[CyberBank]

The biggest areas for growth for Cyber at the moment are of the not-so-sexy jobs. The asset inventory, patch management, vulnerability management, third party management, risk management, etc. If you are good at any of those and are innovating in any of those areas, you are as close to naming your own price as you can get in Cyber.

As for the most "needed" areas of Cyber, it comes down to education. Not your bachelors degree, but educating and raising awareness to your business, your IT staff, and even your development teams. It's extremely tricky to measure your return on investment, but almost always it comes down to a lack of knowledge causing one massive hole in the fence, leading to a breach.

No amount of controls will stop someone truly motivated and skilled, so you're better off raising the fence a bit higher and hoping that it deters the truly malicious.

Disclosure: I run Vulnerability Management and Assessments globally for one of the largest companies in the world, so my answer may be a bit bias :)

[bostik]

I keep telling to people who want to get into infosec one thing over and over: most of the infosec work is not about breaking [into] things, it's about incredibly boring reporting.

The truly interesting bits are on what to investigate/automate, what to report from it - and how.

If you're really good, I recommend to focus your long-term efforts into usability. Security gets a bad rap because far, far, FAR too often increasing security of <something> means reducing that thing's usability. But if you can find a way to improve <something> in a way which makes it more secure and more usable, you can't keep people away.

Fact of life: people gravitate towards convenience.

[winternett]

I keep telling people that the person who applies the patches needs to be qualified, paid, AND TRAINED just as much as the guy who wrote the fancy paper on maintaining security, and that development and infrastructure need to be more simplified, otherwise security will likely not be implemented properly... companies rarely heed the warning. And that leads to breaches that PR teams get paid a LOT within companies fight furiously to squash.

[zelon88]

This is a huge component of my work, and in my industry truly underappreciated. I'm the only programmer in a manufacturing environment and as our business grows so does our exposure, attack surface, and potential bounty. Some days I feel like my co-workers think I'm goofing off or ignoring my other other hats by messing with obscure systems. Sometimes I feel guilty. It's one of those professions where nobody notices you when you're doing things right, and the only way you know for sure it's right is after it's gone horribly wrong.

> No amount of controls will stop someone truly motivated and skilled, so you're better off raising the fence a bit higher and hoping that it deters the truly malicious.

I also want to second this. As angering as this statement is its entirely true. You cannot stop someone forever. You can just increase the difficulty of their tasks to beyond a reasonable or obtainable threshold. A "secure" network with ineffective monitoring can quickly become worse than a terribly insecure network that is tirelessly monitored. Complacency is a killer.

[clebio]

I didn't realize people actually use the term "Cyber".

[tim58]

The word cyber is almost exclusively used when discussing security of computer systems. It's used very heavily by government and academic circles and it propagates to other industries from there.

In the 90s I used the word to describe an instant messenger version of "phone sex" and I haven't been able to take anyone that uses the term seriously after that, but I never really took the goverment or academia seriously to begin with.

[_delirium]

Even in academia, at least in my corner of it, "Cyber" as a term has a very government/military/suit connotation. Academics will sometimes use it when writing grant proposals or presenting in a DARPA-ish context, but most researchers prefer to call what they do "cybersecurity" (or even just "security", if a CS context is clear).

[auiya]

Thankfully, the field of study listed on my degree is Information Security. I would almost be embarrassed to tell anyone it was in "cyber" security.

[biztos]

Yeah, not only is "Cybersecurity" a "Thing" (I work in s/w security and hear it all the time) but people still talk about "Artificial Intelligence" when they mean image filters and classifiers, and have been doing so since the 1980's.

Language fires the imagination. This is mostly a good thing. Sometimes it's also stupid, but not necessarily bad for it.

[lawnchair_larry]

It’s usually used by either people working with the government, or by people who are tech-illiterate (marketing etc). The rest of the security industry is likely to snicker if they hear that word.

[staticassertion]

It's a term that's been adopted out of necessity.

