Highest Rated Comments
todbatx 99 karma
Security Programming
- Like you said, Metasploit Unleashed
- ReL1k's book, Metasploit: The Penetration Tester's Guide. Still relevant! If you can't use Metasploit, you're going to have a hard time dev'ing on it.
- Art of Exploitation, still probably the best getting started book on "hacking."
- Anything from Corelan
- /r/netsec - pretty great way to keep up on the news, since security is always changing fast.
There are a zillion other good to great resources, I'm sure others can chime in.
Best way to get experience
Contribute to open source. I know that's a self-serving answer, but even before I was involved in Metasploit directly, if I saw someone had Metasploit commits on their resume, it was easily 50 bonus points, out of the gate.
todbatx 60 karma
We discuss this some in our paper, Under the Hoodie. Turns out, there's not a ton of difference between industries, which we found kind of surprising.
You'd think that places like financial institutions and healthcare providers would have better security than a retail outlet, but the fact of the matter is, everyone runs pretty much the same stack -- Microsoft desktops, Linux servers, and Cisco switches and routers (and if not those, their top two or three competitors).
So, broadly, techniques and tech really don't change much from site to site. There's always something new you run into on every site, but the basics are the same wherever you go.
todbatx 60 karma
So, what accounts for all the win in the network, or what accounts for all the fail? I'll cover both, since oddly, the answer is the same.
Most network and computer resiliency -- the stuff that makes the target hard to hack -- is due to decent patch management. If your organization is diligent in getting updates out to servers, desktops, and mobile, you're 80% of the way there, for sure.
When it comes to exploiting vulnerabilities, though, most of the time, it's due to that small population of machines that don't see automatic updates. They may be "too critical to reboot," or they're some goofy IoT thing that can't get updated reasonably. That's where pentesters (and criminals) live.
todbatx 267 karma
Those background checks are rough.
Also, I can't take polygraph tests seriously. Since they're garbage science.