Any cyber sec / hackers (ethical, of course) in the house


JKS1234

Original Poster:

66 posts

61 months

Sunday 25th December 2022
How long have you been in the industry, and what do you enjoy the most?

And what really grinds your gears?

somouk

1,425 posts

204 months

Monday 26th December 2022
Cyber security covers a massive remit including a lot of speciality stuff.

I work in enterprise security for a large CDN and love my job. Every day is different, some very mentally taxing, others not so much. Others in my team have moved on to work in DevOps and SecOps, and I'm not sure I would want to do their jobs: lots of data processing, monitoring and daily grind for them.

onlynik

3,982 posts

199 months

Monday 26th December 2022
Worked in IT for 20 years. Have some cyber certification. Have other MS/Cisco certs too.

Work is work. Some days are better than others. Threat hunting is great fun now and again. I have a non-standard job, without giving too much away about where I work. It's not your usual 9-5 role.

When your security head is screwed on, trying to push it through the business can be difficult.

surveyor

18,069 posts

190 months

Monday 26th December 2022
onlynik said:
Worked in IT for 20 years. Have some cyber certification. Have other MS/Cisco certs too.

Work is work. Some days are better than others. Threat hunting is great fun now and again. I have a non-standard job, without giving too much away about where I work. It's not your usual 9-5 role.

When your security head is screwed on, trying to push it through the business can be difficult.
From the user side, security is about making it as hard as possible for people to do their job.

I jest of course. Mostly.

snuffy

10,309 posts

290 months

Monday 26th December 2022
surveyor said:
From the user side, security is about making it as hard as possible for people to do their job.

I jest of course. Mostly.
That is indeed correct.

Or it certainly is in my job.
Pitre

4,899 posts

240 months

Monday 26th December 2022
I used to work in Information Security for a large financial. Great job, but some right numpty managers so I was very happy to retire some years back.

Interesting work though. I used to visit sites where our customer data was stored to make sure everything was compliant with our rules and to point out where it wasn't. Lots of travel (India 6 or 7 times), Europe, USA etc.

Not so much of the hacking side, although I was indirectly involved in penetration testing, done by far cleverer people than me.

Don't miss the job but do miss colleagues. Loving retirement...

jm8403

2,515 posts

31 months

Monday 26th December 2022
Pitre said:
I used to work in Information Security for a large financial. Great job, but some right numpty managers so I was very happy to retire some years back.

Interesting work though. I used to visit sites where our customer data was stored to make sure everything was compliant with our rules and to point out where it wasn't. Lots of travel (India 6 or 7 times), Europe, USA etc.

Not so much of the hacking side, although I was indirectly involved in penetration testing, done by far cleverer people than me.

Don't miss the job but do miss colleagues. Loving retirement...
Are the testers very well paid, just like coders are at Amazon/FB/Google?

Pitre

4,899 posts

240 months

Monday 26th December 2022
jm8403 said:
Are the testers very well paid, just like coders are at Amazon/FB/Google?
Well, personally I've been away for too long to know, but proper technical pentesters were paid very well in my day...

rodericb

7,072 posts

132 months

Wednesday 28th December 2022
Pitre said:
Well, personally I've been away for too long to know, but proper technical pentesters were paid very well in my day...
Which, with all of the cyber security courses pumping out "security experts" and it being the big gold mine, means they'll be a dime a dozen and you'll pretty much need to do their work for them, hehe.

eliot

11,700 posts

260 months

Wednesday 28th December 2022
rodericb said:
Pitre said:
Well, personally I've been away for too long to know, but proper technical pentesters were paid very well in my day...
Which, with all of the cyber security courses pumping out "security experts" and it being the big gold mine, means they'll be a dime a dozen and you'll pretty much need to do their work for them, hehe.
Yes this is often the case in my experience.

In my day you had to learn and demonstrate all your skills to a couple of blokes in a darkened room with a whiteboard and a patch lead on the desk.

redrabbit29

1,768 posts

139 months

Wednesday 28th December 2022
I'm moving from the public sector into a cyber security role (incident response). Got some technical certifications in hacking: OSCP plus some SANS stuff too.

I don't deal with "clients" at the moment, but from what I've read people often complain about your advice and recommendations falling on deaf ears.

Lots of complaints over antiquated cyber security approaches too, such as forced password changes, and making passwords stupidly over-complex so that no one can ever remember them.

My new role is going to involve writing a lot of reports after investigating incidents, so I expect to get a bit sick of doing the same thing, but I'm hoping to automate some of this a little.

Wildfire

9,822 posts

258 months

Wednesday 28th December 2022
I do a lot of the non-technical side of InfoSec. Got a fairly broad set of experiences, from physical through to compliance, and work predominantly in pre-sales and solutions through to consultancy.

I like the problem solving side of things and being able to be creative.

I don't like to do the "churn" work.

I work with architects, pentesters, CSIRT, pretty much everyone.

Taita

7,712 posts

209 months

Wednesday 28th December 2022
eliot said:
rodericb said:
Pitre said:
Well, personally I've been away for too long to know, but proper technical pentesters were paid very well in my day...
Which, with all of the cyber security courses pumping out "security experts" and it being the big gold mine, means they'll be a dime a dozen and you'll pretty much need to do their work for them, hehe.
Yes this is often the case in my experience.

In my day you had to learn and demonstrate all your skills to a couple of blokes in a darkened room with a whiteboard and a patch lead on the desk.
Still the case in some places :P

sideways sid

1,381 posts

221 months

Wednesday 28th December 2022
I share a workspace with a hacker who works for one of the CyberSec consultancies.

