Sudonix

Sudonix

We DON'T Need Blinky Lights

Blog
  • phenomlabundefined

    1631810017053-netsecurity.jpg.webp
    I read an article By Glenn S. Gerstell (Mr. Gerstell is the general counsel of the National Security Agency) with a great deal of interest. That same article is detailed below

    The National Security Operations Center occupies a large windowless room, bathed in blue light, on the third floor of the National Security Agency’s headquarters outside of Washington. For the past 46 years, around the clock without a single interruption, a team of senior military and intelligence officials has staffed this national security nerve center.

    The center’s senior operations officer is surrounded by glowing high-definition monitors showing information about things like Pentagon computer networks, military and civilian air traffic in the Middle East and video feeds from drones in Afghanistan. The officer is authorized to notify the president any time of the day or night of a critical threat.

    Just down a staircase outside the operations center is the Defense Special Missile and Aeronautics Center, which keeps track of missile and satellite launches by China, North Korea, Russia, Iran and other countries. If North Korea was ever to launch an intercontinental ballistic missile toward Los Angeles, those keeping watch might have half an hour or more between the time of detection to the time the missile would land at the target. At least in theory, that is enough time to alert the operations center two floors above and alert the military to shoot down the missile.

    But these early-warning centers have no ability to issue a warning to the president that would stop a cyberattack that takes down a regional or national power grid or to intercept a hypersonic cruise missile launched from Russia or China. The cyberattack can be detected only upon occurrence, and the hypersonic missile, only seconds or at best minutes before attack. And even if we could detect a missile flying at low altitudes at 20 times the speed of sound, we have no way of stopping it.

    Something I’ve been saying all along is that technology alone cannot stop cyber attacks. Often referred to as a “silver bullet”, or “blinky lights”, this provides the misconception that by purchasing that new, shiny device, you’re completely secure. Sorry folks, but this just isn’t true. In fact, cyber crime, and it’s associated plethora of hourly attacks is evolving at an alarming rate - in fact, much faster than you’d like to believe.

    You’d think that for all the huge technological advances we have made in this world, the almost daily plethora of corporate security breaches, high profile data loss, and individuals being scammed every day would have dropped down to nothing more than a trickle - even to the point where they became virtually non-existent. We are making huge progress with landings on Mars, autonomous space vehicles, artificial intelligence, big data, machine learning, and essentially reaching new heights on a daily basis thanks to some of the most creative minds in this technological sphere. But somehow, we have lost our way, stumbled and fallen - mostly on our own sword. But why ?

    Just like the Y2k Gold Rush in the late 90’s, information security has become the next big thing with companies ranging from a few employees as startups to enterprise organisations touting their services and platforms to be the best in class, and the next “must have” tool in the blue team’s already bulging arsenal of tools. Tools that on their own in fact have little effect unless they are combined with something else as equally as expensive to run. We’ve spent so much time focusing on efforts ranging from what SEIM solution we need to what will be labelled as the ultimate silver bullet capable of eliminating the threat of attack once and for all that in my opinion, we have lost sight of the original goal. With regulatory requirements and best practice pushing us towards products and services that either require additional staff to manage, or are incredibly expensive to deploy and ultimately run. Supposedly, in an effort to simplify the management, analysis, and processing of millions of logs per hour we’ve created even more platforms to ingest this data in order to make sense of it.

    In reality, all we have created is a shark infested pool where larger companies consume up and coming tech startups for breakfast to ensure that they do not pose a threat to their business model / gravy train, therefore enabling them to dominate the space even further with their newly enhanced reach.

    How did we get to this ? What happened to thought process and working together in order to combat the threat that increases on an hourly basis ? We seem to be so focused on making sure that we aren’t the next organisation to be breached that we have lost the art of communication and the full benefit of sharing information so that it assists others in their journey. We’ve become so obsessed with the daily onslaught of platforms that we no longer seem to have the time to even think, let alone take stock and regroup - not as an individual, but as a community.

