Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

04-30-2014, 01:20 PM   #1
FanIn80
GOAT!
Join Date: Jun 2006
Need recommendation for network hardening specialist

Anyone able to recommend someone? Essentially, I want a consultant to come in and audit our network security and provide me with a list of ways to improve it.

05-01-2014, 08:42 AM   #2
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Give me your IP and if you end up with horse porn on your desktop, you know it sucks.

Seriously though, I don't know anyone who does this, but it is a field that I am very interested in.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

05-01-2014, 12:34 PM   #3
Hack&Lube
Atomic Nerd
Join Date: Jul 2004
Location: Calgary

I know who does this but his rate is beyond your means. Try contacting a 3rd party security company like Seccuris?

05-01-2014, 12:55 PM   #4
Russic
Dances with Wolves
Join Date: Jun 2006
Location: Section 304

Quote:
Originally Posted by Hack&Lube View Post
I know who does this but his rate is beyond your means. Try contacting a 3rd party security company like Seccuris?
I have a cousin-in-law that works in network security and it sounds pretty common for consultants in this field to make wild money.

05-01-2014, 01:25 PM   #5
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

Question is how to get into it. Seems like something where you have to know your stuff VERY well or you wouldn't last very long.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

05-01-2014, 01:53 PM   #6
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Quote:
Originally Posted by photon View Post
Question is how to get into it. Seems like something where you have to know your stuff VERY well or you wouldn't last very long.
Well, first you get arrested for breaking into the NSA secret database and spend 15 years in jail...

After that, job for life.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

05-01-2014, 02:08 PM   #7
Hack&Lube
Atomic Nerd
Join Date: Jul 2004
Location: Calgary

Quote:
Originally Posted by photon View Post
Question is how to get into it. Seems like something where you have to know your stuff VERY well or you wouldn't last very long.
Strong networking background, good developer background, good investigative/forensic skills/background, high level security certifications (from GIAC, etc.)

And opportunities of course (Rathji jokes but black to white-hat hacking might actually be a way). The guy I know makes 300K working for a US gov't contractor with only a high-school diploma. I've considered this a couple times.

Last edited by Hack&Lube; 05-01-2014 at 02:10 PM.

05-01-2014, 03:03 PM   #8
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

Yeah I'm old enough that I wonder if I shouldn't be transitioning to a different career, one that I can follow through to retirement, unless I intend to be a programmer forever.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

05-01-2014, 03:18 PM   #9
Cabbage
Draft Pick
Join Date: Sep 2003

Don't know your exact situation but this work can be expensive. But there are a few options.

1.) Most expensive way is contracting an information security service provider to do the work.

2.) Getting an assessment done by an information security product re-seller... This may not get you a deep dive, but most will come in and provide input for free as they want to sell you products.

3.) Do a self assessment... Use open resources to guide your decisions.

SANS Top 20 Critical Controls:
Designed to be mostly implemented in order, but 1 to 5 and 12 will reduce most risk. Each section has good information plus lists of some quick win controls.

http://www.sans.org/critical-security-controls

Australian Government Top 35 Strategies:
http://www.asd.gov.au/infosec/top-mi...2014-table.htm

Vulnerability Assessment Software:
If a small business there is a free community edition for less than 32 IPs
https://www.rapid7.com/products/nexp...-downloads.jsp


If you have any questions please feel free to ask.

Chris

05-01-2014, 03:28 PM   #10
Hack&Lube
Atomic Nerd
Join Date: Jul 2004
Location: Calgary

Quote:
Originally Posted by photon View Post
Yeah I'm old enough that I wonder if I shouldn't be transitioning to a different career, one that I can follow through to retirement, unless I intend to be a programmer forever.
Unfortunately just like everything else, your knowledge quickly becomes obsolete...and in this area faster than any other which makes it hard to deal with as you get older and want something more stable.

05-01-2014, 03:29 PM   #11
Hack&Lube
Atomic Nerd
Join Date: Jul 2004
Location: Calgary

Quote:
Originally Posted by Cabbage View Post
Don't know your exact situation but this work can be expensive. But there are a few options.

1.) Most expensive way is contracting an information security service provider to do the work.

2.) Getting an assessment done by an information security product re-seller... This may not get you a deep dive, but most will come in and provide input for free as they want to sell you products.

3.) Do a self assessment... Use open resources to guide your decisions.

SANS Top 20 Critical Controls:
Designed to be mostly implemented in order, but 1 to 5 and 12 will reduce most risk. Each section has good information plus lists of some quick win controls.

http://www.sans.org/critical-security-controls

Australian Government Top 35 Strategies:
http://www.asd.gov.au/infosec/top-mi...2014-table.htm

Vulnerability Assessment Software:
If a small business there is a free community edition for less than 32 IPs
https://www.rapid7.com/products/nexp...-downloads.jsp


If you have any questions please feel free to ask.

