Are all security consultants useless?

[-]

Low_Researcher4042@reddit

Some are great but most just tick boxes and leave

Reply

[-]

a60v@reddit

Most consultants in general are useless. This isn't limited to IT.

Reply

[-]

We used to hire $300 “brilliant” consultants that suggested the exact same changes we told the stakeholders about. But we were “free” I guess you only get listened to if you charge a butt load of money. Most of the suggestions by the consultants were implemented

Reply

[-]

a60v@reddit

Sounds about right. What was the result when the suggestions were implemented?

Reply

[-]

Stonewalled9999@reddit

I wish I could tell you. We went bankrupt after paying millions for consultants

Reply

[-]

Go_F1sh@reddit

in my experience anyone in IT who didnt start in helpdesk and work up from there is basically useless

Reply

[-]

Stonewalled9999@reddit

Agree 99 percent. I didn’t start in HD and I am pretty useful. But I also started in the DOS 5 and Netware 286 days.

Reply

[-]

IamHydrogenMike@reddit

When I used to work support roles, I always felt that product managers and developers should spend a few shifts working with a support engineer to see what issues we see and how customers actually use the product.

Reply

[-]

kaiveg@reddit

There is software development methodologies where this is one of the core pillars. Extreme Programming. But working that way is too costly for many companies.

Reply

[-]

CallistaMouse@reddit

I spent years trying to suggest this to the management team at a previous company. One of them spent about an hour and a half shadowing a field engineer once and couldn't keep up, but decided he'd done enough and disappeared for the rest of the day. And then when they outsourced us all they were surprised by the amount of stuff we all actually did.

Reply

[-]

samtresler@reddit

I freelance at a major restaurant review site where people bought subscriptions quite a while ago. They located customer service in the block of open office desks right beside the developers. The brilliance of this became apparent when we relaunched a whole new version of the site one day, and as we're all sitting there patting ourselves on the back for finally putting the beast into the wild it began. First one phone ringing.... then two.... then five.... Within 15 minutes it was beautiful pandemonium. Not a single developer (or me, the transition sysadmin) didn't realize the consequences of what was happening or the urgency. Thankfully, they managed to push a few patches instead of a total rollback. But knowing you just ruined 40 people's entire day definitely put it in sharp focus that what the developers thought were minor issues for a future release needed to be fixed *now*.

Reply

[-]

tankerkiller125real@reddit

And this is why come companies actually do this, I know Cloudflare has this policy and it even applies to the CEO.

Reply

[-]

kuroimakina@reddit

The only exception is home labbers. Some people don’t start at help desk, and end up in a different role (developer, junior sysadmin, etc). The best people are usually the ones who do sysadmin type stuff for fun, because then you know they’re in it because they want to be - which makes them much more likely to actually take it seriously and learn as much as possible. Beware anyone who just went out, got a bunch of certs, but has very little experience on their resume and just considers tech a “job.”

Reply

[-]

Go_F1sh@reddit

Agreed, love when people have the curiosity to learn up for the sake of it.

Reply

[-]

SchizoidRainbow@reddit

Agree but in IT there was this huge meltdown in the early 2000’s, Nortel, IBM, all these tech jobs just vanished. At the same time India Online was just becoming a thing, and “Outsourcing” began. Most of the laid off people here found other work. No new jobs really started here for ten years. Then it kind of shifted back this way, and new techs started coming up again. So there’s this weird generational gap in IT. Those of us who survived the purge like feathered dinosaurs are harder to find. Now is the age of mammals.

Reply

[-]

Go_F1sh@reddit

Interesting, I came in later in the 2010s like you described, so I missed out on the big shakeup there. I appreciate the perspective

Reply

[-]

-RFC__2549-@reddit

I'm glad I'm not the only one who things this. I'm tired of talking to security people that don't have a clue how things work but want to tell people how to manage them.

Reply

[-]

ArticleGlad9497@reddit (OP)

Yeah I've butted heads with this same guy on things like this too. He wanted me to implement some ridiculous lockout policy before because of a "low level bruteforce attack" We already had a 14 character minimum password, complexity enabled, lockout after 3 attempts and auto clear after half an hour so at a rate of 146 passwords per day it would take millions if not billions of years to get anywhere near brute forcing a password of that length.

Reply

[-]

Lethalspartan76@reddit

Usually my consulting is related to telling people they need to shoot for a complex 15 character passphrase and other sensible measures, MFA, do most of what Microsoft defender asks you to do, update everything, run scans (partial is not the same as full), get a complete asset inventory, yes even printers, OT, network stuff, etc. train users, dump old guest or employee user accounts, cleanup your AD groups, and write down this stuff in policies. The actual work is when there’s malware or some type of breach and you have to do remediation. Or fleshing out the disaster recovery & BC processes.

Reply

[-]

DeathIsThePunchline@reddit

I usually just pin them down to prove how fucking stupid they are. well usually the first thing I do is ask what we are out of compliance with to see if they can actually provide any kind of documentation to substantiate their position. and then I tear it apart.