    There are a number of ”communities” that offer “free” forums and products under the open source banner, but sadly, these seem to be turning into paid-for products at a rate of knots. I understand people need to live and make money, but if awareness was raised to the point where users wouldn’t click links in phishing emails, fall for the fake emergency wire transfer request from the CEO, or be suddenly tempted by the latest offer in terms of cheap technology then we might - just might - be able to make the world a better place. In order to make this work, we first need to remove the stigma that has become so ingrained by the media and set in stone like King Arthur’s Excalibur. Let’s first start with the hacker / criminal parallel. They aren’t the same thing folks.

    Nope. Not at all. Hackers are those people who find ingenious ways of getting into networks and infrastructure that you never even knew existed, trick you into parting with sensitive information (then inform you as to where you went wrong), and most importantly, educate you so that you and your network are far more secure against real attacks and real criminals. These people exist to increase your awareness, and by definition, security footprint - not use it against you in order to steal. Hackers do like to wear hoodies as they are comfortable, but you won’t find one using gloves, wearing a balaclava or sunglasses, and in some cases, they actually prefer desktops rather than laptops.

    The image being portrayed here is one perpetuated by the media, and it has certainly been effective - but not in a positive way. The word “hacker” is now synonymous with criminals, where it really shouldn’t be. One defines security, whereas the other sets out to break it. If we locked up all the hackers on this planet, we’d only have the blue team remaining. It’s the job of the red team (hackers) to see how strong your defences are. Hackers exist to educate, not infiltrate (at least, not without asking for permission first :))

    I personally have lost count of how many times I’ve sat in meetings where a sales pitch around a security platform is touted as a one stop shop or a Swiss army knife that can protect your entire network from a breach. Admittedly, there’s some great technology on the market that performs a variety of functions to protect your estate, but they all fail to take into consideration the weakest link in any chain - users. Irrespective of bleeding edge “combat platforms” (as I like to refer to them), criminals are becoming very adept in their approach, leveraging techniques such as social engineering. It should come as no surprise for you to learn that this type of attack can literally walk past your shiny new defence system as it relies on the one vulnerability you cannot predict - the human. Hence the term “hacking humans”.

    I’m of the firm opinion that if you want to outsmart a criminal, you have to think like one. Whilst newfangled platforms are created to assist in the fight against cyber crime, they are complex to configure, suffer from alerting bloat (far too many emails so you end up missing the one where your network is actually being compromised), or are simply overwhelming and difficult to understand. Here’s the thing. You don’t need (although they do help) expensive bleeding edge platforms with flashing lights to tell you where weak points lie within your network, but you do need to understand how a criminal can and will exploit these. A vulnerability cannot be leveraged if it no longer exists, or even better, never even existed to begin with.

    And so, on with the mission, and the real reason as to why I created this site. I’ve been working in information technology for 30 years, and have a very strong technical background in network design and information security.

    What I want to do is create a communication, information, and awareness sharing platform. I created the original concept of what I thought this new community should look like in my head, but its taken a while to finally develop, get people interested, and on board. To my mind, those from inside and outside of the information security arena will pool together, share knowledge, raise awareness, and probably the most important, harness this new found force and drive change forward.

    The breaches we are witnessing on a daily basis are not going to simply stop. They will increase dramatically in their frequency, and will get worse with each incident.

    Let’s stop the “hackers are criminals” myth, start using our own unique talents in this field, and make a community that

    • is able to bring effective change
    • treats everyone as equals
    • The community once fully established could easily be the catalyst for change - both in perception, and inception.

    Why not wield the stick for a change instead of being beaten with it, and work as a global virtual team instead ?

    Will you join me ? In case I haven’t already mentioned it, this initiative has no cost - only gains. It is entirely free.

    Author of OGProxy, Swatch, Threaded, and most of Sudonix's bugs…

    0

  • Madchatthewundefined

    Link vs Refresh

    Solved Customisation
    20
    8 Votes
    20 Posts
    501 Views
    phenomlabundefined

    @pobojmoks Do you see any errors being reported in the console ? At first guess (without seeing the actual code or the site itself), I’d say that this is AJAX callback related

  • phenomlabundefined

    Do you need a degree to succeed?

