Flush Times For Hackers in Booming Cyber Security Job Market (reuters.com)

The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security. From a report: The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting. "Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people," said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on Wednesday at one of the week's most popular parties. Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies. But as tech has taken over the world, the opportunities in the security field have exploded.

42 comments

  1. Good way to get indicted... by Anonymous Coward · · Score: 0

    ... for "computer hacking". It's illegal, even though not even the law knows what it is. Not surprising since the computer security industry doesn't know either. They keep on arguing about it.

  2. Good times for the certification sellers too by OffTheLip · · Score: 2

    The US defense department is practically bankrolling CompTIA with their perpetual certification requirement for Security+.

    1. Re:Good times for the certification sellers too by Anonymous Coward · · Score: 0

      As a veteran I know a lot of people in the employ of the DoD, and as someone with an interest in computer security I'll take these certification courses. I was in a Security+ class where the total attendance was probably just 10 people: 8 were from a local military base, 1 was a small business owner, and me, at the time recently discharged and using some GI Bill money to get training that seemed valuable. I don't know if any of them were enlisted, but none came to class in a uniform.

      A friend that is in the Air Force talked about how he was tasked for a time as a training manager of sorts, making sure the people on base had sufficient IT security training for their job. His "job" officially was some kind of mechanic, but it turned into having to keep everyone's certifications current for a time. He doesn't talk much about what he does any more. I think he sits at a computer all day playing "flight simulators" now.

  3. thank God for... by ole_timer · · Score: 1

    criminals, hackers, Chinese, Russians, Iranians, etc... they keep us all employed...

    --
    nothing to see here - move along

  4. most of the new folks... by Anonymous Coward · · Score: 3, Informative

    I've been in the security field since 2000, and was a developer/programmer fascinated by hacking and crypto for years before that.

    Most, not all, of the new people I see entering security in this boom aren't interested in hacking, crypto, forensics, exploitation, etc. Without a curiosity about these things, I don't know how much they will ever contribute. It is very reminiscent of IT in the 90s.

    1. Re:most of the new folks... by Anonymous Coward · · Score: 0

      Well, as with many professions, once the word gets out that it's a lucrative field, the job gets populated with people wanting better than their jobby-job.
      Naturally the curious and true-career icons that are all cut from the same cloth get diluted by newcomers. These arrivals may be earnest, but without natural curiosity & aptitude they cannot help but treat this potential career as another regular jobby-job.

  5. You don't need to be a hacker... by __aaclcg7560 · · Score: 2

    I'm currently halfway through a five-year contract in Government IT to provide security remediation. Just about everyone has 20+ years of experience in IT. Other than a few Raspberry Pi hackers, the team doesn't have any real hackers. Security remediation was at 70% when we got started. It's now 95% and pushing towards 99%.

    1. Re:You don't need to be a hacker... by ole_timer · · Score: 1

      you go right on believing that - the hackers love you...

      --
      nothing to see here - move along

    2. Re:You don't need to be a hacker... by ole_timer · · Score: 1

      anyone who thinks they are at 95% does not understand the problem...

      --
      nothing to see here - move along

    3. Re:You don't need to be a hacker... by Anonymous Coward · · Score: 0

      So you've closed 95 out of 100 known security vulnerabilities in your infrastructure? WOW.

      Which means that you've left 5 out of 100 known security vulnerabilities - for which active exploits no doubt exist in the wild - wide open. And you're so focused on the "known" pieces that you're not even considering what hasn't been publicly reported as a CVE?

      You are to a "security" team what a janitor is to an "architectural" team. You open tickets and route them to real workers who do the actual implementation work. And meanwhile, 5% of KNOWN vulnerabilities go un-addressed. If you have a building with 100 doors, and 5 of them are left unlocked to anybody who wants to come open them... how secure is your building, exactly? And meanwhile, nobody's considering the overall threat footprint of the environment, and what the likely attack surfaces are for the "next, as-yet-unknown" security vulnerability that's going to let hackers have a field day in your environment.

      So let's correct your post:

      "You don't need to be a hacker to open tickets and open tickets based on Nessus (and similar) scans."

      You DO, however, need a deep understanding of security and secure programming, to do anything more than that - i.e., defending your organization against unpublicized threats.

    4. Re:You don't need to be a hacker... by __aaclcg7560 · · Score: 1

      So let's correct your post:

      Have some Jalapeno Spam with your whine.

    5. Re:You don't need to be a hacker... by Anonymous Coward · · Score: 0

      I don't think you quite understand how security remediation is done by Government IT contractors. OP really means to say that 950 of 1000 boxes are checked on their remediation checklist. Nothing more than that should be read into their security posture or the underlying work done to achieve this status.

    6. Re:You don't need to be a hacker... by __aaclcg7560 · · Score: 1

      OP really means to say that 950 of 1000 boxes are checked on their remediation checklist.

      The other 50 are either offline or slated for reimage.