Reply

[-]

1996Primera@reddit

I feel attacked I never did helpdesk And never needed it I started in mainframes.back in the day (2004), pivoted to aix around 2008 Did server work for Dell and HP Then landed a professional services role for emc for a few years Then pivoted to systems engineering around 2010 and hone'd my craft since then. Fuck end user support , that shit sucks and 99.9999999% of them lie as to what caused their issue Now as a sr architect I still do not miss or give a flying fuck about helpdesk services desk w/e fancy name you give it...fuck that shit

Reply

[-]

Go_F1sh@reddit

Sounds like someone should've done a tour in helpdesk

Reply

[-]

serverhorror@reddit

I started as a SysAdmin. Hell of a ride, small company. Was even a RIPE member with our own AS. Dealt with everything. I never considered myself being "help desk". Did I respond to the secretary who can't send email? Definitely! But sure, I'm useless. Achievement unlocked, I guess ...

Reply

[-]

Dizzy_Bridge_794@reddit

I agree. I was offered a job back in 1993 to run IT at a small Bank with no other staff because they had all just quit. Thrown into the frying pan and didn’t go home until it worked. Those thirty years of experience can’t be replaced. I consulted cyber for six years at 250.00 an hour. Way too many paper consultants who know nothing.

Reply

[-]

TheLegendaryBeard@reddit

I tend to agree with this. I started in IT 14 years ago on the help desk. Went to network admin, server admin, manager, and now specialize as a security consultant. You need (or should) know how things work from the bottom up. Makes your job as a consultant so much easier. Definitely know that isn’t the case though.

Reply

[-]

WorthPlease@reddit

100% agree, I will never hire somebody no matter how good their degree or certs are unless they have help desk or desktop support. It's so easy to cheat that stuff, I've done it myself. Congratulations, you passed some tests, guess what? There's no multiple choice in the real world.

Reply

[-]

Draoken@reddit

Im a pentester who started in help desk and worked my way up through a pretty respectable chain, with exposure to lots of companies in between both small and fortune 500. I also have a degree. I still feel pretty fuckin useless. I wish I had spent a few years as a sys admin instead of just adjacent. I cannot imagine being a new grad with nothing but a degree or boot camp trying to tell sysadmins what to do.

Reply

[-]

FlibblesHexEyes@reddit

Imposter syndrome is normal. It’s when you stop feeling that that you should start feeling concerned.

Reply

[-]

ProfessionalWorkAcct@reddit

I'm sure you're great but the useless part is because you can't know everything.

Reply

[-]

OgeFace@reddit

As a security consultant I couldn't agree more with this.

Reply

[-]

jaydizzleforshizzle@reddit

Symptom of the times, things have gotten big, systems can’t be maintained by one person anymore, sure you can have a young helpdesk guy built up, but often corporations need a singular thing done, so they hire those skills. Not realizing a single thing outside of that domain is a black box to the hire, so they hand off black boxes to other people who do a singular role and they black box it all to an admin who then has to piece it all together, without specific domain knowledge, cause admins are systems people, not domain experts. We find the glue, we don’t decide what gets glued together.

Reply

[-]

popegonzo@reddit

Hey hey hey, I started in helpdesk and am still basically useless!

Reply

[-]

QuietGoliath@reddit

This! I detest 'specialists' and 'consultants' who have never picked up a first line ticket in their life. Let alone designed, deployed and rolled out a full production system for anything.

Reply

[-]

Zombie13a@reddit

"Consulting: If you're not part of the solution, there's good money in prolonging the problem". Truer words have never been spoken (or typed), and nothing in the last 30 years has changed my opinion.

Reply

[-]

dasreboot@reddit

started in the NOC, but had to do tier one for web designers, who can be just as stupid sometimes. Does that count?

Reply

[-]

phantomtofu@reddit

I stole my flair for this sub from someone else years ago - I like to think it adds credibility to my posts.

Reply

[-]

sysacc@reddit

This is a surprisingly good take on things.

Reply

[-]

ProfessionalWorkAcct@reddit

I think this too

Reply

[-]

ArticleGlad9497@reddit (OP)

I won't argue with you there, I think every discipline could benefit from the broad range of knowledge you pick up doing this. That said I also know plenty of people that have started through helpdesk and are still absolutely useless 🤣

Reply

[-]

Then-Chef-623@reddit

Security industry is 98% snake oil and grifters.

Reply

[-]

Scary_Bus3363@reddit

The best are Help Desk to MSP to sysadmin to engineer. Help desk starts you out and MSP is baptism by fire. You can do almost anything after those two and sometimes they are the same job at the same time.

Reply

[-]

tankerkiller125real@reddit

There are some good ones out there, they just cost a lot of money, and more importantly actually understand what they're doing and have often times written their own tools.