True story: with correct authorisation and in accordance with a planned assignment for a major prospective client, he hacked into their systems and wrote a report detailing how he did it, the security vulnerabilities etc., along with recommended remedial actions.

Then he accidentally sent it to a different prospective client, which happened to be a competitor of the first one!

redrabbit29

1,768 posts

139 months

Wednesday 28th December 2022
sideways sid said:
I share a workspace with a hacker who works for one of the CyberSec consultancies.

True story: with correct authorisation and in accordance with a planned assignment for a major prospective client, he hacked into their systems and wrote a report detailing how he did it, the security vulnerabilities etc., along with recommended remedial actions.

Then he accidentally sent it to a different prospective client, which happened to be a competitor of the first one!
Seriously?

Wow, did he keep his job or was he given the chop?

Mr Whippy

29,532 posts

247 months

Thursday 29th December 2022
redrabbit29 said:
sideways sid said:
I share a workspace with a hacker who works for one of the CyberSec consultancies.

True story: with correct authorisation and in accordance with a planned assignment for a major prospective client, he hacked into their systems and wrote a report detailing how he did it, the security vulnerabilities etc., along with recommended remedial actions.

Then he accidentally sent it to a different prospective client, which happened to be a competitor of the first one!
Seriously?

Wow, did he keep his job or was he given the chop?
While I'm sure they're not as rare as hens' teeth, the supply of capable 'hackers' is probably thin enough to mean you don't just go sacking them for making a mistake?

The comments above about 'hacking' certification or whatever it was had me chuckling.
I'd say hacking was merely an emergent property/ability of someone particularly competent and with a deep interest in their particular job/hobby/whatever.

Can people actually enter this industry now via specific ‘hacker’ type courses etc?

CthulhuTheGreat

15 posts

123 months

Thursday 29th December 2022
I'm now a CISO for a cloud provider, but am a former pen-tester (physical and social engineering) and senior security consultant (as in proper penetration testing, not the "point an app at something and automatically generate a report" type of testing that's common these days).

I've been in security since around 2002, have been involved in R&D, testing, training, GRC and strategy so I like to think I've seen most things. I love the education and people side of the job as you can have a positive impact on people and businesses in a way that they "get".

The part of the role that I don't like is that a lot of businesses pay significant lip service to security (particularly to their customers), whereas in reality they are often not willing to make the investments where it's actually needed until something bad eventually happens.

TBH there are a lot of separate disciplines in security, and I have been lucky enough in my career to have been involved in a lot of them. Red/Blue team stuff is interesting and always changing; the compliance (GRC) side of things is a little more dull and is more akin to just performing/responding to audits, classifying and mitigating risk, and other often not-so-interesting stuff.

redrabbit29

1,768 posts

139 months

Thursday 29th December 2022
Mr Whippy said:
While I'm sure they're not as rare as hens' teeth, the supply of capable 'hackers' is probably thin enough to mean you don't just go sacking them for making a mistake?
I think you could find yourself being encouraged to leave with a mistake of that gravity. I know of several incidents where one company has deliberately targeted other rivals, and so releasing sensitive information like this would be a huge issue. I've got a lot of law enforcement experience, and companies won't even share their internal reports with us due to sensitivity around their contents.

Mr Whippy said:
The comments above about 'hacking' certification or whatever it was had me chuckling.
I'd say hacking was merely an emergent property/ability of someone particularly competent and with a deep interest in their particular job/hobby/whatever.

Can people actually enter this industry now via specific ‘hacker’ type courses etc?
In short, yes, it is possible, and part of it is marketing yourself. It depends on the certification: some are reputable and respected, others are not. Some are deeply technical, hands-on and challenging (OSCE for example) and some are higher level and more around information security (CISSP, CISM).

The advantage these qualifications have is they open doors to interviews. Of course you do have to have the knowledge to back it up.

A lot of it also depends on the company and recruiters, plus the job role itself.

I have an unusual background but got a very well paid job offer, partly thanks to my strong certifications, plus also passing a technical assessment. Without the former, I wouldn't have got anywhere near it, I don't think.

jm8403

2,515 posts

31 months

Thursday 29th December 2022
redrabbit29 said:
In short, yes, it is possible, and part of it is marketing yourself. It depends on the certification: some are reputable and respected, others are not. Some are deeply technical, hands-on and challenging (OSCE for example) and some are higher level and more around information security (CISSP, CISM).

The advantage these qualifications have is they open doors to interviews. Of course you do have to have the knowledge to back it up.

A lot of it also depends on the company and recruiters, plus the job role itself.

I have an unusual background but got a very well paid job offer, partly thanks to my strong certifications, plus also passing a technical assessment. Without the former, I wouldn't have got anywhere near it, I don't think.
What are we talking? >100k PAYE? What sort of role is it?

redrabbit29

1,768 posts

139 months

Thursday 29th December 2022
I would also say that "hacking" is such a generalised and unspecific term these days.

Most people associate hacking with guys writing code and infiltrating the "mainframe" whilst lines of binary code run down the screen.

In most cases, hacking, when referring to "penetration testers", is more around vulnerability assessments and far more procedural-type work.

That can include:

- Simple automated scripts which assess the company's network from an outside perspective
- Code reviews on a particular application or set up
- Internal security testing
- Fuzzing (sending a ton of random data into an application to see how it reacts)
- Phishing campaigns

There are the more hardcore roles, such as Red Teamers: those who are capable of writing exploits as well as reverse engineering malware.