
Why Don't IT Generalists Understand Security?


Why doesn't the rest of the IT department understand what encryption and passwords can and can't do? And does it matter?

Comments
dsweil35
User Rank: Apprentice
9/23/2015 | 1:08:50 PM
Entry into Info Sec is difficult.

I have lots of coworkers who are IT generalists like myself, but have no interest in security or even care about it. Their only concern is getting what they need to do done quickly and efficiently. I, on the other hand, am intrigued by security, but am limited by what few certs I can get and book knowledge I can obtain; getting actual experience is almost impossible. Companies expect to hire fully formed professionals with all the knowledge that they will need. Even with growing security concern and the use of cloud-based services to help with companies' security concerns, it seems there will need to be lots of new professionals in the industry to meet the demands of the market with the increased rate and severity of attacks. The only issue is there are very few entries into the security world. Companies are not likely to spend money on training IT pros to do the work that is needed, so what the industry needs is to create people that meet those needs and to create better training to get users up to speed with current security pros.

gautamnandy01
User Rank: Apprentice
7/9/2015 | 5:09:30 AM
Re: IT professionals
The IT Generalist does not want to deal with security.
anirudhsingh1
User Rank: Apprentice
7/8/2015 | 3:43:15 AM
Re: IT Generalists Can Understand Security But Should They?
great news
shirishkunder re
User Rank: Apprentice
7/7/2015 | 4:01:57 AM
Re: IT Generalists Can Understand Security But Should They?
Although I do agree that Risk Management is a critical part of Information Security, I'm not sold on renaming it as such.
RetiredUser
User Rank: Ninja
11/4/2014 | 3:47:08 PM
IT Generalists Can Understand Security But Should They?
I started out in the 90s building my own systems (early Red Hat, Slackware and Radio Shack) because I couldn't afford license fees for the software everyone else I knew was using. That led to work in the industry as a software tester, then builder and automation engineer, to project manager and build/release manager. Now I'm on my way back down in the tech trenches, doing builds and testing and a host of fun security-related tech at home. It's fair to say that since the 90s I became an "IT generalist" over time, with a minor specialty at each new job. However, going back down the ladder, I'm learning that while my experience across the board in IT helps me appreciate what everyone else does, it doesn't mean I should formulate opinions or direct others to do things within their area of expertise. In fact, I feel more strongly today about "each thing (or resource) in its place" than ever. I liken IT Security to the military, and I think that all of us "generalists" don't need to understand security more deeply than this: Shut up and listen to your IT Security team. They are there to keep your data safe and maintain the integrity of the company you work for. It's like being caught in a terror attack: Do you need to understand why it's happening, or the mechanics of how the military sent in to protect you works? No – respect the SMEs (subject matter experts) and jump when they tell you.

I think that is why I am so focused on software security now that I'm older.  Testing software opened up a new world to me and I broke lots of code; exploits could have been written off some of the results I got out of my stress testing.  Writing code for test automation also opened my eyes to a whole new world of tech, and built appreciation for programmers and what they do; especially from the perspective of writing secure code.  But never once did I feel I "understood" security and could speak to it as an expert.  I shut up and I do what the security teams tell me to do, from patching my systems to cease/desist orders against my ISO downloads :-)  Do I want to understand it fully?  Sure – and I have lots of lab time in over the last couple years that has allowed me to develop both practical systems security knowledge and combative security tactics.  But I'm still proud to be an "IT generalist" because my brain is just too interested in too many things tech to stay on one track for long.

Why don't IT generalists understand security?  Maybe because they shouldn't have to.  They can, but really all that's important is that they respect that IT security is a necessary function, and that when they are told by someone from that function to do something that will protect them and their office mates, they do it.
ODA155
User Rank: Ninja
10/16/2014 | 10:57:07 AM
Re: Understanding
@Sara Peters

"You say that's going to change. How long do you think it will take?"

When we turn on the TV or come out to this site and read that senior people responsible for the care, management, operation and security of some poorly secured data environment that was hacked for 83 million customer records, along with their CEOs and others responsible, have been indicted for negligence. That's when it will change.
Marc Eggers
User Rank: Strategist
10/15/2014 | 8:06:10 PM
IT Generalist - so bad?
As one of those "IT generalists" who has returned to my security roots and is delving back into it, I have to say that I think the issue is less a question of "Do IT generalists understand security?" than "Why don't we have more IT generalists who know what they are doing?" Now, I am not talking about the business users who are considered generalists because they have superuser rights or can go into admin panels and change passwords, but I am talking about the IT generalists who are able to support their company in any way that is needed.

I think that there needs to be a return to the generalist mentality. Hear me out before you decry my statement. I am not advocating a return to the single-person IT department, but I do think that cross-functional understanding improves everyone's performance and facilitates communication so that everyone is on the same page. How often has there been a problem because a programmer didn't build in enough security, assuming that the firewall or VPN would protect them? How often has a firewall been misconfigured because it was quicker or easier to get it up and running that way? How often has a project been completed only to have someone find an architectural concern or security flaw in the design that could have been eliminated from the start had input been sought from someone in a different sector?

It is disheartening to see the silos that are built up around all the different areas of IT. How often have you heard of a programmer designing a website or an application who does not understand assembler or network protocols? Or a system admin who doesn't question why their server is running at 75% memory usage but just throws more memory at the problem? Colleges these days are teaching programming in a very slapdash manner to get more people out there coding, but so many do not understand how the computer works well enough to understand the difference between an int and a long, strcpy vs. strncpy, varchar or nvarchar, etc. The list goes on and on. I have heard infosec professionals say that if every developer stopped using strcpy we would almost eliminate the entire class of vulnerabilities that rely on buffer overflows. Yet we still have developers using strcpy. We have websites that are still written to send the username and password directly to the database.

I don't think that everyone needs to know the nitty-gritty of encryption or NAT tables or SQL injection or whatever it happens to be, but I think that everyone should have a more than passing knowledge that these things exist so that everyone can support one another. Security cannot be one person's responsibility without the support of the rest of the organization. Everyone having a broader understanding of others' roles, responsibilities, and most importantly capabilities allows us to layer security more comprehensively than a wrapper that is thrown on as an afterthought. One of our biggest responsibilities in security is training others to be secure and bringing everyone together, and how can we bring everyone together if we aren't generalists enough to know what everyone else's skills and responsibilities are?
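An added example in C, not part of the commenter's post, that makes the strcpy vs. strncpy point above concrete from the defender's side: the length check strcpy never performs, a bounded copy that always terminates and reports truncation, and the strncpy pitfall (no terminator when the source fills the buffer) that makes a plain strcpy-to-strncpy swap insufficient. The helper names copy_bounded, strcpy_would_overflow and strncpy_terminates and the sample input are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: bounded copy that always NUL-terminates and
   reports whether src fit. Copies nothing when dst_size is 0. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return false;
    size_t n = 0;                       /* scan no further than dst can hold */
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) {
        /* src is too long: keep dst_size-1 bytes and terminate. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);            /* includes the NUL */
    return true;
}

/* The check strcpy never performs: strcpy writes strlen(src)+1 bytes
   no matter how large dst is. */
bool strcpy_would_overflow(size_t dst_size, const char *src)
{
    return strlen(src) + 1 > dst_size;
}

/* strncpy's own pitfall: when src fills dst_size bytes it leaves no
   terminator. Returns whether the result is a valid C string. */
bool strncpy_terminates(size_t dst_size, const char *src)
{
    char buf[64];
    if (dst_size == 0 || dst_size > sizeof buf) return false;
    memset(buf, 'X', sizeof buf);       /* make a missing NUL visible */
    strncpy(buf, src, dst_size);
    return memchr(buf, '\0', dst_size) != NULL;
}

int main(void)
{
    char name[8];                          /* room for 7 chars + NUL */
    const char *input = "administrator";   /* constructed sample input */
    printf("strcpy would overflow: %d\n", strcpy_would_overflow(sizeof name, input));
    printf("copy_bounded fit: %d, dst=\"%s\"\n", copy_bounded(name, sizeof name, input), name);
    printf("strncpy terminates: %d\n", strncpy_terminates(sizeof name, input));
    return 0;
}
```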
savoiadilucania
User Rank: Moderator
10/15/2014 | 1:25:54 PM
Re: IT vs. InfoSec
@KillerB

"No more security as a bolt on."

This notion no longer seems tenable. Information technology systems are going through a massive phase of disintegration, where the security controls being provided are fully agnostic to the system itself. Vendors are providing discrete products to satisfy specialized security needs. The mentality that the platform provides the full panoply of security controls is antiquated and arguably defunct.

"If security is included up front we will significantly reduce the ridiculous flaws (Bash anyone) that show up."

I question this conclusion. The bug in bash was obscure, unique, and the consequence of poor programming. I don't know what could have been done 20+ years ago to identify it. And quite honestly the bug would have been far less devastating if there were not so many interdependencies between applications and the underlying operating system.

"Open source, freeware, whatever you want to call it should give you pause"

I do not want to resurrect the open vs. closed source debate in this forum but will point out that, just as my "German" automobile contains Chinese/Taiwanese electronics and was assembled in Mexico, the "closed source" product in your environment most definitely contains a variety of open source code and even code purchased from others.
savoiadilucania
User Rank: Moderator
10/15/2014 | 11:33:25 AM
Meh
Information technology generalists don't understand security because they don't understand information technology.
Sara Peters
User Rank: Author
10/13/2014 | 12:34:15 PM
Re: There's no middle ground
@bearinboulder Great, great points. I'd considered how this chicken-and-egg problem -- can't get a job without security certs and can't get the certs without the job -- affects the so-called "security skills shortage." But I hadn't thought about how that issue impacts how security is viewed/treated within an organization.