Is it normal for sysadmins to own tickets on vulnerability reports?

[-]

brispower@reddit

Sysadmin role is not as defined as a lot of people think

Reply

[-]

My company thinks the SysAdmin role means one guy should own the entirety of IT, Networking, Infrastructure, Email, Cloud apps, Helpdesk, CyberSecurity, Contract management, Asset purchasing and management. I am this guy.

Reply

[-]

Bogus1989@reddit

🤣 my role people think is all those, and not exactly what you listed, but basically anything besides running commands on the actual switches….but everything connected to it onsite is my team besides medical equipment… My absolute favorite thing and joke (only the it dept and maybe some end users would get)is that im the MDM guy and the one people see ipad/iphone in the ticket…and dont even try, HURRDURR I NOT KNOW UNGAH BUNGAH, send to. yes it pissed me off….. but when anyone asks me ANYTHING…just any general question nowadays(even my coworkers, and director) I say: “I dunno? 🤷‍♂️ I just do iphones? 🤷‍♂️” its gotten to the point they have no idea if im joking or im actually serious…🤣🤣🤣😭😭😭😭😭 lots if times I know the answer but they think im serious and by the time i come out of my office to tell them they are gone

Reply

[-]

rosseloh@reddit

> and dont even try I got this a fair bit at my old job doing....well, everything, but it was for a small town shop slash "MSP" that supported both businesses and walk-in regular folks. We'd get a call about someone not being able to connect to their wifi and without even the slightest bit of diagnostics attempted, "let me transfer you to our network guy" and there I am stuck on the phone with grandma who had just accidentally pressed her wifi toggle key, when I was originally busy with some issue with one of our business clients...

Reply

[-]

Bogus1989@reddit

yeah, i learned to train people and build their confidence, without them even knowing what i was doing…😭 just to make it easier for me. actually those skills i have helped my mother and I become super close, I taught her how to “teach yourself” with anything….how to hold yourself accountable and have confidence in your new skill. im now learning things from her.

Reply

[-]

Yupsec@reddit

You have your leadership and peers convinced that you "just do iPhones", then you get annoyed when you come back from leave with a stack of phone related issues waiting for you. So you redistribute those tickets? I bet your team loves you.

Reply

[-]

Bogus1989@reddit

lmao… I meant that mdm is entirely in everyones scope. it is not just my job. i do everything they do as well…im saying its a bad mindset that our former team lead, lead terribly…infact when we got a new person who had never touched mdm in their life, they were more well versed and helped me complete half a project on their first 2 weeks…..they had more experience now than our team lead did in 7 years. Its a problem of refusing to help or learn.

Reply

[-]

Yupsec@reddit

I think I get what you're saying. The original comment makes it sound like you're the bad guy, though.

Reply

[-]

Bogus1989@reddit

yeah, i edited that whole thing above, i appreciate you pointing that out…really no ones a bad guy… Hope you have a good rest of your weekend.

Reply

[-]

Bogus1989@reddit

yeah. i kinda figured so…well thats my fault for its not really that bad. since we have a new team lead…her willingness to learn and learn and lead from the front has re-ignited my spark and inspired me.

Reply

[-]

SideScroller@reddit

While getting the pay for 1 of those roles.... if we got paid for all the hats we wore we'd be getting CEO level salaries

Reply

[-]

networkn@reddit

You are still doing an approx 40 hour week I presume. It means you spend less time on each task, or do each role less conpletely.

Reply

[-]

SideScroller@reddit

If you need to spend 40 hours a week doing your job then you fail to understand the automation portion of the work. It's not about the time, it's about productivity.

Reply

[-]

dustojnikhummer@reddit

And maybe one day you realize most people's work can't be automated anyway.

Reply

[-]

SideScroller@reddit

Most peoples work can be automated and then some, especially in IT. I dont know what you do, but you seem to live under a delusion that people are special and their work important.... not the case, everyone is replaceable and you arent some special being. Go bug someone else, you refused to explain yourself and continue to be an obnoxious little kid, grow up.

Reply

[-]

networkn@reddit

You utterly missed the point.