    Moved Blog
    5
    5 Votes
    5 Posts
    210 Views
    phenomlabundefined

    @qwinter very well put. Great points and I can certainly align with these. I personally don’t see no university as a barrier to progression. My old boss said that he’d take preference with anyone who had a degree because of their “ability to think logically” (I kid you not). I said “well, you hired me and I don’t have a degree…”.

    He paused for a moment realising that he’d literally dug himself a hole and fell in it. He then said “ah yes, but you’re an exception”.

    “Exception” or not - it’s still a bigoted reasoning mechanism, and elitist to put it mildly. Class distinction springs to mind here.

  • phenomlabundefined

    Why do I need a pentest or vulnerability assessment ?

    Blog
    1
    0 Votes
    1 Posts
    107 Views
    phenomlabundefined

    1622024819274-security1.webp

    If you are new to the security industry, then penetration testing may be one of those topics you are starting to look at in more detail. If you’ve been in the industry for a while, then you will already know (I hope) the importance of this particular exercise. Penetration testing and ongoing vulnerability assessments are essential given today’s risk of cyber crime and data breaches, and most clients when performing due diligence will probably ask when the your most recent test was conducted. If you’ve never completed a test, and your client asks the question, don’t be surprised if you detect a glimpse of a raised eyebrow, or even a loss of confidence - and ultimately a loss of business because of this.

    The mitigating factors here are risk and gap analysis. If you have multiple potential entry points into your network, be it intended, or unintended, a vulnerability scan should be completed at least once a year (my personal preference is once a quarter, but this depends on budget) to verify the security of endpoints exposed to the public. Such endpoints are typically firewalls, routers, and essentially, anything that is hosting an externally accessible service.

    What does a penetration test involve ?

    The main concept is the word “penetration”, meaning to enter. Be it lawfully, or illegal, the principle remains the same - if a device can be accessed, it needs to be tested. Most services that are public facing are designed to be entered, but what if the entity utilising such access decides to violate the intended purpose ? A hacker could circumvent your controls and gain access to other areas, or leverage a flaw in the system that negates the intended service. Such a compromise can either provide access to personally identifiable data, or make the affected system vulnerable to another form of attack. Before any testing is performed, the penetration testing company will need to sign an NDA (Non Disclosure Agreement). This protects both their client in the form of confidentiality, and their reputation. After all, if they do find a weakness, you wouldn’t want them telling everyone about it. This may seem glaringly obvious, but you will be unpleasantly surprised if you knew how many companies had been duped over the years by a fake penetration testing entity that actually turn out to be hackers !

    Any penetration testing company that is legitimate will be more than aware of the importance in terms of client confidentiality and security, and will normally make the NDA their first discussion point before even asking about your network. If any potential penetration testing company does not raise this point, or attempts to deviate when asked questions around confidentiality, they should immediately be treated as a risk, and certainly never provided privileged information about your network topology.

    Due diligence

    In all cases, you should check and verify the identity and integrity of any company before entering into any contractual agreement. My suggestion here is to only accept reviews or recommendations from people you can actually meet or speak to over the phone without the penetration testing company facilitating any meetings or phone calls on your behalf. This removes the potential for fraud, and reduces the overall risk.

    Testing scope

    The penetration test scope depends on the criteria predefined - If an external penetration test is conducted, then this will typically be limited to devices or services exposed to the internet. The usual practice is to provide a list of IP Address ranges and associated subnets, and allow the penetration testing company to “walk” these ranges looking for services. Additionally, if you are looking to conduct a test of your internal network, then (at least to me), this is not a penetration test, but a vulnerability assessment. Why ?

    Because if someone is already inside your network, you aren’t testing the ability to penetrate something you already have access to - you are testing to see how effective your internal infrastructure is

    Testing process

    The penetration testing company will begin by scanning all IP Addresses and subnets to see what will respond. If the tester finds an exposed service (normally one you’d expect in an ideal world), they will perform an array of tests against the address to determine (but not limited to)

    The type of device The operating system Device fingerprint What services are running What ports are open

    Once the penetration tester has this information, further interrogation is possible. This part of the exercise is often automated using custom tools and scripts - most of these are often enhanced by the penetration testing company themselves, which provides a unique testing style (more on why this is important later). For example, if the penetration tester finds SNMP exposed on a device, they will then attempt to exploit known vulnerabilities in the protocol in order to get the device to “cough up” other details it wouldn’t normally divulge. A weak SNMP configuration can expose the running configuration of a router for example, meaning that the attacker then gains intelligence about your network and adjacent devices.