[Thorrez]

Why isn't "computer security" or "infosec" good enough?

[snowwrestler]

“Computer security” is too narrow; you want to secure more than just computers (phones, for example, which are technically just little computers but no one calls them that).

“Information security” is too broad as it covers more than technological systems—sensitive information often exists on paper, for example.

A close plain English name would probably be something like “information systems security” and I have heard some people use that, but it’s kind of a mouthful.

I guess I wonder why people get so upset and offended by the word cyber. Sure it’s a made up word, but all words are made up. IMO a lot of the resistance to using it comes down to weird cultural signaling like “I’m too smart or informed to use this dumb word.” It’s just a word, and even people who complain about it know what it means.

[tastroder]

For me that cultural signal goes the other way around. When faced with people using "cyber" unironically I'm attributing that to government proximity, weird processes and TED talks for managerial types instead of actual technical content. Which is fine in context I guess, that doesn't make the term any less stupid, for me it signifies a certain cultural distance from the subject matter of a generation that has been left behind. I always assumed the term stemmed from the old use of cyberspace or cyber information highway in the 70s/80s(?), we've moved on from that era of the internet being a sci-fi construct. Even school children get at least some technical understanding these days and are made aware of larger implications like privacy.

While I absolutely agree that it's a pointless discussion, I don't believe it's completely insignificant.

[thepangolino]

You're not the only one. Brussels, the self proclaimed capital of the European Union and seat of many lobbies, is full of those "cyber-security" types. They proudly declare themselves experts in the field but are hardly pressed to discuss any product other than what they've been told to sell.

[nesadi]

https://en.wikipedia.org/wiki/Cybernetics

This is where 'cyber' comes from. It's not "stupid".

[daveslash]

I agree with you -- I think there's a lot of cultural signalling, perhaps some unintentional by those who use the word 'cyber'. Generally speaking, I'm off-put when someone uses the word "cyber" because I generally interpret that as a signal that someone doesn't really know that much about infosec/cyber-security. For example, let's suppose that I'm meeting with a rep from Company X's cybersecurity team and we're reviewing my threat model, counter-measures, the specifics of the encryption, etc... and I'm asked "this all looks good, but is it cyber?" -- it's just plain off-putting. That said, I'll still do my best to smile and be helpful because, at the end of the day, we're trying to improve the world, not cut people down.

[staticassertion]

Government wants to use cyber so we use cyber.

[Spooky23]

They needed a fancy word to attract and anchor the ridiculous investments made. This area has attracted so much attention, it has become an overlay IT organization that demands a lot of care and feeding. Nothing escapes the cyber-amoeba... even sleepy areas like asset management need expensive cyber tools and expensive cyber people.

Think of it like front end web development in the 90s. Webmasters ended up with a lot of independence and cash, because the company had to get on the information superhighway.

[staticassertion]

This is way off, the security community at large rejected the term cyber for years, but it was necessary to play ball with govt. That's it. The fact that vendors now leverage the word is irrelevant, that happened way later.

[biztos]

Sometimes I wonder how much money is out there waiting for the Magical HN Unicorn that is anti-cloud, anti-network, pro-RDBMS, pro-POSIX, old-school Dirty-Grandpa-Fighter[0] ultraconservative about computer security. My gut tells me $LOTS.

[0]: https://youtu.be/Civy151wAH4

(sorry, youtube and B-movie but hey... analogy!)

[devin]

Could you say more? Describe a possible company.

[biztos]

I'm just riffing of course, but let's say:

StatiDyn - Stability in Motion

Marshaling the latest innovations in AI, ML and self-driving infrastructure, we protect your company with time-tested compromise-free MIL-SPEC IT solutions!

60000% more secure than Palantir, 134% more secure than AWS Government Cloud, according to "Fair and Balanced" independent testing.

Free yourself from the Cloud! Guaranteed physical isolation of mission-critical assets; armed guards 24/7 in front of your dedicated StatiDyn Security Cell; biometric six-factor authentication using the Gillette's Razor™ protocol.