Reply

[-]

genscathe@reddit

This. I am hiring and the applicants im getting are fkn terrible. Total package is 250k including bonus + super in AUS, but its not enough to entice anyone good >\_< They will have to be trained up.

Reply

[-]

TaiGlobal@reddit

Took us a year to find a decent one and he actually came with a some baggage. His background check had something not too serious but somewhat questionable. He hadn’t been charged with anything however he was being investigated with something that did eventually get dropped. But it’s one of those things that if the hiring pool was any decent probably would have eliminated him just because you don’t want to deal with it. In any event he’s already got other potential job offers for more than what he’s making. Makes me think damn I’m in the wrong niche of this industry.

Reply

[-]

Scary_Bus3363@reddit

Background checks need to be reformed so that anything not resulting in a conviction is not allowed to be used against someone. Innocent until proven guilty

Reply

[-]

SteveJEO@reddit

How many of them have started the interview by giving you the entire history of the company, a copy of it's accounts and the entire employee list + public media profiles?

Reply

[-]

genscathe@reddit

That would be weird right? None lol

Reply

[-]

MendaciousFerret@reddit

I ran a cyber team for four years in AUS, part of a wider platform engineering team. One of our junior security engineers told me that most of her colleagues had two jobs...

Reply

[-]

genscathe@reddit

Because underpaid or just too much free time?

Reply

[-]

MendaciousFerret@reddit

The demand is there and the expectations are low. I was told that if you are a skilled cyber engineer you can add +10% premium to salary expectations or more.

Reply

[-]

genscathe@reddit

Sorry this comment doesn’t explain your point in the previous and now I’m just confused

Reply

[-]

MendaciousFerret@reddit

There is so much demand for security talent that is was easy for a junior to secretly have two jobs. Good for them as far as I'm concerned.

Reply

[-]

genscathe@reddit

Gotcha

Reply

[-]

Maro1947@reddit

I'm almost tempted to get back into it after dealing with so many spivs It's astounding how useless some of them are

Reply

[-]

NSFW_IT_Account@reddit

How do you know they're good before paying them a lot of money?

Reply

[-]

tankerkiller125real@reddit

They should be able to provide an anonymized findings report from a previous engagement. Also they can actually talk the technical talk, the good ones don't just send the sales guy out to chat but someone who actually does the work as well.

Reply

[-]

aes_gcm@reddit

I think that's right on the money, absolutely.

Reply

[-]

RikiWardOG@reddit

Also, you can talk to other people in your network that have used them and find out what they thought of their experience.

Reply

[-]

CluelessPentester@reddit

On top of what the others already said, you can also ask about methodology. How do they go about a pentest for your specific environment/service? Ask for specifics, where they usually find vulnerabilities, etc. If they just say "We do a Nessus scan" or "Yeah yeah we totally do some manual techniques", they are probably bullshitting you.

Reply

[-]

Craptcha@reddit

They ask you to exclude their IP from your waf and turn off your edr

Reply

[-]

genscathe@reddit

You look at their resume, see their experience. Get them in for an interview, ask them about their experiences, then follow up with some technical shit to see if they are bullshitting. They often always bullshit.

Reply

[-]

gandraw@reddit

Ask them to explain how something technical works. Like SQL injection, or XSS, or stack overflows. If they immediately start with the typical executive level description "they're bad computer things that make you lose a lot of money" insist that you want to know how they happen.

Reply

[-]

derpingthederps@reddit

Deffo not all but... I work in a uni, about 100 IT staff. We have around 6 people working in IT security. What do they do? Fuck all but waste time because they don't know anything hands on. It's all well and good to study cyber security, but it's useless if you don't know about business computing. I had our security team request I reinstall windows for 50 user devices in order to remove some out of service software because they were unable to uninstall it.. The uninstall commands were literally in the registry. I was pissed. I'd sooner higher good infra + endpoint management people rather than a single sec guy.

Reply

[-]

ReflectedImage@reddit

Well you got to have a designated fall guy for when the hackers inevitably get in.

Reply

[-]

accidentalciso@reddit

It depends.

Reply

[-]

Fresh_Dog4602@reddit

wasn't this discussed when defining the scope of the pentest?

Reply

[-]

Sir__Swish@reddit

If they were from a Big 4, yes. They were probably a graduate, given no direction and basically given a checklist to run which they didn't understand. The sad thing is they probably cost the same amount as a decent company but they get the contracts by dint of the company reputation. But hey, you got the tick box mark.