    Such intelligence allows the penetration tester to leverage other vulnerability checks, and ultimately, they may gain access through a route you did not expect - or even know existed.

    Testing responsibilities

    The remit of a penetration tester is not to hack your network, steal data, or bring the infrastructure to it’s knees, but to expose and report vulnerabilities to their client in a responsible and professional manner. This is typically in the form of a confidential findings report that is delivered to a predefined and authorised contact within your company.

    Testing findings and exceptions

    If the penetration testing company finds a vulnerability or exploit that is considered high risk, then they are duty bound to inform you of this discovery within a predefined time frame. This varies depending on the severity of the issue or potential exploit. In cases such as this, the penetration testing company provide documentation on the steps taken to reproduce the vulnerability, and provide an example of what they were able to do by leveraging it. This provides the client with sufficient knowledge to prepare to rectify the issue before the main findings report is produced. Seeing as penetration testers have other clients, the report can take some time to compile, and they wouldn’t want you to have an unknown exploit in the report when it does finally arrive.

    The implications of high risk vulnerabilities are wide ranging, can cause significant reputation damage for the tester if unreported (although this is at the discretion of the tester to report if they deem it important enough), and worse, could be exploited if left unpatched.

    Testing report

    The report should be protected with a strong password, and be in a format that cannot easily be manipulated or altered. A secured PDF with the ability to edit removed is the preferred medium. The method of delivery should be as secure as possible to prevent it from falling into the wrong hands. An ideal solution is to provide the report via a Secure SFTP server, or encrypted email. Most penetration testers use certificates when sending email, and are secure by default.

    Remediation

    This part is up to you. A thorough and respectable penetration testing company will provide all relevant information in relation to the risk levels they have identified, and will also provide a means to work towards remediation. Depending on the issues identified, the remediation will obviously be different for each device in scope, or each vulnerability identified. In most cases, penetration testing companies offer a reduced rate for performing the same test against devices and vulnerabilities subject to remediation provided all steps have been completed within a defined time period - typically 30 days. Look at it this way - if you are presented with a report that shows your infrastructure (external and internal) alluding to a block of Swiss Cheese and you chose to ignore it, then you deserve to be hacked in my view. Harsh ? Yes. A reality ? Very much so. Ignore vulnerabilities at your peril.

    Look at it this way - it’s much easier to avoid spilling milk in the first place than it is to mop it up afterwards

    Should I perform my own testing ?

    Yes, but your test results could be seen as one sided, or biased given that you have conducted the test yourself. My advice here would be

    Perform your own interim testing. The frequency really depends on attitude to risk, I personally consider once a quarter as a sane value Complete remediation as far as possible, and perform as much post-testing as you can to identify any further risk Engage a recognised penetration testing company to carry out their own independent testing to validate and confirm your remediation

    The report generated by this entity will carry much more weight, and can be used for client evidence if they request it. There’s much more to this topic, so if you’d like any further information, just ask - I’ll be more than happy to answer questions.

  • phenomlabundefined

    Hacked because you didn't listen ?

    Blog
    1
    0 Votes
    1 Posts
    140 Views
    phenomlabundefined

    1622032930658-hacked_listen-min.webp

    I’ve been a veteran of the infosec industry for several years, and during that time, I’ve been exposed to a wide range of technology and situations alike. Over this period, I’ve amassed a wealth of experience around information security, physical security, and systems. 18 years of that experience has been gained within the financial sector - the remaining spread across manufacturing, retail, and several other areas. I’ve always classed myself as a jack of all trades, and a master of none. The real reason for this is that I wanted to gain as much exposure to the world of technology without effectively “shoehorning” myself - pigeon holing my career and restricting my overall scope.

    I learned how to both hack and protect 8086 / Z80 systems back in 1984, and was using “POKE” well before Facebook coined the phrase and made it trendy (one of the actual commands I still remember to this day that rendered the CTRL, SHIFT, ESC break sequence useless was

    POKE &bdee, &c9

    I spent my youth dissecting systems and software alike, understanding how they worked, and more importantly, how easily they could be bypassed or modified.