...one could go on but angel round first. :-)

[winternett]

We need to go back to the client Server Days! It's much more secure to run IIS on WinNT! -Grandpa

[Bhilai]

I thought Asset Management was the next sexy thing in security - heard about a lot of security startups that facilitate in Asset and inventory management - BitDiscovery, Senrio etc.

[CyberBank]

Everyone is trying to get a piece of the pie :) trickiest thing right now is defining what an "asset" truly is.

An asset could be ephemeral cloud infrastructure, an uncompiled piece of code, an API endpoint, a server, a compiled application, a third party vendor, a group of microservices, a fax machine, an employee, a filing cabinet with sensitive information, a virtually defined CI/CD pipeline, and a million other things. At what point do you cross line from paranoia to proper asset inventory, tracking, triaging, remediation, etc. How do you find commonality between all of these devices, critical infrastructure, and data?

Bonus points of trickiness, how do you manage inventory when it changes constantly like cloud, like a third party, a web app, etc. Things like certificate management get extremely dicey. Where do you cross the line between data management, asset management, etc. It's currently the most open area of IT and Cyber that there is, and no one, in my opinion, has a grip on it.

[RandomTisk]

I've never even seen a company that properly tracks assets when they're only defined as "servers" and "software packages". The closest I saw with hardware, before virtualization really took over, was when the datacenter wasn't allowed to hand out IP addresses to new servers without them being in the master inventory list. Then virtualization happened and things got bad again. Any company with Devops is going to run into challenges too.

[thorwasdfasdf]

I've never understood people who say: "No amount of controls will stop someone truly motivated and skilled". I don't think that's true.

Correct me if I'm wrong, but If there's no holes in the application/web stack to be exploited, then there's no getting in. Right? It's not about hacker/pirate skill. It's about whether or not the target has plugged all their holes or not.

[mcpherrinm]

How secure is the source integrity of all your dependencies?

All your software vendors?

How likely are you to get malware on an employee laptop?

Phish employee credentials?

Have somebody sneak into your office late at night and install keyloggers on everyone's keyboards?

Kidnap an employee's family and blackmail them into giving you access?

Go through your recruiting pipeline and join as an employee with the motive to steal your data?

Get two people to do the same and bypass peer review controls?

Of course those are getting outlandish and unlikely, but that depends how "motivated and skilled" your attacker is.

[sprafa]

If you’re going against a three letter agency, Israeli or Chinese intelligence, you also have to consider all of your hardware sourcing. They don’t even need to compromise vendors, they just need to intercept a package en route.

Not sure where OP was coming from. It’s virtually impossible to protect yourself against a dedicated advanced persistent threat group.

[no-dr-onboard]

In the purest, most academic sense of the conversation; yes, it is impossible to comprehensively defend against 0-days, APTs and nation states.

If we want to be pragmatic about the discussion, then it’s all about your threat model. In that sense, OP is right. If you’re a mom and pop shop selling a catalog of hardware, your LAMP stack isn’t going to face the same scrutiny as a “GooFacePayZon”. According to how he defines his threat model, he can call himself ‘secure’.

[graylights]

Software is only one part. Do you trust your hardware, your people, your supply chain, your physical security. "Truly motivated" can mean extreme resources and willingness to cross all boundaries.

Are you secure if your admin's child is kidnapped and the ransom demand is for network access? Are you secure from the Secret Police wanting to hijack your service for their purposes?

Once you accept you CAN'T stop truly all attacks you can be comfortable with acceptable risk and work to mitigate realistic risks.

[btown]

Yep - this is why you might try to limit pivoting based on an assumption that everything is compromised, you can require coordination from multiple geographies to unlock access to certain highly sensitive resources, you ensure that these protocols aren't published, and above all you follow the New York Times Test: don't type anything that you wouldn't want to see on the front page of the NYT. This requires pride in security at all levels of your organization, and it's something that few organizations outside of the military get right.