Reply

[-]

VacantlyCloudy@reddit

I’ve interacted with a few sec consultants and they fall into three buckets generally: 1. Not the most well versed in the topics but reading from the playbook and making an effort. I can see being upset about this but, also in my experience, there has been multiple levels of higher-up unfamiliarity with the space but a lot of “strong decision making” to coordinate the engagement. 2. Competent, and potentially creative and smart, people on our engagement who hampered by constraints that **my org** has put on the engagement. I don’t know that we’re unique but we’re definitely paying down bad decisions for several years ago. I’ve also had folks in my org asking the wrong questions of the consultants. 3. Rubber stamp consultancies that say “yes” to everything and then hope that they can figure it out later with billable hours. I’ve relayed specifics as to the issues that were running up against pre-engagement. Same issues in the engagement kick-off. And then asked to clarify again and confirm their findings that they cannot achieve what they were being asked to achieve when I also pointed out that it is unachievable at least twice. They’re hustling for hours and they’ll pitch parallel-thinking solutions that we have already dismissed, and I think everyone ends up unhappy on those. They’re my least favorite of the bunch. They say yes to anything. I haven’t come across anyone who is outright incapable of doing their job, but I have seen a range of job-doing ability and my org is not the easiest to just show up in as a consultant so that probably emphasizes the aspect of experience. We have some major configurations that are just straight up inadvisable, and we’ve struggled to get that in black and white from a lot of people because they’re scared to upset the client. Subsequently, time and money have been wasted. My recommendation is to enter into an engagement only when it is very clear what the statement of work is. And I mean so clearly that it should probably have an implementation plan because we’ve been left hanging mid-engagement on things. So maybe there is another layer of soft skill that needs to be in play here to figure out if the consultants mean business and they’re capable of executing it. And that has to be coming from someone who is ok pulling the plug on the engagement, if not the project.

Reply

[-]

VacantlyCloudy@reddit

I don’t know how to post a numbered list, apparently.

Reply

[-]

rootsquasher@reddit

>Are all security consultants useless? Short answer: **yes!**

Reply

[-]

kerosene31@reddit

This has been an issue with consulting in general, not just security. Some are good, some are horrible. The typical thing about consultants is they sell you on their team with X number of years experience, then when the work starts, they send some 25 year old kid as the only person showing up to meetings. So much of it is just checking boxes on forms, which is where security comes in. There's two approaches to security: \-Actually locking things down. \-Creating a pile of forms and checks and look like people did something. Usually, you get what you pay for.

Reply

[-]

420GB@reddit

I'd say Mike Ehrmentraut was well worth his paycheck

Reply

[-]

ElectroSpore@reddit

We do annual pen tests now. 1. External tests are always with all protection in place.. The most we have had suggested to us was non optimal SSL cert strength. 2. They then try WiFi / localized attacks. 3. They will ask to simulate a compromised user, we provide them user level permissions (our users are not privileged). 4. Lastly they will give us a pen test box to hook to the network in the office. Our infosec team is not informed of this before it is done. So far we have detected it and found it each time within 1-4 hours. At this point it is confirmed to be a test and we let them "TRY" to gain access anyway. Note that actively scanning for vulnerabilities is extremely noisy if you have a good SEIM in place.. the last test seems like it should be hard but we normally find them AS SOON as they fire up a scan of any kind. It took a few years but lately we have been passing. In previous years they would find holes in all three steps, these days they suggest things that MIGHT be weak that they could not specifically break during the test.

Reply

[-]

Check123ok@reddit

Cool what company?

Reply

[-]

ElectroSpore@reddit

We rotate companies but again we are looking for ones that do more than a scan, as we already have both internal and external 3rd party scanning in place.

Reply

[-]

ArticleGlad9497@reddit (OP)

Test 1 feels a little off..general guidance is you need to disable the security. Pentesting software isn't trying to bypass your security and so will always trigger your IPS, web application firewall etc. Unlike a proper hacker who will know how these solutions work and try to fly under the radar. If you're not testing the external facing stuff with the security functionality turned off then you could have some vulnerabilities there which the security tools are covering up. It might be your other tests are covering this but I'd recommend an external test that bypasses your security tools.

Reply

[-]

ElectroSpore@reddit

>Unlike a proper hacker who will know how these solutions work and try to fly under the radar. If your pentester isn't capable don't use them.. We have our own automated scans.. We are paying them to try and bypass our protections. And yes some of the other tests let them have access the thing is we are mostly zero trust so no end user has direct access to any of the systems other than via protection.

Reply

[-]

ClericDo@reddit

A real world attacker has the luxury of unlimited time, a pentest does not. It’s stupid to leave up all the extra protections like WAFs if doing an external application pentest, because you limit what gets tested. If they have to spend a chunk of their time bypassing WAF rules then that is time spent not testing your application.

Reply

[-]

ElectroSpore@reddit

> It’s stupid to leave up all the extra protections like WAFs if doing an external application pentest We continually test the other parts.. AGAIN waiting for a pen tester to run an automated script is STUPID. Find out you screwed up right away.

Reply

[-]

n0p_sled@reddit

Ideally you want to remove the WAF and test the app directly. WAF bypass techniques are updated daily, so your WAF that stopped XXS today might not stop it directly. Manual testing, not vulnerable scans, would be the way to test. And running your own scans is great, but you're obviously marking your own homework so may miss things that are picked up by a 3rd party.