Reply

[-]

SideScroller@reddit

Pretty sure i didnt, but enlighten me. What is the point you are trying to make?

Reply

[-]

networkn@reddit

Go read my original comment again and think about it. Your response seems to indicate you missed the point as it addresses an unrelated point.

Reply

[-]

SideScroller@reddit

You were the one who responded to me first. Explain your point or dont, but this type of "i wont explain to you" response shows me why you would try to defend 40 hrs worked instead of amount of work produced.

Reply

[-]

Old_Acanthaceae5198@reddit

Lololol the vast majority of this sub does not have the communication or understanding of business value to be a manager much less ELT.

Reply

[-]

fakename4141@reddit

Not to mention anything with that runs on electricity.

Reply

[-]

spittlbm@reddit

Why is it so cold in my office?

Reply

[-]

ec1548270af09e005244@reddit

According to some around here also plumbing, furniture, and fixtures.

Reply

[-]

hurkwurk@reddit

And anything too heavy for the ladies up front to handle

Reply

[-]

architectofinsanity@reddit

Including the VP’s home WiFi and entertainment system. ಠ_ಠ

Reply

[-]

fio247@reddit

A couple months ago I was tasked with connecting an iphone to one of the owners car system. They have no idea what I actually do on the daily, I swear.

Reply

[-]

architectofinsanity@reddit

Oh they’ll question it hard when something breaks and they get one call from someone unhappy about it.

Reply

[-]

BoomSchtik@reddit

This is the way

Reply

[-]

hou6_91@reddit

This.

Reply

[-]

thecrabmonster@reddit

Sys admin for too may years lol. I make sure wherever I go they redefine it as systems engineer. That role brings more money. Sys admin is a way for companies to get engineers for cheap. sys admin does not pay as well as "sys engineer". Sys admins/engineers do everything in the IT stack and building domain..

Reply

[-]

tf_fan_1986@reddit

Especially if the phrase "other duties as assigned" is in the official job description...

Reply

[-]

TubbaButta@reddit

Wait... SysAdmin doesn't mean the whole technology department?

Reply

[-]

cowprince@reddit

It's defined as "support of all things software, hardware or electrical".

Reply

[-]

brispower@reddit

Anything that requires cognitive thoughts

Reply

[-]

Wickedhoopla@reddit

Especially in msp worlds. They just made up titles when I worked for them

Reply

[-]

Downinahole94@reddit

But yet they keep coming in this sub.

Reply

[-]

chemcast9801@reddit

Amen brother.

Reply

[-]

Artistic-Still-837@reddit

Yes security belongs to everyone. If your server OS is vulnerable you are responsible.

Reply

[-]

Rhythm_Killer@reddit

Is it normal for security people to attempt to own absolutely nothing? Yes yes it is

Reply

[-]

px13@reddit

So you’d prefer them taking action on systems you own when they only know the vulnerability and not the details of the system?

Reply

[-]

Zenkin@reddit

I think the question is "why are we paying for a warm body instead of just using a small shell script?" Any asshole can run a scan and filter for Warning and above.

Reply

[-]

Cheomesh@reddit

I get you, but there's value in separating these duties.

Reply

[-]

bonebrah@reddit

It's a bit reductive to think a vulnerability management program is someone running a scan and sorting it. That's not to say it isn't at many places, but their program must be severely lacking if that's the case.

Reply

[-]

maziarczykk@reddit

Is it normal for security people to contribute nothing, own nothing and create only [security theater](https://en.wikipedia.org/wiki/Security_theater) ? Yes yes it is.

Reply

[-]

inaddrarpa@reddit

Why should they?

Reply

[-]

Cheomesh@reddit

I've never had a role where I, the sysadmin, wasn't also the guy reading and acting on vuln reports.

Reply

[-]

TurboHisoa@reddit

In smaller companies, people wear multiple hats. I personally work in a NOC that is also a SOC and do some sysadmin and netadmin stuff on top of being a service desk, so I do at least 3 different job roles. Honestly makes it annoying to list on my resume. So yeah, not really abnormal and tbh, maintaining system security kind of is a sysadmin function like it is for any other aspect of maintaining systems.

