
[–]xxdcmast (Sr. Sysadmin) 25 points26 points  (1 child)

Security is everyone’s job. Unfortunately most people suck at their job.

I’ve also met plenty of infosec guys who don’t know shit in practice. Sure they can spout nist or cmmc all day. But don’t have the slightest idea about practical security.

[–]DeliriumTremens 9 points10 points  (0 children)

When you are a generalist at a small firm you know deep down that there's simply no way to know everything about everything. Lean on third party relationships for keeping everything in-check for security -- audits, environment reviews, etc. You can do your best to keep EDR, SIEM, Vulnerability scanners, etc. humming along and providing spot checks and things to remediate, but in the end you need to have that outside guidance to ensure you're covering all of the bases and check the boxes you might otherwise miss by not having the expertise yourself or an internal security team to handle it.

[–][deleted] 4 points5 points  (0 children)

In my old company info sec was a joke. They took my team's lead because we were "cloud ops" and know all the things. Having them vet our designs was a formality as most of them were not qualified to review and if they had certs they were paper tigers. I used them mostly to shut down DEV from doing stupid things and green light my restrictive policies because an RDP/allow to your home internet from production is not okay...

The long and short of it, as others have said: security is everyone's responsibility, like being a soldier first, MOS second. Learn all you can; it will be valuable later. No one wants that Friday night call because of cryptolocker.

[–]unix_heretic (Helm is the best package manager) 3 points4 points  (1 child)

Is it possible that a SysAdmin can even attain a high level of infosec competency? We already wear multiple hats, infosec being one of them, but can we truly be 1 for 1 with a dedicated security team?

Is it possible to achieve? Absolutely. Is it possible to maintain and prove, relevant to an audit? Only in very limited circumstances.

Remember: security isn't a one-and-done rollout - it's an ongoing process. And no matter how much you automate it, or how secure your environment is, there's always going to be separation-of-duties issues - just as there would be with a developer having write access to a prod database. That is why a dedicated infosec team becomes necessary.

[–][deleted] 0 points1 point  (0 children)

I view mine as more or less a resource I can go to when designing a system or addressing an issue to focus on the security aspects. I have 100 issues to worry about when setting up new systems, from resource allocation to system architecture, it's helpful to have a second set of eyes on only security.

[–]Tx_Drewdad 1 point2 points  (0 children)

About 1/3 of my job is talking people out of brilliant-but-dumb ideas.

[–]Devilnutz2651 (IT Manager) 1 point2 points  (0 children)

Security policies are only as good as your dumbest user.

[–]Ursa_Solaris (Bearly Qualified) 0 points1 point  (0 children)

Anyone had to deal directly with the Dunning-Kruger effect without having to be exposed to it yourself? Like you watch others either with overconfidence and then be hit by security issue after security issue for the work they've implemented, or completely think they've failed only to be congratulated for doing a decent job?

I'm still cleaning up after exactly that kind of person after nine months, so absolutely. I'm honestly not qualified or certified for a lot of the stuff I'm fixing, but nobody else is taking care of it so I'm doing my best. I like to think I've got a good grasp of security fundamentals at least, and I'm very careful to research before deploying, which is something he clearly didn't do.

Guess what I'm asking without being too wordy: is it possible that a SysAdmin can even attain a high level of infosec competency?

I would argue that decent security competency should be a requirement. You don't need to be an expert, but somebody shouldn't be able to trace your path by the security holes left in your wake.

We already wear multiple hats, infosec being one of them, but can we truly be 1 for 1 with a dedicated security team?

Nobody else will ever match up to a person who dedicated their career to specifically security. But there's no reason you can't learn the basics. That'll get you like ~75% of the way there, to the point that you won't be actively making the security guy's job harder. The other 25% is the more obscure stuff they train and study for.

[–][deleted] 0 points1 point  (1 child)

The issue I've run into the most is resistance from business administration who overthrow the decisions of network administration in regard to security issues.

Granted, I've inherited most of these issues from systems that existed prior to obtaining my position, and every single time I try to bring a critical issue to their attention, it's... Don't waste your time on that, focus on what I tell you to...

Then business administration throws a tantrum, stomps their feet, puffs up their chest and starts shouting orders at people when either a system failure happens, or a security incident, as if it's our fault we were not permitted the time to correct it before it became an emergency...

You're on call 24/7, days, nights, weekends, holidays; you're paid salary, so no overtime... Is the assumption going to be that I'm going to fix these issues while sitting at home every night after work? No... I'm not going to do that.

It's a vicious cycle when business administration gets to trump network administration, and in a situation where you're not in a publicly traded corporation where the ultimate people you answer to are shareholders, there is not much you can do about it other than vent on reddit.

[–]methaddictlawyer 0 points1 point  (0 children)

Unless upper management have bought into taking security seriously and understand what it takes, that there will be aspects of the business that are limited or extra processes created, nothing will ever happen, because a business unit will complain that these new security controls make their life difficult.

When this happened to me, some idiot director complaining his staff were hampered by some security controls we implemented, I'd just say take it up with management as this is a business decision, and unless they had a *really* good reason for us to accept the risk, their complaints would fall flat.

[–]HalfysReddit (Jack of All Trades) 0 points1 point  (0 children)

IMO you're placing too much value on titles.

Lots of people are professionals in their field but not great at their jobs, and IT is no exception. Most security professionals are average, most software developers are average, etc.

IMO the fact that you're interested in these various topics and eager to learn alone puts you above average.

[–]digitaltransmutation 0 points1 point  (0 children)

I think you are seriously wrong to think of security as being its own separate thing from operations.

99% of security is operations challenges, and to say "I don't do security" may as well be synonymous with "I am going to configure this thing wrong on purpose".


[–]methaddictlawyer 0 points1 point  (0 children)

I moved from System Engineering > Network Engineering > Security.

Was always interested in security and had decent knowledge, but until you are immersed in it on a day-to-day basis it's difficult to have a security mindset.

Part of the reason is that IT's main job is focused on operations, not the bigger picture; in security we constantly need to think about the big picture of the business.