Reply

[-]

ElectroSpore@reddit

We have at least 2 3rd party tools that are able to look at that level, again in context. NOT what we are paying the annual pen tester for.

Reply

[-]

m1stymem0ries@reddit

If it’s a black box, fine, but there’s no point in applying it to other testing models, because the tests shouldn’t focus on which tool finds what, but rather on what flaws exist in the business logic overall. WAFs and similar tools only delay what really matters, which are the *manual* tests behind those walls. I don’t see a problem with testing with WAF enabled occasionally, but treating it as a requirement for a test doesn’t make sense.

Reply

[-]

n0p_sled@reddit

You keep mentioning tools, as if they're a panacea. Tools should not be compared to manual testing, and are highly likely to miss issues related to business logic etc I must be missing something as I don't understand why you're paying for someone to test a 3rd party WAF.

Reply

[-]

cybergibbons@reddit

Best practice is to test applications with authentication with WAF and other protections turned off so that you find most of the issues quickly, reducing the cost and duration of the testing. It can then be beneficial to turn the WAF on and check that it is protecting against the issues found. As you say, they very rarely protect against business logic errors. From time to time I test WAFs independently to see how effective they are, but these are often long duration and we need the ability to run arbitrary applications behind them. Generally you can find bypasses of some form.

Reply

[-]

ClericDo@reddit

Oh yeah I may have misunderstood your post. The “””pentests””” that amount to sending you the equivalent of a Nessus scan report are a plague on the industry. Especially ones who don’t even the decency to sort through false positives for you.

Reply

[-]

itishowitisanditbad@reddit

> Unlike a proper hacker who will know how these solutions work and try to fly under the radar. ...what? What stops a 'proper hacker' doing the pentest? Baffling statement.

Reply

[-]

renderbender1@reddit

Time and money

Reply

[-]

ArticleGlad9497@reddit (OP)

Misunderstood that they were having a person actually testing and thought this was an automated external scan which will set off all sorts. If it's an actual security expert who's actually simulating a real attack then fair enough, never worked somewhere that's be able to afford that sort of testing.

Reply

[-]

reegz@reddit

This is pretty in line for what your pentest consists of. If you’re doing it right, pentests are 3rd party validation of your controls. There can be new findings but realistically they should provide validation of where your security program is and not really tell you anything you shouldn’t already know. It’s not a bad idea to rotate the companies you use for these tests (if you don’t already). Some testers/companies may be more skilled in specific techniques, it can help make sure you’re not leaving gaps.

Reply

[-]

ElectroSpore@reddit

> It’s not a bad idea to rotate the companies you use for these tests (if you don’t already). Some testers/companies may be more skilled in specific techniques, it can help make sure you’re not leaving gaps. We do that as well.

Reply

[-]

topinanbour-rex@reddit

For the pen test box, are they given access to the place, or they have to success to infiltrate it firstly ?

Reply

[-]

reegz@reddit

It’s called a greybox. It’s an attacker controlled machine on the network. It’s used to simulate a compromised asset in a “assumed breach” type of test. If the test consists of 50 hours you don’t want them spinning their tires externally for 40 hours.

Reply

[-]

ElectroSpore@reddit

If they fail all remote attacks they get a box connected on the lan. So they get a stab at everything but have to try the hard way first. if we pass, they get to bypass a layer basically to test deeper.

Reply

[-]

Good_Amphibian_1318@reddit

Yeah. There's a surplus of people jumping into cyber security with no background in IT, thinking it's a starter field. Then there are schools and cert farms selling the idea that they can get in without experience. It's a mess. However, it is plausible that they were asking for documentation purposes and that they were specifically doing an externally facing pen test. For instance, our SOC escalates a potential issue to me for investigation. Often, I know the answer but I need an infra admin to tell me it's good in writing to document the ticket and close the alert. From a pen test, especially an automated one, more than likely, they got alerts and have to document each properly to clear them.

Reply

[-]

sohcgt96@reddit

Damn diploma mills man, especially post COVID. "Get your career started in Cyber Security with our 6 week course! You'll 100% Guaranteed to make 6 figures and work from home with no prior IT Experience!" - I mean we know how ludicrous it is, but lots of people are paying for it.

Reply

[-]

Perfect-Tek@reddit

The problem is you need someone without only the book learning, but with some experience in the industry as a foundation. Otherwise they won't understand anything outside of what they know by rote.

Reply

[-]

sohcgt96@reddit

100% the thing, Security is not an entry level role. You need to know the fundamentals for context. Its developing a specialty withing your profession.

Reply

[-]

ArticleGlad9497@reddit (OP)

It's certainly for their documentation and compliance but essentially they have pentested nothing. They could have achieved the same thing by just trying to access the site from a location which wasn't approved. It'd be like me saying I'm going to test the banks alarm system and then giving them a pass because the front door was locked instead of testing what happens when it isn't...

