In 1837, Hans Christian Andersen penned "The Emperor's New Clothes."
The story for those who are unaware of it goes like this: Two charlatan weavers promise an Emperor a new suit of the world's most glamorous clothes however, the clothes are invisible to those unfit for their positions, stupid, or incompetent.
It is only after the Emperor is on a parade wearing these immaculate clothes that a child cries out: "But he isn't wearing anything at all!" And so the story went, and so I begin.
Present time has brought forth some of the best minds in computer security as well as some of the absurd. It has also brought about a flurry of self-imposed experts on security.
Normally I do not like being so brash as I too am still learning the ropes when it comes to this field however, do not mistake this learning for in-experience. I have accomplished a lot throughout my years and the education is something I heap on myself to stay a-top of the game.
Moving slightly away from security for just a moment, I will talk to you about Osteosporosis. Not because I am a doctor, have ever had to treat or diagnose anyone for it, but simply because I have worked in the medical arena and have overheard many talks about it. Not only talks, but I have also read what everyone else is muttering and I couldn't agree more; Osteosporosis weakens your bones, and weaker bones will likekly mean your bones can break.
With that out of the way, would anyone care to label me a subject matter expert in the medical field? Then why are we doing this to many of these quote on quote "Security Experts" or as they have painfully signed their e-mails: "Security Evangelist."
Many times, when I see the term "evangelist" I always equate it with "televangelist. Then I think of people like: Jim Bakker, Ted Haggard, Leroy Jenkins and Jimmy Swaggart. Criminals and charlatans  all pitching "God" while picking the pockets of innocent victims. In this instance, the victims are businesses and governments that have less of a clue than the "evangelist" themselves.
Make no mistake, I am the biggest culprit calling the kettle black. Anyone who has ever read anything I have written can point out the self-exaltation in my writings from a mile away. Sitting around the keyboard, I blindly spew re-hashed information in an effort to promote the company I work for. Why the hell should I care, a sucker is born every minute and should I need to scare the bejeezus out of government for contracts, so be it.
After all, this is the method of the Beltway no? Lest I choose to further step on toes and rub garlic on any wounds I take it all back, companies would never do such a thing. Besides, I also never promote any product and have yet to disclose where I work. So both are false - companies telling the truth and me lying in my writings.
As of this writing, there are very real threats against every network. This is not limited to governments and or businesses. Any device that is networked is targeted for compromise and it is not necessarily that someone is "targeting" the device per se, but rather it is a resource to be used.
This is common logic on the Internet. If a criminal organization or random attacker or even "focused" attacker could get their hands on a device either via way of a log-on, they will do so. They can re-use this device as a gateway at some point. Aside from that, data is king and data is always a good thing for an attacker.
Ever-present attacks out of the way, we still have all sorts of attackers. The disgruntled employee, disgruntled vendor, corporate espionage types, governments, anyone under the sun. This is not new, nor is it newsworthy. What should be newsworthy is how far too many "security sharks" are now in the water.
Just about every other week I see no less than a dozen new experts in the field. I try to be optimistic in the hopes that I can learn something new from some of the guys but most often shake my head in disgust at what is being passed as "security" nowadays.
Imagine going into a trial at say a federal court and telling either a district attorney or a judge: "Your honor, I read it from John Doe who was quoting Jane Doe who got the dibs from a respected security guy who sells antivirus. While he has never analyzed a virus or instance of malware, he has read a lot about it and he theorizes that..."
See the problem with this scenario? Nevertheless this is what security has become and it is definitely spiraling out of control.
Disturbing as that may be, more disturbing is whenever some of these "experts" start believing their own hodge-podge of truths. It spreads like a cancerous tumor and ends up in the ears of politicians and decision makers who do not know any better. While I can pound the podium in hopes that politicians and key decision makers start thinking logically, the fact is, some of these "evangelists" are in some pretty serious positions.
One would have thought once upon a time: "Man, Richard has grown throughout the years. I remember him as a nobody. Now he is CTO Company X. Maybe he will make an impact!" Only to turn around and sigh: "Man, there he goes with his APT BS."
One would think that some of these "evangelists" were perhaps bullied by Asian kids growing up. Last year, we had what appeared to be someone who took things to an extreme that bordered on the line of "Taxi Driver" crazy with his ramblings . And I am constantly asking myself "When will this cease?"
When will some of you security professionals take a step back and instead of focusing on marketing BS, in hopes of selling shares of the Brooklyn Bridge, focus on collaborating to actually secure something.
Far too many experts in this field, yet these same experts are in companies that were compromised by low level hackers forget about the "advanced" ones. The irony. Eventually the emperor will wake up, what will you the "evangelist" say to him then?
Cross-posted from Insinuator