Reply

[-]

fdeyso@reddit

“Security did security”, there’s no way in hell security goes in there and installs patches or changes configurations… Cybersec is there to advise and push you to do it, there are CVEs on routers/switches/appliances/hypervisors/vm-s/applications. Some security tools constantly whine about “remote user from random IP accessed this and this document, we’re all going to die”, response : “calm the F down, it’s a public webserver”, there are also some applications even by MS that require EOS .net versions for some of their features even in the latest supported version.

Reply

[-]

Fatality@reddit

Most brain-dead career path for real

Reply

[-]

Fatality@reddit

At an MSP you do everything, "security audit" usually means run a vulnerability scanner and provide the report. Some scanners make really nice presentable reports.

Reply

[-]

bbqwatermelon@reddit

MSP I was at was trying to get me to be responsible for vulns and remediation for the title and pay of help desk. Long story short I left that MSP as the owner did not want to pay for that level of work. The longer you stay at a company, the more roles they will tease out of you; that is just the nature of the beast. It takes time to establish boundaries and if they will not listen to reason or meet you halfway, brush up on that resume.

Reply

[-]

_TR-8R@reddit (OP)

Yep that's the impression I'm getting. My position is weird bc I don't like the MSP and can tell I don't want to be here long, but the client is actually awesome and super cool to work with. Being the only onsite rep mean I interact with them way more than my MSP so for the mostpart I'm happy. They've even stuck up for me when they saw my MSP was overworking me on some stuff. Definitely not sustainable long term but I think I'm going to stick it out for a bit to learn what I can while I'm still youngish, build up my resume.

Reply

[-]

Steve_78_OH@reddit

It's a company of 60 people, with you being the only IT "employee". Who else would be doing it? In larger companies it would be managed by a Cyber Security engineer or team, but for you...yeah, it's all you. If you want to keep working for that MSP, I would recommend talking to your boss on getting you some sort of security training and certification so you know what you're doing. Advise him that not doing so could result in you, as untrained as you are in cyber security, missing something critical and leaving the client open to attacks, which could leave the MSP open to a lawsuit.

Reply

[-]

illicITparameters@reddit

OP works for a MSP…. MSPs dont have ONE IT person if they’re 60 people….. what are you even talking about?

Reply

[-]

Steve_78_OH@reddit

Huh? He works for an MSP, but he's supporting one of the MSP's clients. And it sounds like he's the only MSP resource assigned to that client. This isn't about him doing support for his own company.

Reply

[-]

illicITparameters@reddit

I’ve never worked for, or known of a MSP that’s bigger than 2 people that only has a single person assigned to an account full time…. Also, a MSP of 60 people should probably have a security anaylst on staff.

Reply

[-]

Steve_78_OH@reddit

Again, it's the CLIENT that has 60 employees, not necessarily the MSP. Also, I worked for a MSP where we only had a single team member supporting smaller clients, with another designated as backup. But the primary generally did everything for the clients. I hate to make personal attacks like this, but as an IT director, I really hope you're more attentive to detail with work stuff than you seem to be when commenting on Reddit posts.

Reply

[-]

illicITparameters@reddit

Nah thats my bad. I didn’t see he was “onsite”. My apologies.

Reply

[-]

Steve_78_OH@reddit

I don't understand...someone on Reddit apologized, and admitted they were wrong? I'm so confused right now... j/k It's all good.

Reply

[-]

inshead@reddit

? OP works for an MSP and is assigned as the sole onsite resource for a customer of the MSP. It sounds like he may be dedicated to that customer/account. It’s not uncommon especially considering he is new to the MSP world. This role sometimes comes with a different title like “dedicated account engineer” or whatever mumbo jumbo terminology they are using now.

Reply

[-]

illicITparameters@reddit

My bad, I totally did not see “onsite” I retract my comment.

Reply

[-]

d3rpderp@reddit

Yes. Fix your shit.

Reply

[-]

_TR-8R@reddit (OP)

"Stop whining" my guy I haven't worked less than 60 hours in a week for the past month, I've gotten done literally everything I've been asked and some. I'm handling 100% of end user deskside work, user administration and doing projects and reporting to boot. All I did was ask "is this normal" and even specified I am not trying to get out of work. So kindly stuff it.

