AverageSecurityGuy

Security, Programming, Pentesting


23 August 2011

Thoughts on Being an Average Security Guy

by averagesecurityguy

I chose the handle averagesecurityguy because it is the best description of how I view myself. I know I'm not below average because I work hard at what I do and I've seen enough sorry work to know I'm not there. I know I'm not an expert because I've seen the work of experts in this industry and I know I'm not there. So I tend to see myself as average.

Over the years IT and infosec have often come into conflict with family obligations. Trying to keep systems up and running, trying to understand some new exploit, and trying to stay relevant in this ever-changing field has caused more than one argument in my house. I have finally realized that this industry changes too fast and is too complex for me to waste my time becoming an expert. I have resigned myself to being average. I won't stop learning and I'm not giving up on infosec, but I'm not killing myself for it either.

The beauty of this industry is that there are enough lazy sysadmins, poor programmers, and below-average infosec practitioners to keep an average security guy employed for a lifetime. Let me show you what I mean. I recently found this whitepaper over at the SANS reading room and was impressed by the timely and sage advice: physically protect your systems, minimize the number of installed packages and running services, use strong passwords, limit the number of admin users, update your systems, test your systems for vulnerabilities, monitor your systems periodically, and plan for disaster recovery. On a daily basis I see these simple rules violated, but the reason this paper makes me realize I will always have a job is that it was written ten years ago, and at the time it was written this was not cutting-edge advice.

In the last two months I have seen both the SNMP and SMB services available on Internet-facing machines, and I have compromised machines using MS08-067, which is three years old.

People keep worrying about advanced persistent threats (APT) but we still haven't figured out how to deal with basic daily threats (BDT). I'm not sure how to fix the industry but I do know that I can have a good career in infosec and never have to be above average.
