[attrition] Is your "cyber security expert" full of shit?

security curmudgeon jericho at attrition.org
Mon Sep 26 04:05:27 CDT 2011


This is a great read and very accurate.

---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://www.haftofthespear.com/?p=1913

By Mike
Haft of the Spear
August 7, 2011

Hundreds if not thousands of cyber security practitioners converged on Las 
Vegas this past week. They came to see and be seen, to occasionally share 
some newfound insight, but largely for the same reason everyone goes to 
Vegas . . . do I really need to elaborate?

The media love these conferences because it's easy to get quotes from 
"experts" since, well, no one admits to not knowing everything once they 
realize a reporter is within earshot. Therein we find a serious problem: 
how to tell the difference between a real expert and a pseudo one. Who 
truly has a broad base of knowledge about a wide range of related topics 
(exceedingly rare), or who is a mile deep in one area of emphasis 
(plentiful)? Who is the actual, technical guru (mildly Asperger-ish), and 
who is the security celebrity (glib, speaks in sound bites, blindingly 
white smile)?

He calls something "sophisticated" or "advanced" without justification

Just about every adjective applied to things-malicious online cannot be 
supported in any objective fashion. If the analysis applied to malicious 
software or attack methodology were applied to any other phenomenon that 
we apply scientific methods or practices to, it would be treated like 
astrology. There is no commonly accepted lexicon for what is advanced or 
difficult or sophisticated or complex. You could focus on a threat actor's 
motivations and ascribe something more complicated at play than simple 
profit (say, Stuxnet, for which there are pretty clear political-military 
implications) but it has been a very long time since anyone has done 
something truly original (read: for which we have no defense -- no matter 
how woefully inadequate -- and is a complete surprise to everyone) or 
something has been discovered that is not simply evolutionary, in the 
cyber security realm.

[...]
