Facebook CSO slams RSA Conf for repping 'the worst parts of the security industry' Facebook's chief security officer Alex Stamos is not a man to mince words. Today, he delivered a stinging rebuke to the RSA Conference, due to be held in San Francisco next month. "In my opinion, RSA represents some of the worse parts of the security industry in its direction and it's not very helpful," he told attendees at …
The only way to earn a significant income as a security researcher is via bug bounties. Working InfoSec is a fools game in every corporation I've dealt with, directly or indirectly. Last to get hired, first to get fired/layed-off. No one even bothers to pretend to support your job properly (funds, people, and especially tooling). Hell, they don't even bother to read your memos.
So excuse me if I'm a bit confrontational. Asshole.
haha,
the only way to get paid is bug bounties? what?
This is utter tripe. Plenty of people get hired to do security research of all kinds, not just finding vulns in websites (seriously, why do amateurs think this makes them 'rockstar hackers'?)
"Working InfoSec is a fools game in every corporation I've dealt with"
Sure, if you don't like money. Otherwise, now is a very good time to work in infosec.
"Last to get hired, first to get fired/layed-off."
Perhaps that's something to do with you? I've never experienced this.
"No one even bothers to pretend to support your job properly (funds, people, and especially tooling). Hell, they don't even bother to read your memos."
It's your job to educate people about security.
"So excuse me if I'm a bit confrontational. Asshole."
This is probably the reason for your job struggles. Fix your attitude.
I wish you didn't add the last word. I wish we can agree to disagree without being disagreeable.
If you remove that last word, you are very right. Bug bounties are paying the bills and it pays to find individual vulnerabilities. Security is not a product, it's a process. It is the process of assessing risk and managing those risks in a manner that would prevent loss. Both Jack (above) and the Alex Stamos are right in their own ways. The industry needs a shakeup and I am glad that both Jack and Stamos are willing to stand up and say so!!
This post has been deleted by its author
This post has been deleted by its author
Most of the "InfoSec" depts. at companies I've worked at/with consisted of a couple of people checking CVE's and e-mailing the sysadmins to what they thought was relevant. They had almost no technical skills and mostly came from military backgrounds. Really the whole dept. existed just so they could check a box of for the auditors when some of our more regulated customers(like banks) asked if we had an infosec dept. and plan.
And then when the company gets penetrated, they can claim that it got past their experts and they've brought in the really big guns to solve this... and by the way, here's some ID protection from xxxxxxx and we take your privacy and information very seriously.
Meh... same old, same old. nothing changes.
Well it does,
What you're refering to is privacy, not security. Individuals offer FB this data up. The tricky bit is when an individual not only offers their own personal data up but also those of their peers.
The product FB sells is the data and the advertising space, the service it provides is a personal data collection tool offered for free which many consumers want to participate in. FB have a massive interest in keeping people's data secure as that is their product which they sell in various forms.
* Please note this post isn't about the pro's and cons of FB's business model. Thats a whole other kettle of fish.
Security professionals need to concentrate less on a them-and-us adversarial relationship with each other, and more on sharing keowledge and constantly learning to improve the security of systems, he said. There are too many gaps in knowledge that need to be filled, and the industry has been too focussed on conflict, we were told.
Change to A.N.Otherly Brotherly Sister Systems for Systems Programs, ESPecially IntelAIgently Designed for Virtual Enjoyment with Secure Private LOVE Life Enjoinment/Self-Actualisation on Magical Trails to and fro the Greater Good for All, is a Great IntelAIgent Games Play Station in such Systems as Provide for your, and their, very own Future Systems Programming Program.
And work with folk who know what needs to be doing by their just doing IT with Absent Great Friends …… Real Spook Stuff, is the Immaculate Bonus ….. and one hell of a Quantum Communications Cored Driver to Boot and Reboot Endlessly for Creative Energy with Universal Source.
That would be quite a coup de grace to bad systems energised, methinks to explore and ponder.
This post has been deleted by its author
We all know we'd all be far more secure - not with all the wizbang ridiculousness that makes the papers but the nice simple things.
The very basics would be
Patch everything asap (user, server, applications and infrastructure)
Have a decent password management regime.
Have a decent set of AV
Have a firewall. That doesn't have lots of holes in it/look like a colander/nobody understands anymore.
Ensure everyone can only access what they need.
Have a method to blacklist sites that are dangerous to the company.
Have all PCs that aren't in use turned off.
Treat people like grown ups.
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