[yifanl]

It boils down to this: if you can access secured data, then someone following the same steps can also access it.

So unless you advocate for no secured data, you are vulnerable to a sufficiently sophisticated attack (I.e. hypnodrones hijack your mind)

[newman314]

I’ve bypassed the man trap for a DC by accident before so I guess I’m good? :)

Can’t remember how I did it but my former coworkers still tell stories about it. Lol.

[CyberBank]

I am referring to a CIA (confidentiality, integrity, availability) related incident. Less so the availability. If an attack was truly motivated, the web stack / application stack is not how you compromise the system. The user is how you compromise the system. Do you have proper physical security to prevent unauthorized access? Do you have proper password and 2 factor auth configured? Do you educate your employees on how to identify phishing? There are numerous other ways to compromise a system than remotely via the web or application stack :)

[kerng]

Read up on Microsoft's Assume Breach strategy. A mature organization has to embrace thinking beyond prevention.

https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837...

[fuzz4lyfe]

>Correct me if I'm wrong, but If there's no holes in the application/web stack to be exploited, then there's no getting in. Right? It's not about hacker/pirate skill. It's about whether or not the target has plugged all their holes or not.

Similarly if a ship is unsinkable the passengers will never drown. Easier said than done.

[csours]

I think you may be imagining a comprehensive numbered list of exploits. Some products are sold that indicate things like this.

It may be possible to write a software component that is not vulnerable to exploits, but any non-trivial system built of many components will almost certainly be exploitable.

As much as people say they value security, they also value delivery of working software.

Additionally, as others have said, no system is invulnerable from the CIA, NSA, KGB, etc. Someone knows the passwords (or where the passwords are stored) for your system. They may be vulnerable to bribery, blackmail, torture, etc.

[neuralzen]

Unfortunately it is never that simple. Even if you have thing well plugged on your end, other software /services that interact may provide a path. I recall one instance a few years ago where a hacker chained password recovery services together to breach an apple account, by bouncing through Amazon. One of the password recovery methods for Apple at the time was providing the billing address, and at Amazon you could recover a password by providing the full CC# of a card on file. But Amazon also let you add a CC# for an account you weren't logged into, so the hacker got a Visa giftcard, added it to the Amazon account of the victim, reset the Amazon password with that CC#, and then used the shipping address in Amazon to recover the Apple account password.

Then there are the security holes that exist and are known about by select groups which they sit on and use for big plays...

[blincoln]

The computing stacks for a typical modern corporation are too complex to be able to say with certainty that all the holes are plugged.

[godelski]

> Correct me if I'm wrong, but If there's no holes in the application/web stack to be exploited, then there's no getting in. Right?

Right. But there's a saying. "Nothing in unhackable". There in lies the problem. If you can build an unhackable system you literally can get whatever salary you want. If you can convince someone that such a thing is possible. But I'm pretty sure that'd count as fraud.

[novok]

An unhackable system is like saying an invincible building.

They both will never exist with the proper 'adversary'.

[godelski]

I'm confused at your reply. Did you think I suggested something might be unhackable? Because I suggested that nothing is unhackable.

[thijsvandien]

> If you can build an unhackable system you literally can get whatever salary you want.

Does it have to be useful?

On a more serious note, similarly to being able to break RSA in ‘little’ time, having that kind of skill would not result in financial wealth but a huge risk to your physical and mental/emotional well-being. Imagine who would come knocking on your door (assuming they won’t straight out abduct you), and trying to tell them no.

[dreamcompiler]

> It's about whether or not the target has plugged all their holes or not.

You're not exactly wrong, but you're assuming something that's impossible. How do you know where all the holes are? You (I'm using the generic you here, as though speaking to a CIO) cannot even inventory all the net-connected software and hardware you own, and even if you could the list would be out of date in 24 hours. But let's say you had that fictional inventory. How do you find its vulnerabilities? You might be able to design an automated process to look at your source code and match against the CVE database. Whoops! You don't have source code for most of your resources because they're proprietary and came from outside vendors. So maybe you look at object code. There are tools that do that. Whoops! A lot of the code is in ROM and you cannot extract it. Even if you could extract all your object code and analyze it against CVEs (which you can't), that's only going to catch known vulnerabilities. What about the unknown ones?