    Was I a hacker in my youth ? If you understand the true meaning of the word, then yes - I most definitely was.

    If you think a hacker is a criminal, then absolutely not. I took my various skills I obtained over the years, honed them, and made them into a walking information source - a living, breathing technology encyclopedia that could be queried simply by asking a question (but not vulnerable to SQL injection).

    Over the years, I took an interest in all forms of technology, and was deeply immersed in the “virus era” of the 2000’s. I already understood how viruses worked (after dissecting hundreds of them in a home lab), and the level of damage that could be inflicted by one paved the way for a natural progression to early and somewhat infantile malware. In its earliest form, this malware was easily spotted and removed. Today’s campaigns see code that will self delete itself post successful execution, leaving little to no trace of its activity on a system. Once the APT (Advanced Persistent Threat) acronym became mainstream, the world and its brother realised they had a significant problem in their hands, and needed to respond accordingly. I’d realised early on that one of the best defences against the ever advancing malware was containment. If you “stem the flow”, you reduce the overall impact - essentially, restricting the malicious activity to a small subset rather than your entire estate.

    I began collaborating with various stakeholders in the organisations I worked for over the years, carefully explaining how modern threats worked, the level of damage they could inflict initially from an information and financial perspective, extending to reputation damage and a variety of others as campaigns increased in their complexity). I recall one incident during a tenure within the manufacturing industry where I provided a proof of concept. At the time, I was working as a pro bono consultant for a small company, and I don’t think they took me too seriously.

    Using an existing and shockingly vulnerable Windows 2003 server (it was still using the original settings in terms of configuration - they had no patching regime, meaning all systems were effectively vanilla) I exhibited how simple it would be to gain access first to this server, then steal the hash - effortlessly using that token to gain full access to other systems without even knowing the password (pass the hash). A very primitive exercise by today’s standards, but effective nonetheless. I explained every step of what I was doing along the way, and then explained how to mitigate this simple exploit - I even provided a step by step guide on how to reproduce the vulnerability, how to remediate it, and even provided my recommendations for the necessary steps to enhance security across their estate. Their response was, frankly, shocking. Not only did they attempt to refute my findings, but at the same time, dismissed it as trivial - effectively brushing it under the carpet so to speak. This wasn’t a high profile entity, but the firm in question was AIM listed, and by definition, were duty bound - they had a responsibility to shareholders and stakeholders to resolve this issue. Instead, they remained silent.

    Being Pro Bono meant that my role was an advisory one, and I wasn’t charging for my work. The firm had asked me to perform a security posture review, yet somehow, didn’t like the result when it was presented to them. I informed them that they were more than welcome to obtain another opinion, and should process my findings as they saw fit. I later found out through a mutual contact that my findings had been dismissed as "“unrealistic”, and another consultant had certified their infrastructure as “safe”. I almost choked on my coffee, but wrote this off as a bad experience. 2 months later, I got a call from the same mutual contact telling me that my findings were indeed correct. He had been contacted by the same firm asking him to provide consultancy for what on the face of it, looked like a compromised network.

    Then came the next line which I’ll never forget.

    “I don’t suppose you’d be interested in……”

    I politely refused, saying I was busy on another project. I actually wasn’t, but refused out of principle. And so, without further ado, here’s my synopsis

    “…if you choose not to listen to the advice a security expert gives you, then you are leaving yourself and your organisation unnecessarily vulnerable. Ignorance is not bliss when it comes to security…”

    Think about what you’ve read for a moment, and be honest with me - say so if you think this statement is harsh given the previous content.

    The point I am trying to make here is that despite sustained effort, valiant attempts to raise awareness, and constantly telling people they have gaping holes in systems for them to ignore the advice (and the fix I’ve handed to them on a plate) is extremely frustrating. Those in the InfoSec community are duty bound to responsibly disclose, inform, educate, raise awareness, and help protect, but that doesn’t extend to wiping people’s noses and telling them it wasn’t their fault that they failed to follow simple advice that probably could have prevented their inevitable breach. My response here is that if you bury your head in the sand, you won’t see the guy running up behind you intent on kicking you up the ass.