Reply

[-]

Good_Amphibian_1318@reddit

Yeah. I get that. I'm still convinced they were running a black box pen test, hence not requesting WAF or IPS exceptions.

Reply

[-]

ArticleGlad9497@reddit (OP)

Trust me, that's not the case. If it were then it should have been phase 1 and now turn it off so we can test the web app. It's not the first time this guy has forgotten that he even asked us to implement the whitelist.

Reply

[-]

Good_Amphibian_1318@reddit

Heh. I tried. Good luck with him. O7

Reply

[-]

Good_Amphibian_1318@reddit

Or.... They're just useless ...

Reply

[-]

SteveJEO@reddit

There are some very very good ones out there but...to be honest a lot are worse than shit. Sec audits for a lot aren't security audits.. they're check lists for management used to affirm their own decisions.

Reply

[-]

Obi-Juan-K-Nobi@reddit

If you take “security” out of the question, I’ll agree. The number of good consultants has been one-hand count over my almost 30 years. It’s just easier to do a little research and keep it in-house for the majority of things.

Reply

[-]

m1stymem0ries@reddit

That's because a lot of pentests are just checklists, unfortunately, at least the cheap ones. And the companies are a mess, what you described sounds like someone at an entry level was pentesting alone, without any support. Sadly, it's easier to focus on easy money than on aligning test cases with the customer's business rules. This process of understanding the business rules should begin on day one, when sales and someone technical talk to the client to sell the pentest. It should continue until it reaches the pentesters, who should have a clear panorama to begin the test, and from there, align more and more as the findings come in. It's not "run this tool, if we find something, good, if not, we say 'they passed the test'". I mean, it's not about earning a star for passing a test. And contrary to what’s being said in this thread, I don’t see why new people in IT would be a problem, they just need to be pushed to learn and do things right. That says more about a flaw in the company’s structure.

Reply

[-]

Perfect-Tek@reddit

I've truly gotten tired of dealing with so called security professionals that don't understand networking. I truly understand your pain. Where I work, someone connected to a website in a restricted country. The solution demanded by the security team was to remove the physical computer used from the site.

Reply

[-]

pc_jangkrik@reddit

Just today i work with a guy who try to run ping https://websitename...

Reply

[-]

kaiveg@reddit

I mean at least he didn't fuck up any systems. 2-3 months ago the sysadmin of one of my customers, who did some security certs recently, decided every device needs EDPR, even if it ain't an endpoint. Including the databse server. To make things worse he didn't even exclude the databse file itself. Shortly after users start compaining that the application is slow af. He doesn't see a correlation. New entries/edits sometimes don't get saved in the DB as well, because the EDPR is locking the relevant part of the DB file. Yet he won't budge. After a week or so he got overruled by the higherups.

Reply

[-]

Frothyleet@reddit

in his defense I've accidentally done similar many times because of web browsers hiding "https://" in the URI bar but including it in the copy/paste

Reply

[-]

wideace99@reddit

Any impostor can claim to be a sysadmin or security consultant for the money... so the industry is full of them for many years. Those who actually have practical experience can ID the crooks based on their knowledge, but due to crappy payment there is no incentive.

Reply

[-]

ArticleGlad9497@reddit (OP)

Yeah and I guess it's true that I also have dealt with a multitude of crappy SysAdmins over the years. The difference is I'm yet to make contact with a good security consultant. It's funny isn't it in my last role I did hundreds of interviews and it still blows my mind why people lie about stuff on their CV or go and braindump certs... Oh I see you passed your Windows Server MCSA earlier this year...explain to me what a FSMO role is. *Blank look of confusion* ok thanks for coming in..bye!

Reply

[-]

TheGreatAutismo__@reddit

Boys, Hang on, hang on, hang on. He says he's NHS IT, I gotta make sure he's on the level: Fuck NHS Mail right?

Reply

[-]

ArticleGlad9497@reddit (OP)

I'm not NHS IT, the guy running the test of our system was. However we do interact with NHS mail and every time it's not working it's our fault emails didn't get sent apparently so yeah. There was an issue a couple of weeks ago and I had to go and find the outage notification on the NHS.net site somewhere and forward it to them so they would accept it wasn't our fault. So yeah fuck NHS mail.

Reply

[-]

TheGreatAutismo__@reddit

Mah brother from another mother. Even separated we are united. 😂

Reply

[-]

CryktonVyr@reddit

I worked with many different cybersec people. One of them An IT director that had a zealous approach to cybersec. Very knowledgeable, could back every breach claim he made with detailed proof. But one of the most unlikable high horse condescending ass hat I had the displeasure of working with. All the others that I really liked had 3 points in common. 1. Cybersec Passion 2. Down to earth 3. Able to teach their vast knowledge. To OP. Like any other profession, there will be shining examples of what that type of professional should be and the "I wouldn't trust them to turn water into piss" people.

