
savoiadilucania
savoiadilucania,
 User Rank: Moderator
10/15/2014 | 1:25:54 PM
Re: IT vs. InfoSec
@KillerB

"No more security as a bolt on."

This notion no longer seems tenable. Information technology systems are going through a massive phase of disintegration, where the security controls being provided are fully agnostic to the system itself. Vendors are providing discrete products to satisfy specialized security needs. The mentality that the platform provides the full panoply of security controls is antiquated and arguably defunct.

"If security is included up front we will significantly reduce the ridiculous flaws (Bash anyone) that show up."

I question this conclusion. The bug in bash was obscure, unique, and the consequence of poor programming. I don't know what could have been done 20+ years ago to identify it. And quite honestly the bug would have been far less devastaing if there were not so many interdependencies between applications and the underlying operating system.

"Open source, freeware, whatever you want to call it should give you pause"

I do not want to resurrect the open vs. closed source debate in this forum but will point out that, just as my "German" automobile contains Chinese/Taiwanese electronics and was assembled in Mexico, the "closed source" product in your environment most definitely contains a variety of open source code and even code purchased from others.
savoiadilucania
savoiadilucania,
 User Rank: Moderator
10/15/2014 | 11:33:25 AM
Meh
Information technology generalists don't understand security because they don't understand information technology.
Sara Peters
Sara Peters,
 User Rank: Author
10/13/2014 | 12:34:15 PM
Re: There's no middle ground
@bearinboulder  Great, great points. I'd considered how this chicken-egg problem -- can't get a job without security certs and can't get the certs without the job -- affects the so-called "security skills shortage." But I hadn't thought about how that issue impacts how security is viewed/treated within an organization.
Page 1 / 4   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42247
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-41443
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
CVE-2022-33882
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.