This is one of those things I'm saying for the sake of educating people, not the sake of subtweeting or being trite:
I just got a LinkedIn ping from a recruiter. I am a relatively polite and prudent person and I like to decline politely instead of ignoring those. (1/n)
The recruiter told me the job was "vulnerability engineer". No description attached. My immediate response was, "I'm sorry, but I'm an incident responder / DFIR. This isn't an applicable posting for me."
Clearly, vulnerability management & research are very different fields.
The recruiter replied that the company is actually seeking an incident responder.
Folks. You need to be careful what you're naming your job positions. I'm not looking, but a lot of people who are might have ignored this note entirely.
We are simple folks, niche cybersecurity analysts. Getting clever or cute with your context-free position titles (or simply being uninformed about what you're asking for) is probably costing you good candidates.
I'm sorry this thread read as pretentious. I am very tired, and unsure how to make it less pretentious. I'm honestly just trying to help you hire people. Off to another G&T.
I find it a lot more telling that their executive blames security issues on an intern than that a large organization had a weak password on an exposed server. The latter is unfortunately common, but it will never be remediated with the former.
Think back to the companies that had a major, public incident and then drastically changed their cybersecurity culture because of leadership buy-in. Target. Motorola. Norsk. Maersk. Then think about the ones who didn't.
Target and Motorola became noteworthy cybersecurity community participants and pipelines for junior talent.
A thing I do at Dragos (not a plug, just thought you might find interesting) is elaborate functional and crown jewel analysis of industrial facilities, where I spend days interviewing staff to figure out all the horrible things that could happen and what device could cause them.
Like I literally spend days of my life figuring out what PLC on what shelf could cause places to explode under specific operational and security conditions
It's interesting. I found out how to spoil eggs en masse and also cause cataclysmic chemical chain reactions.
Fun Fact: The first widely-documented attack against a digital industrial control system which caused a major physical disaster was at a sewage treatment plant in Australia.
Homeboy was mad he didn’t get hired on after his contract and used his insider knowledge to dump a metric shitton of well, shit.
This was years before Aurora and Stuxnet and AyPeeTees.
Good morning to all of you well rested infosec folks who are just now waking up to this newest catastrophe :)
Fine, fine, I’ll be nice. While you were sleeping, Google security notified of a long term (allegedly DPRK) SE campaign targeting infosec researchers on Twitter, ingratiating themselves into the community with minor research and blogs, then sending them malicious links and code.
The list of accounts is in the blog and 3 or 4 accounts were very active, messaged and drew in a ton of researchers, and successfully got some to execute malicious code in the name of exploit research. My thread is full of stories and screenshots. They hit a ton of people.
Stop blaming users for security issues caused by *your security team* failing to give them widely usable and secure ways to perform their part of the *mission of your organization*.
*the mission of your organization is likely not keeping malware out.
JFC... with regard to this Facebook phone data leak, I see people blaming users for SIM hijacking, even though locks don’t reliably prevent it at carriers, and blaming them for using SMS 2FA, even though most banks still don’t offer another MFA method.