Reply

[-]

d3rpderp@reddit

That's fair but being overworked is entirely separate from the type of work. I read in your other comments there's a security team. This is their job. They should be able to give you a list of patches to apply and then you manage the application with the rest of your team, which I'm not sure even exists.

Reply

[-]

phoenix823@reddit

Absolutely. The InfoSec team's job is to find the vulnerabilities and it is up to IT/DBA/NetEng/DevOps/Developer to fix the issue depending on what it is. Windows patch? IT. DBA version upgrade? DBA. End of life network gear? NetEng. SQL injection? Developers. In my experience it gets a little cloudy when you start talking about Tomcat/Websphere because they tie closely to the app, so I generally put those on the developer to drive the upgrade with IT following their direction.

Reply

[-]

iheartrms@reddit

Patching and configuration fixes are exactly what a sysadmin does. I'm in security and often specify and operate the security infrastructure like vuln scanners and I help sysadmins interpret CVEs and advise on how to remediate and what severity the CVE really is for us but I don't patch it. We always have more sysadmins than security people so we scale security by letting sysadmins do that.

Reply

[-]

_TR-8R@reddit (OP)

I think I wasn't clear, I'll handle the patching and remediation, what seemed like a lot was the responsibility of reviewing the reports, creating the remediation plans and then remediating them myself. Personally I would feel more comfortable with security monitoring those reports then telling me what to remediate, ill happily manage the rest.

Reply

[-]

Hotshot55@reddit

You're responsible for the OS so you should be driving the remediation plan for it.

Reply

[-]

BiscottiNo6948@reddit

You own the reports and manage its distribution and follow-up its resolution. Not necessarily you doing the actual work on areas that is not under your expertise. So the Database vulnerability needs to be sent to the DBA's. the network/firewall issues goes to the network engineer, the OS goes to the sysadmin and so on. This is where you create the ticket, attach the vulnerability and send to the correct group to remediate. Now each SME will evaluate and plan how to address the vulnerability. For some, they may involve DevOps to test if the replacement/workaround is compatible with the existing application. Once tested on the lower environment, they will do the actual deployment on production (via Change Management). Other than those under your expertise (ie. OS patching, Security Hotfixes), these are the tickets you assigned to yourself. Still Overall, your boss will want you to coordinate, do the follow-up with the teams to insure everyone is doing their part. Excel is our best friend and it is all the report you need to send to your boss if he ask for progress.

Reply

[-]

IMplodeMeGrr@reddit

Vuln team should own distribution of these tasks to the appropriate teams based on a list of systems, processes/applications assigned to team owners. It is common that if a system/app owner is not identified, sysadmin gets stuck with it, or stuck finding the owner for it. Once owners are found, owness then belongs to vuln team.

Reply

[-]

BiscottiNo6948@reddit

Yes in a well-oiled/organised environment. But the circumstance of the OP is that he is the lone specialist sent to that client. And his boss gave him this work. We can only guide him to lighten up his load at the same time still meet his manager's expectation of "managing" the vulnerability patching cyclle.

Reply

[-]

IMplodeMeGrr@reddit

I agree with this, just, his manager is paying too much for that defined work. LoL

Reply

[-]

maziarczykk@reddit

To me it is. I do it every month.

Reply

[-]

Royal_Bird_6328@reddit

The joys of working for an MSP unfortunately ☹️ most not all are like this, heavy work loads.

Reply

[-]

serverhorror@reddit

Well, you're a SysAdmins now. Not your job is not an option ![Choose SysAdmin](https://www.adminspotting.org/Adminspotting-600x600w.png) (Source: https://adminspotting.org/)

Reply

[-]

byteme4188@reddit

Ah man this brings me back to the days I worked as a "sysadmin" for an MSP. I was the L1, L2, L3, Cloud engineer, Network Engineer, and the entire SOC Team 😂

Reply

[-]

_TR-8R@reddit (OP)

yeah... yeah I'm beginning to feel that lol. I think while i'm young and relatively new in my career this is a good thing, I'm getting a ton of experience and learning a lot, but this doesn't feel sustainable long term.