Oh and now we have to talk about all the stuff that's not net-connected which is vulnerable to employees plugging in USB drives...

So no, you can't know where all the holes are so there's no way to patch them all. This doesn't mean security is impossible. It just means there's no such thing as perfect security and there are no magic bullets. Security is a necessary, expensive, and mostly boring part of any company's day-to-day business operations, like, say, accounting and the legal department. But that's not quite right, because most of your employees probably don't need to know much about accounting or the law. But they do need to understand the basics of safe computer use, so ongoing training should be a fat budget line item.

Anyway security is a process, not a thing you can just buy a little of from a vendor. You ignore the security process at your peril.

[meowface]

Good luck patching all the humans that work at, or with, your organization.

[staticassertion]

There is no plugging all of the holes. Not in a general case. It's like the halting problem (it's technically equivalent) - maybe you can say for one program there are no holes, but not for arbitrary programs, for arbitrary definitions of holes.

This is rice's theorem.

More practically, you can simply assume that for an arbitrary program of 'reasonable size' with a moving codebase there are effectively infinite exploitable vulnerabilities.

[scarejunba]

They'll just rubber-hose your teenage son until you give it up. I'd certainly give up a database password before I'd let my son get beaten by Bin Laden.

Or if they're not SuperMicro, then you'll buy hardware with a https://en.wikipedia.org/wiki/The_Thing_(listening_device) in it

[lawnchair_larry]

Two problems with that - knowing about all of your holes, and whether or not they are plugged, is impossible. Second, many breaches don’t even involve holes in your web app stack. Low tech attacks like phishing and malicious attachments are remarkably effective to get a foothold into a network.

[aidos]

I guess the stack itself is probably so deep and wide generally that the attack surface goes on and on. More than anything though, humans. Staff can be exploited easier than anything else in a lot of cases (I'd wager, not my area of expertise).

[spydum]

not right. there are ALWAYS holes - it's the nature of software, hardware, and humans.

[rodgerd]

Please, share with us your application stack that has no holes.

[guscost]

How about: “No amount of controls will stop someone truly motivated, skilled, and lucky.”

[bayesian_horse]

Yes, "someone truly motivated and skilled" is a useless statement.

The bar can be raised quite high.

[buboard]

a hacker needs only one hole. The security pro has to plug all of them. it s a rigged game that inevitably costs disproportionally

[burpsnard]

hereabouts, banks adopted new procedures after some incidents involving staff's families being kidnapped.

[samnwa]

Do you still use excel sheets for security assessment or some platform?

[CyberBank]

A combo of in house tools for creating findings from "non-standard" tools, (standard tools being nessus, app scan, etc.) Such as pen tests, responsible disclosure, red teamings, etc. We partner with Kenna Security pretty heavily in terms of tracking and consolidating our vulnerabilities, along with remediation prioritization and strategy

[chasemiller]

Completely agree. We're working on an idea to handle the boring stuff as part of YC's Startup School 2019. GDPR, HIPAA, CCPA, PCI, etc. compliance + penetration testing and risk assessments.

We'll be building it at: https://secquity.com or if anyone has any specific questions, feel free to reach out at info@secquity.com

[dyu]

from your website: HIPPA should be HIPAA

[CyberBank]

Might want to fix the Lorem Ipsum on the homepage for mobile towards the bottom :) for example

HIPPA Compliance Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc quam urna, dignissim nec auctor in, mattis vitae leo.

GDPR Compliance Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc quam urna, dignissim nec auctor in, mattis vitae leo.

PCI Compliance Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc quam urna, dignissim nec auctor in, mattis vitae leo.