Re: My Frustrations



Alex,
Nice post, I enjoyed reading that. I agree with you that people should come to the list and ask questions; that is, after all, how we all learned. When someone comes to this list and tells us that he's already started a penetration test and needs some direction with a problem, that is perfectly fine. But when the direction that he is requesting is elementary in nature and is something like "how do I run this exploit" or "how can I use XSS" or "why is SQL injection risky", that makes me cringe.

The real issue is that in this industry the cream doesn't float to the top without a fight. That's because there are very few people who are not experts that can tell the difference between who is an expert and who isn't. As a result, customers purchase services from people thinking that they are experts, when they aren't. They get that fake kit-car Ferrari but pay for the real thing. Or maybe they get the fake Ferrari and pay less but think that they are getting the real thing.

Just as an FYI, my motivation for shedding light on this subject is to protect people. When you purchase security services and you're not an expert, you expect to feel secure and safe after everything is said and done. If the people offering the services don't know what they are doing, then what they are really selling you is a false sense of security. In my opinion that's almost criminal.


On Dec 18, 2008, at 10:31 AM, Alex Moen wrote:

Adriel,

I am, by no means whatsoever, an experienced, professional, or even focused pentester, but rather an experienced, professional, focused network administrator who is very interested in pen testing for my own knowledge and the security of my systems. I would expect some questions like the ones that you are discussing to come from someone like me... :)

However, I do agree with you that someone calling themselves a security professional or pentester, and charging for their services, should not be asking "basic" or low-level questions, especially on a public forum such as this. I would think that there would be a level of pride or whatever that would prevent that to a degree; however, I have always lived by the idea that there is nothing wrong with asking questions, nor are there any stupid questions. At least the professional who is asking questions is trying to improve himself in this regard, and is probably sensitive to his limitations... The people who really get to me are the ones who do not ask any questions and are secure that they know everything and that they are always right, even when I can prove them wrong. I sometimes ask some pretty silly questions in respect to my job, although they don't always seem silly at the time of the asking, and they earn a heel-of-the-palm-to-the-forehead from myself in retrospect.

This is not a problem isolated to the security professional world, however. It is, afaik, in *every* profession. Our company does web and e-mail hosting, PC repair, and network services as well as ISP services, and we have competition in all of those arenas. Some of the competitors are competent professionals; others are fly-by-night half-wits who talk themselves into the graces of the customers. Those customers eventually get burned and come back to us. It is really up to the customer to determine whom to trust and not to trust, and to do background checks and get information and referrals about the companies that they are doing business with, and if they get burned it is no one's fault but their own. Also, it may be a company trying to save a few bucks by hiring the cheapest workforce that they can, rather than the best. For whatever reason, though, the poor performers never seem to go out of business and keep rearing their ugly heads and leaving messes for the rest of us to clean up...

Anyway, that's my 2 cents on the whole issue. Hopefully my opinion doesn't earn a bunch of flames. Just keep doing the best job that you can, and remember that the cream always flows to the top.

Alex



Adriel T. Desautels wrote:
I recently wrote this blog entry and wanted to get some comments from readers of this list. I'm frustrated with the caliber of the people that are offering security services and posing as experts; that's the subject of the post. Please comment, insult, whatever... I'm interested.
http://snosoft.blogspot.com/
Adriel T. Desautels
ad_lists@xxxxxxxxxxxxx
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Adriel T. Desautels
ad_lists@xxxxxxxxxxxxx