    7. Re:You don't need to be a hacker... by Anonymous Coward · · Score: 0

      you sound triggered, bro

    8. Re:You don't need to be a hacker... by Anonymous Coward · · Score: 0

      By which you mean that the other 50 are still open, active, unremediated security vulnerabilities present in your environment.

      And since you claim "tens of thousands" of workstations - let's say 50,000 workstations - that you're managing, that means that at any given time, 2500 workstations have an open, unsecured vulnerability present on them.

      Which, in turn, means that your security posture can be described as approximating the effectiveness of a screen door on a submarine. And that is what you get when you hire creimers to manage your security. A bunch of bureaucratic "we checked off the boxes," nonsense, without any real assurance that your environment is actually secured.

    9. Re:You don't need to be a hacker... by __aaclcg7560 · · Score: 1

      A bunch of bureaucratic "we checked off the boxes," nonsense, without any real assurance that your environment is actually secured.

      I've been through a half-dozen OIG audits without my work being flagged for any issues.

    10. Re:You don't need to be a hacker... by Anonymous Coward · · Score: 0

      Neither has the janitor's.

    11. Re:You don't need to be a hacker... by __aaclcg7560 · · Score: 1

      Neither has the janitor's.

      I know the younger Latino women are hot on the janitorial staff, but you need to control your fixation on them. :P

    12. Re:You don't need to be a hacker... by Anonymous Coward · · Score: 0

      I've been through a half-dozen OIG audits without my work being flagged for any issues.

      "Has the environment been secured?"
      "The audit forms have been completed in triplicate, and approved by the appropriate bureaucrats."
      "But has the environment been secured?"
      "No audit has ever shown our paperwork to be anything less than complete and correct."
      "But has the environment been secured?"
      "My work has NEVER been flagged for any issues by the OIG."
      "But has the environment been secured?"
      "I'd refer you to report 2017-OIG-2731741234, which shows a 95% remediation rate for the environment."

      Your answers are PERFECT bureaucratic answers, creimer. You dodge the actual point by throwing irrelevant facts and statistics around. 95% remediation rate says that 5% of issues at any given time are unremediated in your environment. That means your environment isn't secure, no matter how many bureaucrats say you passed an audit.

    13. Re:You don't need to be a hacker... by __aaclcg7560 · · Score: 1

      That means your environment isn't secure, no matter how many bureaucrats say you passed an audit.

      There's no such thing as a 100% secured environment. The NSA proved that when a worker printed out a document, put the printout into her purse and walked out the door to give to the press.

      https://www.theguardian.com/us-news/2017/jun/05/reality-winner-russia-us-election-hack-nsa-leak

      A 95% remediation rate means that script kiddies, casual hackers and opportunists will be prevented from breaching the system. A determined hacker will always find a way to breach the network.

    14. Re:You don't need to be a hacker... by Anonymous Coward · · Score: 0

      Good for you. So what?

    15. Re: You don't need to be a hacker... by Anonymous Coward · · Score: 0

      I believe he's saying that security remediation makes up 95% of his workload, not asserting that he's a 95th percentile hacker.

  6. Humble Bundle: Cybersecurity. by Anonymous Coward · · Score: 1

    https://www.humblebundle.com/books/cybersecurity-wiley

    For $15 you can get the Humble Bundle for this month.

  7. Correct... apk by Anonymous Coward · · Score: 0

    See subject: Utter agreement here. Given a choice between certs or even degrees & experience? I'd choose the latter.
    Why??

    Simple: Questions during the tech interview would tell me what I need to know & 9/10 times, & from my experience (1994-2008 on most all levels in the art & science of computing professionally) guys w/ REAL world "pedal-to-the-metal"/"in-the-trenches" experience win!

    * This goes for most ANY field out there imo (& doubtless that of hiring mgt. as well worldwide).

    APK

    P.S.=> A young guy who graduated Stanford in CS (brilliant but VERY "left-brained", almost autistic type) whom I did my CS degree work w/ said it best: "Old guys know a LOT of tricks that these degrees don't give me"... apk

    1. Re:Correct... apk by Anonymous Coward · · Score: 0

      I wouldn't hire you based off of your work as it is all little toy problems, so you had better hope you have some brains but that is doubtful given how you argue. Don't bring up your hosts file stuff as that is the definition of a toy problem.

  8. How does big party = meet more talent? by xxxJonBoyxxx · · Score: 2

    >> Hosting big parties has enabled us to meet more talent in the community

    Take the Nike party at Defcon recently. Huge nightclub, free swag, pumping music, wall-to-wall geeks. However, there was nowhere in the club you could actually TALK to anyone, so you basically cruised in, grabbed anything you wanted and left with your friends. There may have been a signup - if so, it didn't seem to lead to even a single recruitment contact. So...how does this help recruitment?

    1. Re:How does big party = meet more talent? by phantomfive · · Score: 1

      Why does Nike care about Defcon? (Also, how did you hear about the Nike party?)