Reply

[-]

dio1994@reddit

Yup. Just get it done and make sure you log your time so they can bill for all of it. :-) I don't miss those days.

Reply

[-]

byteme4188@reddit

Yup. Used to send weekly reports of all my work I completed. Unfortunately I never really saw any of that money they were billing for so I built up my experience and left for a company with an in house IT. Much better. Working remotely now

Reply

[-]

dio1994@reddit

COVID-19 worked out for me personally. I ended with like 5 Intune and migration to SharePoint projects at once. The engineers reporting to me mostly didn't have that experience and I got burnt out. I took that knowledge and ran. I have managed to almost triple my salary since then. Now inflation since hasn't helped. But in general, the MSP world overworks, over-promises, under-delivers, underpass, has empty promises and lies to all sides they deal with. You will see a ton and learn a lot though. Generally how NOT to run projects. 🤣

Reply

[-]

chalbersma@reddit

Assuming you have no budget (because nobody has budget anymore am I right!). You might want to consider spinning up a [Defect Dojo instance](https://github.com/DefectDojo/django-DefectDojo); there's also a IMHO reasonably priced hosted version of it. It can accept a large number of common reports and report formats, dedupe reports on them and then help you file and manage those issues as tickets (in theory in a number of systems but generally as Jira).

Reply

[-]

_TR-8R@reddit (OP)

Pretty sick. Fortunately my client shelled out the $$$ for E5 enterprise licenses, so we've got defender for endpoint on all devices on top other stuff I probably shouldn't disclose so for endpoints we're fairly locked down. I'm interested in automated remediation though, to my knowledge defender doesn't do that.

Reply

[-]

chalbersma@reddit

Ya Dojo won't help you auto-remediate items. It really going to help you catalogue and track the items you've got. It's been my experience that auto-remediation is never really as good as it could be.

Reply

[-]

halodude423@reddit

Hell, i was at a gov contractor and the desktop techs owned them.

Reply

[-]

siscorskiy@reddit

Common in my org yes

Reply

[-]

Character_Deal9259@reddit

My last job decided that there would no longer be any specialization within the company roles. Project Manager? SysAdmin. CyberSecurity Engineer? SysAdmin. Compliance Manager? SysAdmin. CyberSecurity Manager? SysAdmin. Network Engineer? SysAdmin. NOC Manager? SysAdmin. Server Admin? SysAdmin. No unique titles, no salaries based on the specific roles that you do. Nothing. Additionally, everyone was meant to do every single one of those above specific fields. Everyone was assigned projects, everyone was assigned cybersecurity work. Everyone was assigned compliance work. And so on. This was a back track after they had originally been working towards hiring people to work specific roles within the company in order to better streamline processes. We were an MSP, and they hired a new Team Leader who had never worked in an MSP before, and he convinced the owner that generalizing everyone's roles was the best route to streamline the business.

Reply

[-]

midwest_pyroman@reddit

There is one thing missing in the comments so far - the Risk Mangement. Security team yes runs vulnerability scans, systems admin / network admin does fix - but the risk manager / team has to review the scans to decide on course. I used to work for an MSP and encountered this many times where some vendor would run a scan, kick out a pdf then it was sent to the grunts to read, try and figure it out and "just fix it". And if you broke ops or caused impact to VIP you were hauled on the carpet. This is one part of the MSP model that is badly broken.

Reply

[-]

Bogus1989@reddit

YES THIS! we have a system that scans abnormal things as well as regular IT stuff…like smart appliances or medical equipment or security cam systems…basically checking out firmwares and what not…and yes theres a million “red flags” in the console, but some of them are stupid and worthless and domt apply

Reply

[-]

Bogus1989@reddit

how about just make it so each team has access to whatever youre looking at…so they get the vulnerabilities?