Chris
To add to the free options, there's software called Nexpose that you can get a free trial of as an assessment tool for your systems as well.

05-01-2014, 03:30 PM   #12
Russic
Dances with Wolves
Join Date: Jun 2006
Location: Section 304

Quote:
Originally Posted by Hack&Lube View Post
Strong networking background, good developer background, good investigative/forensic skills/background, high level security certifications (from GIAC, etc.)

And opportunities of course (Rathji jokes but black to white-hat hacking might actually be a way). The guy I know makes 300K working for a US gov't contractor with only a high-school diploma. I've considered this a couple times.
The cousin I have that does it is an absolute machine. She showed me the books she has to study several times a year for certifications and it was essentially hundreds of pages of gibberish. Granted, I'm a tool and she's very sharp.

05-01-2014, 03:38 PM   #13
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

Quote:
Originally Posted by Hack&Lube View Post
Unfortunately just like everything else, your knowledge quickly becomes obsolete...and in this area faster than any other which makes it hard to deal with as you get older and want something more stable.
Good point, I need a job as a paper pusher. There was that safety compliance stuff mentioned in the other thread...
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

05-01-2014, 03:40 PM   #14
CubicleGeek
Scoring Winger
Join Date: Oct 2006

Quote:
Originally Posted by Rathji View Post
Well, first you get arrested for breaking into the NSA secret database and spend 15 years in jail...

After that, job for life.
This reminds me of a funny story one of our security experts told me about concerning a contract he had stateside to test the hardening of a client's network. He was given an IP range from the client representing the organization's subnet - while running every known exploit and intrusion method he had on file the FBI broke down his hotel room door. Apparently, the numbers they gave him were off by one digit and he spent the entire morning bombarding a government site.

He didn't get a job for life, but he did get it cleared up and didn't end up in Guantanamo Bay.

05-01-2014, 03:45 PM   #15
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Quote:
Originally Posted by CubicleGeek View Post
This reminds me of a funny story one of our security experts told me about concerning a contract he had stateside to test the hardening of a client's network. He was given an IP range from the client representing the organization's subnet - while running every known exploit and intrusion method he had on file the FBI broke down his hotel room door. Apparently, the numbers they gave him were off by one digit and he spent the entire morning bombarding a government site.

He didn't get a job for life, but he did get it cleared up and didn't end up in Guantanamo Bay.
That's awesome, and terrifying at the same time.

It's the kind of thing that makes you check IPs 6 times before running a command for the rest of your life...
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

05-01-2014, 03:48 PM   #16
FanIn80
GOAT!
Join Date: Jun 2006

Quote:
Originally Posted by Hack&Lube View Post
I know who does this but his rate is beyond your means. Try contacting a 3rd party security company like Seccuris?
If this guy you know is good (and current), then I'd rather talk to him. Don't worry about what his rate is.

05-01-2014, 04:26 PM   #17
Hack&Lube
Atomic Nerd
Join Date: Jul 2004
Location: Calgary

Quote:
Originally Posted by FanIn80 View Post
If this guy you know is good (and current), then I'd rather talk to him. Don't worry about what his rate is.
Unfortunately it's that guy that just left Calgary a few weeks ago to work for the US government contractor so I don't think he's available anymore but I'll see if I can contact him.

05-01-2014, 10:20 PM   #18
FanIn80
GOAT!
Join Date: Jun 2006

Quote:
Originally Posted by Hack&Lube View Post
Unfortunately it's that guy that just left Calgary a few weeks ago to work for the US government contractor so I don't think he's available anymore but I'll see if I can contact him.
OK, no worries. I'll try to find someone local.

It seems like this would have been a pretty good field to get into... Though I suppose it's not too late...

05-02-2014, 08:50 AM   #19
psicodude
First Line Centre
Join Date: Nov 2006
Location: Calgary

http://www.ionsecurednetworks.com/ These guys are really good, but not cheap. Most security companies are charging in the $200/hour range, but they are usually worth it.

05-02-2014, 01:57 PM   #20
FanIn80
GOAT!
Join Date: Jun 2006

Quote:
Originally Posted by psicodude View Post
http://www.ionsecurednetworks.com/ These guys are really good, but not cheap. Most security companies are charging in the $200/hour range, but they are usually worth it.
Their Anti-Virus/Anti-Malware partners are:
  • Check Point
  • Proofpoint
  • McAfee
  • FireEye

All times are GMT -6.