      --
      "First they came for the slanderers and i said nothing."

    2. Re:How does big party = meet more talent? by Anonymous Coward · · Score: 0

      Companies care about making any publicity that will make the public relate to them, and eventually turn to sales. And with the introduction of video games as e-sports (shudder) and hacking as a competitive e-sport in itself, well, this shoe company is just making an appearance to be involved for involvement's sake.
      Someone will buy shoes from Nike as a result. Maybe not you & I, but someone.

    3. Re:How does big party = meet more talent? by Anonymous Coward · · Score: 0

      Nike+

    4. Re:How does big party = meet more talent? by Anonymous Coward · · Score: 0

      For parties like R7's at least it's why they require pre-registration for a badge. (I used to work at R7.) They screen (or try to) who comes in, knowing it's going to be a mix of who's who in the industry (people that other people want to hang with), existing customers, potential customers and potential new employees. They review the list of attendees before the party and then staff the party accordingly (we have potential customers coming so we need to make sure their sales reps are there, or we have 50 potential new employees coming so we need to have a couple recruiters there).

      When you pre-reg they also get your email, so even if they miss you at the party they will email you later, and/or the recruiter can call you and start with "how did you enjoy the party?" Usually the recruit had a good time so it's a good opener, and the party gave the person a good impression of the company.

      Before registering for a badge was a thing, indeed a lot of people would just go to the party and then leave, and it was a missed opp for the company if they were trying to recruit someone who showed up. If Nike doesn't, I guess they are hoping that the party makes a good enough impression on you that you follow-up with their infosec recruiting team somehow.

  9. Def: Hacker by TheStickBoy · · Score: 1

    I had to read the summary twice to figure out if the definition of a hacker here meant causing 'destructive cyber attacks' or 'technology tinkerers'.

    Also, the 1990s called, they want the terms cyber and tinkerer back.

    1. Re:Def: Hacker by Anonymous Coward · · Score: 0

      https://www.youtube.com/watch?v=5XGPVqF9Zj0

  10. flush times by Anonymous Coward · · Score: 1

    My flush times are normally pretty good. But recently it takes two or more, or even a plunger. Should I be eating more or less lettuce?

  11. Meh by Anonymous Coward · · Score: 0

    20 Years in IT as a UNIX admin, before that electronics and hardware crypto tech.

    Got a CISSP cert in January.

    Not one inquiry about a security position has come my way. Nothing. I still think the cert was worth the time, but unless you've already got a security job, it may be a while before you can get a security job.

  12. catch-22 by Anonymous Coward · · Score: 0

    So how does one get the experience if one is doing a career change?

    No experience in security + taking courses in CSecurity + certification = no job.

  13. You are asking the wrong person by Anonymous Coward · · Score: 0

    You are asking the wrong person.
    APK will say that you should spam some toy problem you did on slashdot for years.
    He would also claim that you should mindlessly argue with people who prove you wrong and, if all else fails, go off on word-soup tirades that look like something pounded out by a million monkeys with typewriters.

    I would say go take some classes at a nearby technical college (not the ITT tech type but the ones that are state run and similar in price to a local community college) where you get real hands on skills and they offer an internship program. Also people don't typically get hired right out of school into security positions, you start off in development or some other area and express an interest, maybe get some certs, show that you know what you are doing and then move into that area fully.

  14. Oh really? by Anonymous Coward · · Score: 0

    Number of entry-level jobs in CyberSecurity that have no experience requirements - just know-how requirements:

    ZERO.

  15. I don't have to do those anymore... apk by Anonymous Coward · · Score: 0

    See subject: Problems in multi-part/service cross-platform logistical programmatic trains (multi-million line systems). Thank-God. Seriously. I make my own monies now. My efforts are dedicated to my own self. It's better.

    * Try it...

    (When you do, IF you finally do? You know it)

    APK

    P.S.=> 1/2 a century++ & who knows what I'll do next - hosts was for fun, it works & is terribly efficient... apk

  16. Professional security guy here... by Anonymous Coward · · Score: 0

    As in, been making well into six figures for 15 years now.

    The security field is split. There's the gimps who can sit at a bash prompt or Cisco console all day, then there's the managers/consultants who can suit up and talk to the CEO in business speak.

    The first group are dime a dozen, the second group are in demand. The CISO on the $800k + options salary belongs to the second group and he/she just buys in more plebs from the first group.

    What the board wants to see is experience and business knowledge. They don't care about technobabble or how many tcp packets can fit in the SQL injection firewall DDoS thingy. They want Governance, Risk and Compliance and they'll pay through the fucking nose to get it.

  17. Blowhard, show you've done better... apk by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    (APK's) work, I've flat out said it's good by BronsCon

    I've tried his hosts file generating software. It works by bmo

    APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat

    Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

    * It's recommended/hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ - See subject: You can't... apk