    Security situations can easily be avoided if people are prepared to actually listen and heed advice. I’m willing to help anyone, but they in return have to be equally willing to listen, understand, and react.

  • phenomlabundefined

    Think 10,000 hours makes an expert? It doesn't!

    Blog
    1
    0 Votes
    1 Posts
    203 Views
    phenomlabundefined

    expert.webp
    One thing I’ve seen a lot of over my career is the “expert” myth being touted on LinkedIn and Twitter. Originating from psychologist K. Anders Ericsson who studied the way people become experts in their fields, and then discussed by Malcolm Gladwell in the book, “Outliers“, “to become an expert it takes 10,000 hours (or approximately 10 years) of deliberate practice”. This paradigm (if you can indeed call it that) has been adopted by several so called “experts” - mostly those within the Information Security and GDPR fields. This article isn’t about GDPR (for once), but mostly those who consider themselves “experts” by virtue of the acronym. Prior to it’s implementation, nobody should have proclaimed themselves a GDPR “expert”. You cannot be an expert in something that wasn’t actually legally binding until May 25 2018, nor can you have sufficient time invested to be an expert since inception in my view. GDPR is a vast universe, and you can’t claim to know all of it.

    Consultant ? Possibly, yes. Expert ? No.

    The associated sales campaign isn’t much better, and can be aligned to the children’s book “Chicken Licken”. For those unfamiliar with this concept, here is a walkthrough. I’m sure you’ll understand why I choose a children’s story in this case, as it seems to fit the bill very well. What I’ve seen over the last 12 months had been nothing short of amazing - but not in the sense of outstanding. I could align GDPR here to the PPI claims furore - for anyone unfamiliar with what this “uprising” is, here’s a synopsis.

    The “expert” fallacy

    Payment Protection Insurance (PPI) is the insurance sold alongside credit cards, loans and other finance agreements to ensure payments are made if the borrower is unable to make them due to sickness or unemployment. The PPI scandal has its roots set back as far as 1998, although compensatory payments did not officially start until 2011 once the review and court appeal process was completed. Since the deadline for PPI claims has been announced as August 2019, the campaign has become intensively aggressive, with, it would seem, thousands of PPI “experts”. Again, I would question the authenticity of such a title. It seems that everyone is doing it, therefore, it must be easy to attain (a bit like the CISSP then). I witnessed the same shark pool of so called “experts” before, back in the day when Y2K was the latest buzzword on everyone’s lips. Years of aggressive selling campaigns and similarly, years of FUD (Fear, Uncertainty, Doubt - more effectively known as complete bulls…) caused an unprecedented spike that allowed companies and consultants (several of whom had never been heard of before) to suddenly appear out of the woodwork and assume the identity of “experts” in this field. In reality, it’s not possible to be a subject matter expert in a particular field or niche market unless you have extensive experience. If you compare a weapons expert to a GDPR “expert”, you’ll see just how weak this paradigm actually is. A weapons expert will have years of knowledge in a field, and could probably tell you which gun discharged a bullet just by looking at the expended shell casing. I very much doubt a self styled GDPR expert can tell you what will happen in the event of an unknown scenario around the framework and the specific legal rights (in terms of the individual who the data belongs to) and implications for the institution affected. How can they when nobody has even been exposed to such a scenario before ? This makes a GDPR expert in my view about as plausible as a Brexit expert specialising in Article 50.

    What defines an expert ?

    The focal point here is in the comparison. A weapons expert can be given a gun and a sample of shell casings, then asked to determine if the suspected weapon actually fired the supplied ammunition or not. Using a process of proven identification techniques, the expert can then determine if the gun provided is indeed the origin. This information is derived by using established identity techniques from the indentations and markings in the shell casing created by the gun barrel from which the bullet was expelled, velocity, angle, and speed measurements obtained from firing the weapon. The impact of the bullet and exit damage is also analysed to determine a match based on material and critical evidence. Given the knowledge and experience level required to produce such results, how long do you think it took to reach this unrivalled plateau ? An expert isn’t solely based on knowledge. It’s not solely based on experience either. In fact, it’s a deep mixture of both. Deep in the sense of the subject matter comprehension, and how to execute that same understanding along with real life experience to obtain the optimum result. Here’s an example   An information technology expert should be able to

