Monthly Archives: November 2017

Shodan for the IT Pro

So there you are dropping by your customers and making sure their servers are patched and systems are running normally. For security you make sure AV is running and the firewalls are configured, but what are you missing? Do the customers have access to make changes to the firewalls? Do they have marketing teams or engineering groups who stand up systems outside the company? How can you determine what is out there for your clients?

Shodan IP Camera Search

Well, that is where something like Shodan comes into play. It is the Internet of Things search engine. You can search for everything from IP web cameras to industrial control systems. But what does that all mean to the IT consultant just trying to keep their clients online and running? Well, let's talk about those engineers or marketing people. Shodan allows you to search by IP addresses/networks, protocols/ports, and keywords. The free version will let you search for the basic web protocols – 80, 443, 23, 21, etc. With a paid subscription you gain access to searches on any port as well as the ability to run reports. This has been a well-known tool to those of us in the information security industry, whether we are performing recon activities for a penetration test or building intelligence for an organizational threat assessment. Or just simply identifying possible shadow IT systems deployed without our knowledge.

Shodan Organization Search

So what value is this to the IT pro? Well, you can perform checks of your clients' IP space or perform an organization search – org:"Your Company Name". This will typically display the information from the TLS certificate. From there you can review the IPs and host names and run additional checks on the network ranges. This is just the tip of the iceberg of what is available from Shodan. They have APIs available that can be used with scripting languages such as Python and even PowerShell. Scripts can be written to schedule regular checks on specific terms or searches of known address spaces. This becomes a great resource for those smaller organizations that do not have the large budgets to perform full threat assessments or implement threat intelligence practices. And at the very least it makes for a fun Saturday morning activity while you have your coffee.
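As an added example (not code from the original post), here is the kind of scheduled check the paragraph describes: it runs the org:"..." search through Shodan's REST search endpoint, groups the results by IP with their hostnames and open ports, and flags any port outside the set the IT pro expects for that customer. The API key is read from an assumed SHODAN_API_KEY environment variable, and the sample response embedded below is constructed, not real Shodan data.

```python
"""Summarise a Shodan org:"..." search into a per-IP footprint report.

Assumes Shodan's /shodan/host/search REST endpoint and an API key in
the SHODAN_API_KEY environment variable. SAMPLE_MATCHES is constructed
test data shaped like a Shodan response; it is not real scan output.
"""
import json
import os
import urllib.parse
import urllib.request

# Ports you expect this customer to expose to the Internet (assumption).
EXPECTED_PORTS = {80, 443}


def fetch_org_matches(org_name, api_key, timeout=30):
    """Run org:"<name>" against Shodan and return the raw 'matches' list."""
    params = urllib.parse.urlencode({"key": api_key, "query": f'org:"{org_name}"'})
    url = "https://api.shodan.io/shodan/host/search?" + params
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["matches"]


def summarise(matches, expected_ports=EXPECTED_PORTS):
    """Group matches by IP and flag ports outside the expected set."""
    hosts = {}
    for m in matches:
        entry = hosts.setdefault(m["ip_str"], {"hostnames": set(), "ports": set()})
        entry["hostnames"].update(m.get("hostnames", []))
        entry["ports"].add(m["port"])
    return [
        {
            "ip": ip,
            "hostnames": sorted(e["hostnames"]),
            "ports": sorted(e["ports"]),
            "unexpected": sorted(e["ports"] - expected_ports),
        }
        for ip, e in sorted(hosts.items())
    ]


# Constructed sample shaped like Shodan 'matches' entries (not real data).
SAMPLE_MATCHES = [
    {"ip_str": "198.51.100.10", "port": 443, "hostnames": ["www.example.com"]},
    {"ip_str": "198.51.100.10", "port": 80, "hostnames": ["www.example.com"]},
    {"ip_str": "198.51.100.25", "port": 554, "hostnames": []},
    {"ip_str": "198.51.100.25", "port": 8080, "hostnames": ["cam01.example.com"]},
]

if __name__ == "__main__":
    key = os.environ.get("SHODAN_API_KEY")
    matches = fetch_org_matches("Your Company Name", key) if key else SAMPLE_MATCHES
    for row in summarise(matches):
        flag = "  <-- review" if row["unexpected"] else ""
        names = ",".join(row["hostnames"]) or "-"
        print(f'{row["ip"]:15} {names:25} ports={row["ports"]}{flag}')
```

Without a key the script prints the report for the constructed sample, so you can see the "review" flag on the host with 554 and 8080 open before pointing it at a real customer footprint.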

InfoSec Talent Shortage

So this has been an ongoing discussion in the industry for a while now.  As companies continue to grow and expand their digital footprint, they expose themselves to a greater number of threats.  In turn they need people to manage the monitoring and mitigation of those threats as well as the remediation when things go south.  So the solution that all the research firms recommend is to hire an MSSP, because they can do all the things!

How do the MSSPs fill their positions?

That is a question that should be asked when considering that path. Some suggest the MSSPs pull from cheaper labor pools. If that is the case, then what are you actually getting when signing up with these providers? If you are getting cheap labor then you are either getting under-skilled analysts and engineers, or barely entry-level prospects with the ability to read a script and follow a basic procedure. The information security industry is not an entry-level service. The "junior" analyst needs to have a general understanding of what the base technologies are and how they work. If they are looking through logs and see an IP address, they should know how to look that up and find information about it. Or if a website isn't loading correctly, where to look to see if it is a network issue, web filtering, or simply just a bad site. On the flip side, a junior analyst would need to know how best to pull in a lot of data and turn it into a presentable format to show to the customer. That being said, are their "senior" analysts just the juniors with more training? How many of the MSSP's staff are actually veteran IT/InfoSec professionals? How many have had to build and support their own infrastructure? Or are they just good readers who simply email you a canned alert from your SIEM and say "it might be something..."? Or are they truly skilled people and the MSSP is offering some pretty good incentives to come work for them?

What are we not offering to entice the skilled labor our way?

  • Are we not offering competitive salary and benefits?
  • Do we not provide enough training opportunities?
  • What are prospects looking for?

Salary and benefits are great to pique some interest, but frankly, if it is truly competitive, at some point there is a ceiling and it won't mean much to a seasoned security architect or engineer. They might be looking for a fun challenge or perhaps a good balance between work and life. This industry provides its share of challenges, both fun and frustrating. That last bit can lead to some pretty heavy burnout, which then leads to people exiting those positions or, worse, staying too long and becoming a toxic member of the team. Burnout and stress can lead to poor health, so all the money in the world is no good if you are spending all your time in doctors' offices trying to figure out why you aren't sleeping or have a sudden heart condition.

Training! Offer it and don't be cheap about it. It's the old argument: "what if we train them and they leave... but what if we don't and they stay". Those of us in the industry are not new to self-education, but you as an employer cannot expect that we want to use our free time to learn something that is related to a specific technology we use in that particular job. For example, if we are interested in IoT security research and we spend our free time in our home labs tearing down the latest IP camera to see how it works, we don't want to give up that time to go through the vendor training for our latest spam filtering service. That should be done with reserved time in the office. Now, if you offered the latest in SANS training, then you might pique our interest. This is vendor-agnostic training that promotes principles and techniques across various subject matters in InfoSec. Sure, the classes are expensive, but they are worth every penny. Many can be done remotely or in self-paced virtual classes. That means no travel expenses!

So money isn't everything: do you offer decent enough vacation time, and will your prospects be able to take it? Time off is no good if the prospect is the only member of an incident response team and is on call 24/7. Be realistic in your expectations of the position and be able to support time off for your staff. But even vacation time may not be a big seller, especially if it includes sick time as part of the bank (generic PTO vs. separated vacation and sick time). Maybe your prospect is looking for an employer who is active in the community and in turn encourages speaking opportunities both inside and outside of the company. One other possible draw is the career paths available to your prospects. Will there be manager opportunities or senior lead/SME positions available? Not everyone wants to be a CIO, and there are usually plenty of managers.

So how do we fix this?

There will be no simple solutions to this. In many cases, you have to realize there is not a lot of difference between your org and the one next door. You both have similar problems to solve and need similar positions filled. At the end of the day it makes little difference to your prospect if you sell X widget and they sell Y. In the end we like puzzles that have possible solutions, not a mess of knotted Christmas lights that keeps coming.