Reply

[-]

Bogus1989@reddit

I will happily do those extra duties, hut I would like my pay to show that. bare minimum. double my pay. sounds good

Reply

[-]

aXeSwY@reddit

1-In our world, the scope of responsibilities really differs from one company to another. You will be surprised how many ITs do things without certification, so don't shoot yourself in the foot, this could help make your resume more interesting in the future and if you opt for a certification you will have the sweet sweet experience as well that companies look for. 2- unless you done the report you cannot claim it will be too much work, do it once , take note of work effort and hours require for a monthly report, and discuss it with your manager, they will claim probably the first time doing something it's always more difficult but beat them to that point and tell them you will do it one more time hopefully you find a better way to optimize the workflow ( throw fancy IT terms, they love it) , if it takes 20-30% of your total bandwidth let them know so you are off the hook if they ask about other responsibilities. 3- I understand that different teams own different products, If you can gather their reports, find the one that you think will be best as a template for reporting, ask the others to adapt something similar, this way it's less workload for you. 4- you be surprised how many vendors/service owners don't cover their vulnerabilities because of misunderstood of the phrases "If it ain't broke don't fix it". 5- having visibility over all the risks is a good thing for a sysop, because you will be responsible for ensuring every team will patch their vulnerabilities ASAP and if something stops working suddenly you know that the patching that team X did last night may be the cause and worth looking into, your bridge call attendees now is that team, because during an outage, trust me, getting the responsible people on the call may not be as easy as you may think.

Reply

[-]

Djblinx89@reddit

The only thing that would be your responsibility is patching to resolve said vulnerabilities. Not every single vulnerability will fall under your purview, but most will.

Reply

[-]

BoomSchtik@reddit

I would say yes.

Reply

[-]

Cutoffjeanshortz37@reddit

My team of 8 ppl is the apps team. We get vulnerability tickets for the servers and the apps on user machines. How is security supposed to know what to do besides identify the problem?

Reply

[-]

owlwise13@reddit

It is usually better defined in bigger companies were you have various groups that manage different parts of the IT infrastructure. At smaller companies, you are the jack of all trades, just because they lack the manpower to have fully defined groups. The upside, you get to do a lot of stuff, that sysadmins at big firms never do and your work is very varied, so it is less boring and you learn a lot more.

Reply

[-]

pegz@reddit

SysAdmin alot of the time means everything falls onto you ultimately.

Reply

[-]

number4drunkenuncle@reddit

I wouldn't consider this outside my scope of responsibilities as a sysadmin. They're paying you to be there. If this is what they want you to do while you're there then do it. InfoSec's job is to identify the problems and provide policies governing their mitigation. It isn't their responsibility to fix it, so why would managing the fixing process be? You could look at this as a great opportunity to grow. You're getting to see, learn, and understand how to resolve and verify all of your customer's vulnerabilities under the guidance of an experienced security engineer. You're interacting with them regularly and owning a process that is important to them. You're also interacting regularly with your customers, and getting the opportunity to show them your talent and reliability. Youll notice patterns pretty quickly in the process that means you can automate them making this easier over time. I would jump on this if I were you. It'll be a pain in the ass for a while for a great long time reward. Dive in and own that shit!

Reply

[-]

Consistent-Baby5904@reddit

you may still need to do some of the ground work before it can be realized. document what needs to be done and try to automate it. work with the info sec engineer and review the concerns of the client in totality of protecting their data & assets and mitigating as much as possible where you can. but don't assume that you're going to be doing it forever. approach it like a project manager and leader. you have to weigh in your weight of the effort before you can truly calculate how the proposal of different avenues can be taken. if you don't have a jr tech helping you, then try to problem solve with ideas and document how you can automate and support the process. MSP admins you may be involved in sales engineer negotiation later, so always be sharp with the numbers and storytelling. influence works in your favor when you can approach the situation like an expert. something to keep in mind, that your clients will not always be in the same revenue park. many orgs grow and fall, so if your one client grows and onboards their own IT, your reputation falls on the idea of you being able to hand work back to clients or promote from within your org when another tech takes your place.

