Wednesday, June 24, 2015

Databases, Parsers, and Sprinklers

So, quick confessional: I've been so busy lately that I forgot about a deadline that I actually set in the first place.  That's the bad news.

The good news is I've made a lot of progress in the last week and a half.  Regarding my final project, I've created an Entity Relationship Diagram (ERD) that maps out all of the tables, their fields, primary and foreign keys, etc.  I used a tool called MySQL Workbench, which is written by Oracle for MySQL users.

https://www.mysql.com/products/workbench/

It's pretty great if you're going to develop databases to be used in production, but it's also just super-rad if you need to design the schema and then reverse-engineer some SQL.  I used it for the latter.  I'm now at a point where I think I can begin working on my Python parsers to put the raw XML data from our network discovery and vulnerability scans into a format more easily imported into a database (most likely .csv).
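As an added example (not the author's code or the Workbench tool's), here is the shape such a parser could take: it reads a constructed scan XML whose element names are assumed rather than taken from any real scanner, and emits CSV rows for a hosts table and a findings table joined on host ip, ready for a MySQL import.

```python
# Added example (not the author's code): turn a constructed scan XML into normalized
# CSV rows for two tables, hosts and findings, joined on host ip. The element names
# are hypothetical; Nmap, Nessus and OpenVAS each use their own schema.
import csv
import io
import xml.etree.ElementTree as ET
# Constructed sample input (assumed format, not any real scanner's output).
SAMPLE_XML = """<scan started="2015-06-20">
  <host ip="10.0.0.5" hostname="web01">
    <port number="80" protocol="tcp" service="http"/>
    <vuln id="V-0001" severity="High" port="80">Outdated web server, EOL branch</vuln>
    <vuln id="V-0002" severity="low" port="80">Server banner disclosed</vuln>
  </host>
  <host ip="10.0.0.9" hostname="db01">
    <port number="3306" protocol="tcp" service="mysql"/>
  </host>
</scan>"""

HOST_FIELDS = ("ip", "hostname", "scan_date")
FINDING_FIELDS = ("vuln_id", "host_ip", "port", "severity", "title")

def parse_scan(xml_text):
    """Return (host_rows, finding_rows); host_ip in findings is the foreign key."""
    # For scanner output you did not generate yourself, prefer defusedxml over
    # plain ElementTree so entity-expansion tricks in the file cannot hurt you.
    root = ET.fromstring(xml_text)
    scan_date = root.get("started", "")
    hosts, findings = [], []
    for host in root.iter("host"):
        ip = host.get("ip")
        if not ip:
            continue  # no primary key, so the row could not be imported anyway
        hosts.append({"ip": ip, "hostname": host.get("hostname", ""), "scan_date": scan_date})
        for vuln in host.iter("vuln"):
            findings.append({
                "vuln_id": vuln.get("id", ""),
                "host_ip": ip,
                "port": vuln.get("port", ""),
                "severity": vuln.get("severity", "").lower(),  # normalize for a lookup table
                "title": (vuln.text or "").strip(),
            })
    return hosts, findings

def to_csv(rows, fields):
    """Serialize dict rows to CSV with a header; quoting handles commas in titles."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Each table's CSV can then be loaded with `LOAD DATA` or Workbench's import wizard; the lowercased severity makes a small severity lookup table straightforward.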

Aside from that, we've been working on a new project at the office.  I don't think I can talk much about it publicly right now, but the guys that I work for are incredibly smart and are onto something big that will likely change the way people look at security in the area.

This brings me to an observation that I've made since starting with this security consulting company: there are a lot of people that probably don't care enough about security.  I understand that it's difficult to maintain perspective when you take on a specialization.  All of the network engineers probably say, 'we don't have enough people to manage these firewalls, and they buy us crap to work with!'  The help desk specialists say, 'people don't care about the equipment or how to use it!  We need to spend more on training and better hardware!'  Everyone probably thinks their specialization is a little more important than the rest.

That's how I've recently started to feel about security.  I don't understand why people aren't more concerned.  You install fire alarms and sprinklers to protect your physical assets (which are totally replaceable), but you won't lift a finger to protect your digital assets?  I use the general 'you' here, which really means 'some of the companies I've run across'.

Granted, there are many clients that are very involved in the development of their security program.  These clients are motivated to receive assessments and get better.  That's the attitude everyone should have.  Unfortunately, I think some people won't learn until it's too late.

In other news, the only other thing worth mentioning is that I've been doing a lot more lately with Social Engineering.  I think it's very interesting, and I enjoy it a ton, but I'll save that for next time!