    Identify and eliminate potential bottlenecks Address security concerns, Design high availability Factor in extensible scalability Consider risk to adjacent and disparate technology and conduct analysis Ensure that any design proposal meets both the current criteria and beyond Understand the business need for technology and be able to support it

    If I leveraged external consultancy for a project, I’d expect all of the above and probably more from anyone who labels themselves as an expert - or for that fact, an architect. Sadly, I’ve been disappointed on numerous occasions throughout my career where it became evident very quickly that the so called expert (who I hasten to add is earning more an hour than I do in a day in most cases) hired for his “expertise and superior knowledge” in fact appears to know far less than I do about the same topic.

    How long does it really take to become an expert ?

    I’ve been in the information technology and security field since I was 16. I’m now 47, meaning 31 years experience (well, 31 as this year isn’t over yet). If you consider that experience is acquired during an 8 hour day, and used the following equation to determine the amount of years needed to reach 10,000 hours

    10000 / 8 / 365 = 3.4246575342 - for the sake of simple mathematics, let’s say 3.5 years.

    However, in the initial calculation, it’s 10 years (using the basis of 90 minutes invested per day) - making the expert title when aligned to GDPR even more unrealistic. As the directive was adopted on the 27 April 2016, the elapsed time period isn’t even enough to carry the first figure cited at 3.5 years, irrespective of the second. The reality here is that no amount of time invested in anything is going to make your an expert if you do not possess the prerequisite skills and a thorough understanding based on previous events in order to supplement and bolster the initial investment. I could spend 10,000 practicing a particular sport - yet effectively suck at it because my body (If you’ve met me, you’d know why) isn’t designed for the activity I’m requesting it to perform. Just because I’ve spent 10,000 hours reading about something doesn’t make me an expert by any stretch of the imagination. If I calculated the hours spanned over my career, I would arrive at the below. I’m basing this on an 8 hour day when in reality, most of my days are in fact much longer.

    31 x 365 x 8 = 90,520 hours

    Even when factoring in vacation based on 4 weeks per year (subject to variation, but I’ve gone for the mean average),

    31 x 28 X 8 = 6,944 hours to subtract

    This is only fair as you are not (supposed to be) working when on holiday. Even with this subtraction, the total is still 83,578 hours. Does my investment make me an expert ? I think so, yes - based on the fact that 31 years dedicated to one area would indicate a high level of experience and professional standard - both of which I constantly strive to maintain. Still think 10,000 hours invested makes you an expert ? You decide ! What are your views around this ?

  • phenomlabundefined

    How to destroy a community before it's even built

    Blog
    4
    +0
    5 Votes
    4 Posts
    227 Views
    phenomlabundefined

    @crazycells I guess the worst part for me was the trolling - made so much worse by the fact that the moderators allowed it to continue, insisting that the PeerLyst coming was seeing an example by allowing the community to “self moderate” - such a statement being completely ridiculous, and it wasn’t until someone else other than myself pointed out that all of this toxic activity could in fact be crawled by Google, that they decided to step in and start deleting posts.

    In fact, it reached a boiling point where the CEO herself had to step in and post an article stating their justification for “self moderation” which simply doesn’t work.

    The evidence here speaks for itself.

  • phenomlabundefined

    Surface Web, Deep Web, And Dark Web Explained

    Blog
    3
    0 Votes
    3 Posts
    184 Views
    phenomlabundefined

    @justoverclock yes, completely understand that. It’s a haven for criminal gangs and literally everything is on the table. Drugs, weapons, money laundering, cyber attacks for rent, and even murder for hire.

    Nothing it seems is off limits. The dark web is truly a place where the only limitation is the amount you are prepared to spend.

  • phenomlabundefined

    RESOLVED: Blog offline for maintenance

    Announcements
    9
    3 Votes
    9 Posts
    300 Views
    gotwfundefined

    Well, just remember - No matter where ya’ go, there you are. 🏇 🐎 🐴