Reply

[-]

mrcluelessness@reddit

Yes. Im a network engineer for a Fortune 100. We have a very large cyber security team due to our industry. Cyber creates and run scans. Then they send me an email "there's vulnerabilities fix it in X days/weeks/months". I got through the vulnerabilities, look for configuration changes or updates to address them, test the fix, make a spreadsheet of devices to be fixed, then go through and address all the concerns. Security's job is to find out an industry's security regularions, be aware of new major hacks, new major vulnerabilities, and identify if their systems are vulnerable. They take that information and set standards and tell admins/engineers to meet said standards. A lot of cyber security isn't super technical they're administrative. Also, it's an honest thing. I got security to let me run my own scans. I have full access to the systems. I could block scans to make them look better. If I had full rights I can edit scans to not see things I don't want to fix. So I don't get access to change what's being scanned, core settings, normal scheduled scans, etc. I can just review reports of scans, run my own for new devices/seeing if an concern is addressed, and advise what should be scanned. You separate IT and security to hold each other accountable so someone's laziness doesn't get us hacked.

Reply

[-]

androsob@reddit

What I think should happen is that that vulnerability report should include mitigation in a detailed and specific way. Your responsibility is not to mitigate, only to apply what security tells you. If they do a bad analysis in mitigation, the responsibility is theirs. It is up to you to evaluate whether the mitigation generates a small or large impact and whether it should be executed or not. Not all vulnerabilities should be mitigated, that is, they should not run their process and send you the raw report without further ado. Security has to evaluate both at the security level and at the business level if mitigation is really required or if the impact is very great, the vulnerability should be treated in another way. At the resume level, it will help you to see security issues and you will learn a lot, so I do not recommend that you avoid that type of work.

Reply

[-]

inshead@reddit

My guess is that since you are assigned as the dedicated resource for this account/customer that you will (with more time) have the best insight into why a vulnerability exists and how to best approach handling it. I doubt they are looking for you to provide an in depth breakdown on each vulnerability and more likely just information about the business process involved in each vulnerability.

Reply

[-]

Rolli_boi@reddit

If you’re doing VM for 60 personnel running the same machines it’s not that bad. If you’re doing it for 60 personnel running different machines from different vendors, databases, different OS. It’s a nightmare to do in addition to other duties.

Reply

[-]

michaelpaoli@reddit

>normal for sysadmins to own tickets on vulnerability reports Yes, quite normal/common. Security is a fundamental part of sysadmin's job/responsibilities. Really part of essentially everyone's job - but that's another topic. So, e.g. as part of my sysadmin(/DevOps) job/role, one place I worked not that long ago, we'd get these security/vulnerability reports - based upon some scans. They'd be like 10,000+ like worksheets - not exactly highly useful/actionable in that format. Yet I'm handed 'em and basically "deal with it". So, I wrote some programs ... mostly Perl - but whatever, Python or the like could probably do it too. So ingest all that data - IPs, severity, specific vulnerability details, etc., and greatly simplify it into highly useful actionable information. For all relevant IPs, added hostnames, simplified a lot of redundant verbiage, grouped hosts having matched sets of vulnerabilities giving single entry for each such grouping and containing the list of host and count of hosts impacted, had adjustable severity threshold to cut out the "noise", and turned it into a highly actionable summary report that would typically be between 6 and 25 rows of worksheet output, ranked by highest severity in a matched set of vulnerabilities, then within that sorted by number of hosts having that same set of matched vulnerabilities, and on down to whatever cutoff had been selected. This then gave us highly useful intelligent information both for overview of the situation and highly actionable, as we could target a specific set of vulnerabilities as a group, across and entire range of hosts (all having such) at once (or chop it down into smaller subsets thereof for operational reasons - e.g. don't reboot all 600 prod hosts at once to address the same kernel issue). So, yeah, all part of a day's work - pretty routine stuff as far as I'm concerned. Yeah, I'm not at all uncommonly the one who spots and reports vulnerabilities - creating tickets or the like, handles vulnerabilities and other security issues, makes security and other recommendations, implements fixes, much etc. Even taught sessions on security. E.g. one I've presented multiple times, I titled something like "security for developers from a sysadmin perspective" - not so much that developers don't pay attention to security, they (generally/hopefully) do ... but mostly tend to come at it from a different perspective, and often miss things that are quite relevant, or make mistakes or poor design decisions that could be much better handled - notably with some more attention to relevant OS considerations. And I'd oft give many examples of security problems that originated from development side, that could've been well avoided with some better knowledge and/or attention to relevant OS considerations. (developers are often mostly focused down within the code itself, and perhaps also thinking about common network and related exploits, and oft mostly or entirely overlook everything else that's rather to highly relevant to security).

