Comments on Carnal0wnage Blog: The Biggest Problem in Computer Security (comment feed, 16 comments, newest first)

Great article. Also, great comments. The little I've learned so far about infosec, spending close to 20 years in ICT, repeatedly being ahead of the curve, gut feeling/vision. None of this matters. Egos are huge where I live, often the cause of 'mistakes'. For far too long emotionally challenged personalities defined who got a chance. Often from backroom conversations.

-- Anonymous, 2012-11-04 03:46 -05:00

Val,

Your post was an excellent litany of the problems we face as an industry – no question. But, like most litanies, it's a set of supplications – wouldn't it be nice if… Well, yeah, it would be great if things were better. Also, if your aunt had balls she'd be your uncle.

Don't get me wrong, your points are spot on. Ultimately, they distill down to your unicorn argument: hyper-technical, divergent, but fractally similar skill sets in an individual are a rare and precious commodity; market-driven scarcity defined!

So, when the stakes are high, and markets confused, solutions unclear, what is one to do? It's simple: breed unicorns.
Since you live in Mordor, um, New Mexico, we can look at a set of solutions that were tried out in your neck of the woods that history proved workable.
When faced with scarcity of technical know-how, Kelly Johnson and Robert Oppenheimer redefined the resource, protected it ferociously and, in the face of mind-blowing secrecy, grew cultures that attracted and retained the best minds in physics and aerospace the world had ever seen.
The obvious question is, how did they do it? For Johnson, he defined his 14 management rules. He built and demanded an environment of excellence using positive peer pressure and a hard-core nerd culture that naturally arrived at solutions to hard problems. Solutions had to be based on elegance, usability and consensus. Everyone recognized when a hack was the answer; they sensed when a solution to a requirement was optimal. If it wasn't, or the technology didn't exist, they invented it, put it on a bird and flew it. If you made the cut to join the Skunk Works, even as a junior member, that culture drove you to the limits of your ability and beyond.

Answer One: Nerd Culture, Reward Excellence, Stay Hungry, and Push Capabilities. Start with natively intelligent people, inculcate them in the business and let them excel. (Rinse, repeat)

Oppenheimer was a different story; unlike Johnson, who ruled with an iron fist, he had to answer to Leslie Groves (the very definition of a hard-ass major general). Faced with an intensely smart team (multiple future and current Nobel winners), an impossibly hard problem, and the fate of the free world on his shoulders, he did what needed to be done.

Imagine that you had a project team of 200 people; when you finally wrap your mind around the magnitude of the task, you realize you need to grow that by 30x, in the next 24 months!

Reading Hans Bethe's book you find that Oppenheimer was a hands-on manager. He understood the nature of the work in detail, he had a mind that was able to understand the technical details of the sub-tasks in a project and, most importantly, he knew how to integrate that knowledge into the whole.

That talent in a manager is as rare as a fucking magical mite riding on the back of a gold bug stuck in the ass crack of a unicorn!

If that wasn't enough, he also insulated his team from the hierarchical structure of the US Army during wartime. He created a team of spectacular geniuses, with egos to match. Egos that were well and truly justified. (How many people do you know that have fundamental constants or families of sub-atomic particles named after them?)

Answer 2: Create a culture of technical exceptionalism: make your people earn entrance to it. Protect them from false hierarchies; take bullets for them. Settle for nothing less than extraordinary. Understand your business and your customers'; drive solutions that fit them flawlessly. Find genuinely smart people -- even outside your industry -- and listen to their insights. Finally, as a leader, be present in every sense of the word. Present physically where the work is done. Present when listening to customers, employees and advisers.

There you go. Thanks for making me think today.

-- Anonymous, 2012-11-02 17:32 -04:00

Is this the same challenge any business / team has, regardless of deliverables or ideal skill set?

-- Anonymous, 2012-11-02 17:08 -04:00

"we are approaching a point in which its not feasible to have as many full spectrum experts as we currently do and still be effective"

@Chris Sanders: An excellent point, and one that I think about a lot now that I have somewhat of a perspective on how it would even be "possible" to divvy up the work that would normally require a full-spectrum expert.

In my mind, you actually DO need a full-spectrum expert as valsmith describes. However, that person doesn't have to be on HQ (e.g. US/Canada or UK/EU) soil and doesn't have to attend official meetings. They can be offshore and provide the partial automation and partial analysis necessary to pass that info on to a full-spectrum and involved analyst.

For example, there is no way that I could pass on any of my job to an offshore person unless that person understood network, operational, and app pen-testing, and was able to utilize sufficient HTTP/TLS/TCP/IP/Unix-systems knowledge along with sufficient object-oriented programming knowledge (as well as the specific target managed code frameworks, underlying patterns and libraries involved, etc.). This person may not need valsmith's number 1 ("soft skills") but they would definitely need 2-8. In fact, I may even add some to his list!

There is a reason that full-spectrum analytic capability is required. It all comes down to combinatorial explosions. If you can't analyze the issues (e.g. issues between HTTP/TLS and the OO apps that service that type of traffic) and how they relate, then there is no way to take Issue A (from HTTP/TLS space) and relate it to Issue B (from OO space) in order to uncover Issue C, which may or may not lead to Issues D, E, F, etc. Note that this applies to pen-testing, incident handling, and really any technically-focused activities in infosec.

Scaling and dividing individual capital is the real challenge here. This actually is a hiring manager problem, but this does not obscure the "biggest problem", which is acquisition and retention of these nearly non-existent full-spectrum analysts. You can't scale or divide something that you don't have in the first place.

-- dre (https://www.blogger.com/profile/17414510788948258195), 2012-11-02 12:20 -04:00

Great post. I agree with the majority of everything here. However, I think we are approaching a point in which it's not feasible to have as many full-spectrum experts as we currently do and still be effective.

I compare this to medicine. Less than a hundred years ago, you simply had "doctors". A doctor was a general practitioner, an internist, a surgeon, an ENT, and even a dentist. The scope of everything you could know about medicine was small enough that individuals could have all of this knowledge and do all of these things.

However, as our understanding of the human body grew, it became impossible for individuals to gain all of the necessary knowledge and experience in every area and still be effective. As a result, specialties came about. Effective patient care now relies on the combined efforts of specialists.

That said, what do physicians have that we don't? Training standards, licensing requirements, residencies, and things like that which are all very effective. Every doctor has to get a baseline of skills required for all specializations, and then they complete further training for their specialty. Not only that, they are trained in how to effectively work with other specialties.

Unfortunately, I'm not sure if our industry will ever accept anything like that.

-- Chris Sanders (http://www.chrissanders.org), 2012-11-02 11:38 -04:00

I agree with you but I think there is another perspective that you are missing. I worked as a pentester for small companies and have never worked with/for a company with a 12-person IT staff, much less a 12-person security staff. Most of the companies I work for lack the infosec maturity to even have a pentest (http://wp.me/p1jUmx-2x), but they are required to/want to for a myriad of reasons. For these companies, doing deep packet analysis, writing 0-days, etc. doesn't make sense because they don't have anyone on staff who would even understand it.
For these companies, points 1, 2, 6, and 8 become vitally important while the others tend to fade away. So, yes, the problem in infosec is a lack of good people, but no, you don't have to spend 6 extra hours a day training to be a unicorn to be relevant or useful in the infosec industry.

-- AverageSecurityGuy (http://www.averagesecurityguy.info), 2012-11-02 09:31 -04:00

I have been invited for an interview at Dell SecureWorks next week. There are 5 vacancies. I worry the whole team just left because of the problems you describe. I am not a security expert and actually turned down the interview, but they want me to interview anyway. Your post helped me quickly gain an understanding. I am out of my depth (and admitted so) yet intrigued to interview.

-- Anonymous, 2012-11-02 09:20 -04:00

Dude! I think you nailed it! Thanks for this great blog post! I will definitely share it as I think it's a great wake-up call for the infosec community / security industry. I think it provides some really good advice for many of us to build ourselves a roadmap on how to better use our spare time in the next months/years ;-) - Michel

-- Michel (https://www.blogger.com/profile/08693279815506663174), 2012-11-02 09:13 -04:00

Fine man, I'm not taking you out for beers next time you're in Houston :). Nice post though.

-- Anonymous, 2012-11-02 04:35 -04:00

So True. Excellent post.

-- Manos Gal (https://www.blogger.com/profile/17027706658406826944), 2012-11-02 03:44 -04:00

I agree that hiring managers and HR departments are often looking for skill sets that are extremely rare. It's not necessary to find individuals that have broad experience with as broad a range of tools and responsibilities as you laid out, though. It's more realistic to acquire and develop staff that are specialists in some areas and generalists in others and build a culture and processes that allow them to function well as a team.

I'd argue that traditional soft skills, critical thinking, and prioritization/negotiation are the biggest gap areas for those entering the information security field. Universities, conferences, and people that have an opportunity to emphasize this need and develop those entering the field, or preparing to, are doing an inadequate job. It's a complicated problem and we're our own worst enemy because it's not something most of us want to dedicate our time towards addressing proactively via blogs, conferences (not that it would appeal to many since it's not sexy), podcasts, outreach, etc.

-- Steve Werby (http://justifiableparanoia.com/), 2012-11-01 21:36 -04:00

Anonymous, I can't say I disagree with you in principle. You don't have to be so grouchy though!

-- valsmith (https://www.blogger.com/profile/08392905099646494750), 2012-11-01 19:25 -04:00

Oh yes, qualified infosec professionals are magical unicorns and special snowflakes that deserve mountains being moved just for them. Seriously, the real problem in information security is egotism.

-- Anonymous, 2012-11-01 17:48 -04:00

Another quick comment because I had another thought.

The book "IT Security Metrics" by Lance Hayden has an interesting chapter which covers staffing.
Chapter 9 on "Measuring Security Cost and Value" goes over how to staff to the number of incidents (based on probability using a Poisson distribution), as well as how to make sure that the necessary skill types/man-hours fit into the business operational processes.

-- dre (https://www.blogger.com/profile/17414510788948258195), 2012-11-01 17:40 -04:00
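The Poisson staffing idea dre points to above, carried through as an added example. This is editor-supplied code, not from Hayden's book, the blog post or any commenter, and it does not claim to reproduce the chapter's method. The model and every number in it are assumptions: weekly incident counts follow a Poisson distribution with mean `lam`, each incident costs an average number of analyst-hours, each analyst has a fixed weekly budget of hours for incident work, and the team is sized so that the probability of a week's incidents exceeding capacity stays at or below a target. The function and variable names are the example's own.

```python
from math import ceil, exp, lgamma, log


def poisson_cdf(k: int, lam: float) -> float:
    """P(N <= k) for N ~ Poisson(lam), summed term by term in log space.

    Summing exp(i*ln(lam) - lam - ln(i!)) avoids overflow of lam**i and i!
    for large i; the result is clamped to 1.0 against rounding drift.
    """
    if k < 0:
        return 0.0
    if lam <= 0:
        return 1.0  # no arrivals at all: P(N <= k) = 1 for any k >= 0
    total = 0.0
    for i in range(k + 1):
        total += exp(i * log(lam) - lam - lgamma(i + 1))
    return min(total, 1.0)


def weekly_capacity(analysts: int, hours_per_analyst: float,
                    hours_per_incident: float) -> int:
    """Whole incidents a team can close in a week from its incident-hour budget."""
    return int(analysts * hours_per_analyst // hours_per_incident)


def mean_based_analysts(lam: float, hours_per_incident: float,
                        hours_per_analyst: float) -> int:
    """Naive headcount: staff to the average weekly workload only."""
    return ceil(lam * hours_per_incident / hours_per_analyst)


def analysts_needed(lam: float, hours_per_incident: float,
                    hours_per_analyst: float, max_overflow_prob: float = 0.05,
                    max_analysts: int = 500):
    """Smallest team whose weekly overflow probability P(N > capacity) <= target.

    Returns (analysts, capacity_in_incidents, overflow_probability).
    Raises ValueError if no team up to max_analysts meets the target.
    """
    for n in range(1, max_analysts + 1):
        cap = weekly_capacity(n, hours_per_analyst, hours_per_incident)
        p_over = 1.0 - poisson_cdf(cap, lam)
        if p_over <= max_overflow_prob:
            return n, cap, p_over
    raise ValueError("target not reachable within max_analysts")


if __name__ == "__main__":
    # Assumed inputs, constructed for the example rather than measured data.
    LAM = 10.0               # mean incidents per week
    HRS_PER_INCIDENT = 8.0   # average analyst-hours per incident
    HRS_PER_ANALYST = 32.0   # weekly hours one analyst can give to incidents

    naive = mean_based_analysts(LAM, HRS_PER_INCIDENT, HRS_PER_ANALYST)
    naive_cap = weekly_capacity(naive, HRS_PER_ANALYST, HRS_PER_INCIDENT)
    print(f"mean-based: {naive} analysts ({naive_cap} incidents/week), "
          f"overflow in {100 * (1 - poisson_cdf(naive_cap, LAM)):.1f}% of weeks")

    n, cap, p = analysts_needed(LAM, HRS_PER_INCIDENT, HRS_PER_ANALYST)
    print(f"5% target:  {n} analysts ({cap} incidents/week), "
          f"overflow in {100 * p:.1f}% of weeks")
```

With the assumed inputs, staffing to the mean gives 3 analysts (12 incidents per week of capacity), and a Poisson(10) week exceeds that about 21% of the time; holding overflow to 5% needs 4 analysts (16 per week, about 2.7% overflow). The caveats are the ones any queueing model carries: arrivals are treated as independent and memoryless, and unhandled incidents are assumed to vanish at the week boundary rather than carry over as backlog, so a real estimate should also be checked against overdispersed (bursty) incident data and a carry-over term.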
The curriculum at pentest.cryptocity.net is nice.

What I have found is that you need the right kind of learner. They don't have to be autodidactic to the point of Asperger's. What hiring managers need to acquire is a mix of individuals who not only learn differently, but also view risk differently.

There are three frameworks I use to judge these learning capabilities and risk perspectives. The first, for learning, is Howard Gardner's theory of Multiple Intelligences. The best information security professionals will be "on the map" in terms of intrapersonal learning, just as their hiring managers will excel at interpersonal learning. The other frameworks I use to understand a person's risk perspective are the OCAI framework and the Competing Values Framework.

Personally, I learned about Multiple Intelligences from Mercury Interactive's train-the-trainer programs (having been involved with many TTT programs at Cisco Systems in the late 90s/early 2000s), which have extended into the HP products/services (disclaimer that I currently work for HP). I learned about OCAI and the Competing Values Framework from the Krag Brotby book on Information Security Management Metrics. I've been searching for equivalent work in other related fields, but feel somewhat unimpressed/underwhelmed by books such as Pre-Employment Background Investigations for Public Safety Professionals.

The most difficult information security expertise area that I have found (besides the communication, instructional capital, and individual capital problems that you describe so clearly -- which really become issues of human resource organizational behavior and organizational development) has been with the merging of the fields of application development and full-scope penetration testing. Application development has its own set of mirrored problems for instructional/individual capital. I think most of these application development issues are described well in the book "Emergent Design: The Evolutionary Nature of Professional Software Development". This book specifically mentions problems in the software profession: 1) Lack of a specialized language, 2) No clear path to entry, 3) Little, if any, peer review, and 4) No authoritative standards and practices. Sound familiar?

Valsmith, I really value your views on operational penetration testing. I think one of the most underrated expertise areas in our field is actual IT/Ops "in-the-trenches" experience, which only comes by doing simply just that. You can study and play all you want for 2 years or however long, but until you see the cogs move and how computers stay up (the "A" in CIA) and perform correctly -- you might be completely lost compared to someone with this exposure.

-- dre (https://www.blogger.com/profile/17414510788948258195), 2012-11-01 17:11 -04:00

Very good post!!

-- fluffyblockchain (https://www.blogger.com/profile/14604190495182189977), 2012-11-01 17:02 -04:00