Reply

[-]

kirksan@reddit

I owned a consulting company for a number of years and we did a lot of security and network stuff. I like to think we were pretty good, we certainly tried to be; a lot of times the problem lies with the client, though. Many clients aren’t willing to pay what it takes to do the job correctly, or they aren’t willing to enact policies and procedures that they think are too cumbersome. Even more often were clients that didn’t give a damn about security, all they cared about was passing some ISO or ISMS compliance review.

Reply

[-]

nv1t@reddit

there is difference between a pentest and a vuln scan. look out for companies with crest or offensive certificates, they are usually fine, because they follow a certain standard with their employees. look into finding reports (usually they should have one). for UK, contextis was one of the best, until Accenture bought them :-/ there is usually a scoping call involved. I have "tested" sich scenarios and I agree, there should be multiple faces to something like this. but that is a money issue, most of the time. it should be the job of a consultant to tell the customer this test is useless and burnt money....

Reply

[-]

ArticleGlad9497@reddit (OP)

It wasn't a pentest we commissioned, it was run by a customer using a tool. It goes a bit further than a vulnerability test as it should in theory try SQL injection methods and stuff like that. This guy works for the customer and is supposed to make sure their security is upto scratch and this includes the products and services they use. He ran his "pentest" as part of that remit and yet he tested nothing because all the tests his application is capable of would have just been blocked. Despite me pointing out his test would have returned a specific issue with security headers because it was from a blocked IP address he didn't cotton on to the fact this meant all the tests would have been blocked before they even had the chance to run.

Reply

[-]

PurpleFlerpy@reddit

This isn't the first time I've seen this question. Please don't be so dismissive to security professionals. We're trying, dammit. He might have seemed like a wanker, but he tested the castle walls as is. A bad pentester will be like "gimme all your admin passwords and disable the firewall". Defeats the purpose of testing your defenses.

Reply

[-]

cybergibbons@reddit

A pen tester who asks for the passwords and asks for the WAF to be turned off is generally the better tester. If you don't let them test the application fully with authentication then you are just using obscurity. Really you should be providing source code, logs and even a console so they can really find the deeply hidden issues. Unfortunately the black box mindset persists.

Reply

[-]

ArticleGlad9497@reddit (OP)

Not sure you read my initial description properly. This guy isn't a pentester, he's a security consultant for an NHS trust. He ran a pentest against our web application using a 3rd party app. He is supposed to sign off that our application is ok for them to continue using as there is some PII data. He should be testing for things like SQL injection. Instead all he did was confirm our whitelist was working.

Reply

[-]

n0p_sled@reddit

Was this a proper penetration test or Cyber Essentials Plus? Organisations don't "pass" a pentest, so it's odd that the consultant would have used that term.

Reply

[-]

ArticleGlad9497@reddit (OP)

It was a customer running his own pentest against our service. He didn't use those exact words but essentially he was satisfied with the pentest results despite the fact he had pentested absolutely nothing...

Reply

[-]

n0p_sled@reddit

ah ok - yeah, not good.

Reply

[-]

AncientWilliamTell@reddit

>>It probably doesn't help that their standard pay seems to be much higher and yet their ability to apply knowledge sensibly is completely lacking. oh, so management?

Reply

[-]

Kemaro@reddit

Can't speak for all of them, but ours definitely are. We call them IT Job Security team because all they do is create work for the rest of us.

Reply

[-]

DharmaPolice@reddit

Like most professions there are people who are passionate and knowledgeable and also a bunch of people who are just there tick boxes and may or may not be blagging it. I would say in terms of actual pen testers the ones I've dealt with were all pretty clued up. The sales /consultant people who worked with them were the usual corporate clueless types but the actual ones doing the technical assessments generally knew their stuff and were happy to share knowledge of how they exploited vulnerabilities etc. Also the UK public sector for the most part. I helped run an introduction to IT course a few years ago. It attracted a strange mix of people (it was free for residents). Multiple people told me they were thinking of getting into a career in IT and most mentioned cyber security. Nothing wrong with that but I suspect the field attracted an above average number of people who read an article saying they could earn a good salary without a strong technical background. These might be the people you're now dealing with.

Reply

[-]

giovannimyles@reddit

The problem with most of the consultants is they have a set "script" they go by and hardly ever deviate from it. I had a guy once tell me something I 100% knew to be false. I called him on it, he doubled down and then I forwarded him the article and he ghosted me for the rest of the day, lol. I never trusted a word out of his mouth the rest of the engagement. Some consultants are great and knowledgeable and I pick their brains as much as possible. Others are just no better than we are but are with an MSP so we should "trust" them. Never trust them blindly, question everything. A good engineer welcomes questions to educate you. The ones who just want to click buttons because its what they do get no love.

Reply

[-]

PizzaUltra@reddit

Not all, but most unfortunately. Source: Am security consultant. I'd like to think I'm one of the better ones, but who knows really.