Reply

[-]

Vortech03Marauder@reddit

It's normal for me. I'm the senior sysadmin at my company and server vulnerability scanning and management are 100% my job. And your boss wants it done monthly? I'm scanning and addressing issues weekly.

Reply

[-]

rootkode@reddit

Yes. This is why it sucks sometimes to work for smaller shops.

Reply

[-]

GoodLyfe42@reddit

Information security usually just reviews scan results and prioritizes vulnerabilities. They rarely have access to actually remediate. It be dangerous to have the person monitoring also fixing. The remediation goes to whoever maintains/patches/upgrades the machine with the vulnerability.

Reply

[-]

_Cold_Ass_Honkey_@reddit

Just wait until you get called into a move and become the "Jr. Facilities Manager."

Reply

[-]

LeTrolleur@reddit

If a vulnerability is found for something under my responsibility, then it is my job to either fix the problem myself or find the right person who can. It's quite common for vulnerability scanners to also offer advice on how to fix. I imagine this specific question can vary in terms of answer based on type and size of company though. But no, I wouldn't say it's out of the ordinary, it could be as simple as disabling outdated TLS versions on a system you admin.

Reply

[-]

LenR75@reddit

Sure, sysadmins are the ticket oeners of last resort.

Reply

[-]

JankyJawn@reddit

Dude with 60 people, if you're the IT you are the sys/net/sec admin/engineer and the help desk. It is what it is. Your "title" is pretty much just fluff at that point.

Reply

[-]

fireandbass@reddit

In our shop, if you have to do something, anything, it gets a ticket. If theres a AV alert and you have to check on it, thats a ticket.

Reply

[-]

syberghost@reddit

This has been one of my primary job responsibilities for most of my career.

Reply

[-]

SirLoremIpsum@reddit

> I'm not sure if this is normal but this feels like a lot of work and also like I'm owning/driving security issues, which I'm not specialized in and don't even have certs for When you're the only IT person for a 60 user shop you have to wear many hats. In my experience the Security team doesn't "do the work", they identify problems and it's only the infra owner / app owner / service owner to make those changes. So honestly if you're in a small shop and you get a security report... Yeah I can see it's on the only IT person to remediate those vulnerabilities. But again you're the only person on site. Sysadmin is nebulous by definition. There is no work contract laid out with specific goals. Let alone having a specialised position in such a small team. A team of 100 IT people yeah sure say I'm not security but a team of 1 or even 10...? Does it matter...? You're going to end up doing lots of different things that are a bigger company would have an Identity Management Team, a network team, a security team, a dedicated helpdesk.

Reply

[-]

ISU_Sycamores@reddit

In my org it’s normal for us to own business apps, their configuration and change management. So it’s not abnormal for us to own a ticket to remediate a vulnerability.

Reply

[-]

ZeroT3K@reddit

Security engineers aren’t responsible for making changes in my experience. Most security engineers are auditors or penetration testers. It normally falls to the system engineers managing infrastructure to apply configurations that remediate vulnerabilities found by security teams. In our MSP, it’s not uncommon to get clients who have received audits from other companies that then shop around for others to do the remediations.

Reply

[-]

FerryCliment@reddit

To my eyes depends on the actions needed. I think its fitting that you own the last action on the Security life cycle (applying the fix) ensuring it is rolled out, or working with users to fix disruptions that might come from applying fixes to those vuls. However, I also think that those actions need to be somewhat tailored to your role, like the report should contain, what, when, who, and a next steps, something that help you understand quickly what it is, and what Security team gives you as next steps to fix or cover the hole. The question is, regardless what shows up in the title, that report what does look like, a Security Jargon or there is a Next steps highlighted when its passed to you?

Reply

Reply to Post

116 Comments