Reply

[-]

MaxTheV@reddit

I think most companies have barely any money for cybersecurity. When they hire consultants, they hire the cheapest of the cheapest options. Good consultants with very strong technical background exist, but most organizations would rather save money than get quality work

Reply

[-]

thortgot@reddit

Scope matters. If they are testing for a true external test you shouldn't disable or bypass the WAF. They were likely validating you correctly scoped the external IP auth. Authenticated and internal pentests are more involved but not required for most compliance.

Reply

[-]

ArticleGlad9497@reddit (OP)

No that's definitely not what they were doing. They're meant to be checking the web application for vulnerabilities, the initial scan flagged some missing http headers which are definitely not missing. We already do the same scan ourselves on behalf of a different NHS trust but for some reason this guy insists on doing it himself. The first time he did it he didn't even ask first and generated a shit load of alerts, there was no provision for him doing this in the contract either so technically illegal. Since then he's run it a number of other times and generally there's a few low scoring vulnerabilities which we know are there and have all signed off on until our new release later this year where they will be fixed. That's what should have happened again this year but yeah he's only tested that our IP whitelisting is in place and that's definitely not sufficient for what he should be testing.

Reply

[-]

B4rberblacksheep@reddit

Allegedly there’s some out there that actually think before implementing their “solutions” but every single one I’ve met has barely got enough brains to cover a thin water biscuit.

Reply

[-]

whatsforsupa@reddit

The best security consultants have good backgrounds in systems, networking and scripting. Someone who understands how the vulnerability works, not just reading it off a CVE. Someone who understands how patching works, how GPOs work, how firewalls work, how email systems/sec gateways work, how EDR policies work, etc. Unfortunately for most companies, this is a bit of a unicorn employee that, if they know their worth, should be demanding $$$.

Reply

[-]

Direct-Mongoose-7981@reddit

Try hiring one full time, honestly it’s impossible. Even harder are security engineers, technical security people with an infrastructure and network background as well as security are almost impossible to find.

Reply

[-]

Layer7Admin@reddit

I did a pentest where we had to create an instance in our AWS environment for them to run the pentest from. Our policies are default deny. So I asked what rules I should put in. They told me none. So they did a pentest from an instance with no outbound traffic allowed. We passed. But we paid for that.

Reply

[-]

Pyrostasis@reddit

Are you tired of incompetent security folks and their appliances? Me too. Lets schedule a quick 15 minute call where we can discuss my tool which is better than theirs and works! Ill throw in my free ebook. /s ![gif](giphy|l1KsFYiPtEv9qYY6Y)

Reply

[-]

TheOhNoNotAgain@reddit

Pen tester tester - your new career?

Reply

[-]

malikto44@reddit

Security consultants who were sysadmins are one thing. People who don't know what is going on, but blame all your problems by having FIPS not set to `1` are another, the ClickOps people who run a tool, it finds some (mostly irrelevant) stuff, then crow about how insecure things are.

Reply

[-]

PokeMeRunning@reddit

No but highly paid security consultant is sounding like a better and better gig.

Reply

[-]

raip@reddit

It's absolutely great - although than having to deal with continuing education credits and sponsorships (both giving and receiving) for certifications - it's a great fucking time.

Reply

[-]

RikiWardOG@reddit

FR, I really just need to get off my lazy ass and do some certs/study and move into security. TBH not a huge fan of typical security work though. That said, would love to be part of a physical pentest red team.

Reply

[-]

tectail@reddit

Security pen testers have turned into checklist followers. They run the things the company tells them to run and document pass or fail. It's a good thing hackers only have those specific things that they use to try hacking people ... Ohh wait.

Reply

[-]

Zombie13a@reddit

Our security team explicitly stated, in policy and writing, that Google Chrome doesn't belong on \_any\_ windows servers. They then were shocked with the security teams own RDP servers had Chrome on them; and when confronted, said "well, we need it" without a trace of irony.... smdh I \_hate\_ security teams; they seem to be the biggest security threat to a company.

Reply

[-]

Gadgetman_1@reddit

There is no 'Pass' in a PenTest. There's only 'This is fucked up' and 'this is adequate but could be better'. Anyone telling you that you passed doesn't know his job very well. Probably just ran a couple of automated tools and copy-pasted the logs from those into the final report.

Reply

[-]

ericjgriffin@reddit

>Are all ~~security~~ consultants useless? Fixed that for you and yes they are all worthless.

Reply

[-]

TheBestHawksFan@reddit

It would seem to me that many, many security jobs are what have been referred to as "box ticker" jobs. Bullshit jobs that don't provide value, the whole goal is to simply tick a box.

Reply

[-]

Outside-After@reddit

Relatable. 9/10 aren't technical from my experience having crossed the threshold from internal auditing.

Reply

[-]

ConfusionFront8006@reddit

Not all, the good ones just cost more and are fewer in number. Pen tests aren’t a pass or fail thing either. Pen testing is very much so a ‘you get what you pay for skillset’ so we see this type of thing a LOT. But then again a lot of areas in tech are like that. Meh.

Reply to Post

150 Comments