The Emperor's Advanced Persistent Clothing

Monday, March 12, 2012

J. Oquendo


In 1837, Hans Christian Andersen penned "The Emperor's New Clothes."

The story, for those who are unaware of it, goes like this: two charlatan weavers promise an Emperor a new suit of the world's most glamorous clothes; however, the clothes are invisible to anyone who is unfit for his position, stupid, or incompetent.

It is only after the Emperor is on parade wearing these immaculate clothes that a child cries out: "But he isn't wearing anything at all!" And so the story went, and so I begin.

The present time has brought forth some of the best minds in computer security as well as some of the most absurd. It has also brought about a flurry of self-proclaimed experts on security.

Normally I do not like being so brash, as I too am still learning the ropes when it comes to this field; however, do not mistake this learning for inexperience. I have accomplished a lot throughout my years, and the education is something I heap on myself to stay atop of the game.

Moving slightly away from security for just a moment, I will talk to you about osteoporosis. Not because I am a doctor, or have ever had to treat or diagnose anyone for it, but simply because I have worked in the medical arena and have overheard many talks about it. Not only talks, but I have also read what everyone else is muttering and I couldn't agree more: osteoporosis weakens your bones, and weaker bones will likely mean your bones can break.

With that out of the way, would anyone care to label me a subject matter expert in the medical field? Then why are we doing this with so many of these quote-unquote "Security Experts," or, as they have painfully signed their e-mails, "Security Evangelists"?

Many times, when I see the term "evangelist," I equate it with "televangelist." Then I think of people like Jim Bakker, Ted Haggard, Leroy Jenkins and Jimmy Swaggart. Criminals and charlatans [1], all pitching "God" while picking the pockets of innocent victims. In this instance, the victims are businesses and governments that have less of a clue than the "evangelists" themselves.

Make no mistake, I am the biggest culprit calling the kettle black. Anyone who has ever read anything I have written can point out the self-exaltation in my writings from a mile away. Sitting around the keyboard, I blindly spew re-hashed information in an effort to promote the company I work for. Why the hell should I care, a sucker is born every minute and should I need to scare the bejeezus out of government for contracts, so be it.

After all, this is the method of the Beltway, no? Lest I choose to further step on toes and rub garlic on any wounds, I take it all back: companies would never do such a thing. Besides, I also never promote any product and have yet to disclose where I work. So both are false - companies telling the truth and me lying in my writings.

As of this writing, there are very real threats against every network. This is not limited to governments and/or businesses. Any device that is networked is targeted for compromise, and it is not necessarily that someone is "targeting" the device per se, but rather that it is a resource to be used.

This is common logic on the Internet. If a criminal organization, a random attacker, or even a "focused" attacker can get their hands on a device, by way of a log-on for instance, they will do so. They can re-use this device as a gateway at some point. Aside from that, data is king, and data is always a good thing for an attacker.

Ever-present attacks out of the way, we still have all sorts of attackers: the disgruntled employee, the disgruntled vendor, corporate espionage types, governments, anyone under the sun. This is not new, nor is it newsworthy. What should be newsworthy is how many "security sharks" are now in the water.

Just about every other week I see no fewer than a dozen new experts in the field. I try to be optimistic in the hope that I can learn something new from some of them, but more often I shake my head in disgust at what is being passed off as "security" nowadays.

Imagine going into a trial at say a federal court and telling either a district attorney or a judge: "Your honor, I read it from John Doe who was quoting Jane Doe who got the dibs from a respected security guy who sells antivirus. While he has never analyzed a virus or instance of malware, he has read a lot about it and he theorizes that..."

See the problem with this scenario? Nevertheless, this is what security has become, and it is definitely spiraling out of control.

Disturbing as that may be, more disturbing is when some of these "experts" start believing their own hodge-podge of truths. It spreads like a cancerous tumor and ends up in the ears of politicians and decision makers who do not know any better. While I can pound the podium in the hope that politicians and key decision makers start thinking logically, the fact is that some of these "evangelists" are in some pretty serious positions.

One might once have thought: "Man, Richard has grown throughout the years. I remember him as a nobody. Now he is CTO of Company X. Maybe he will make an impact!" Only to turn around and sigh: "Man, there he goes with his APT BS."

One would think that some of these "evangelists" were perhaps bullied by Asian kids growing up. Last year, we had what appeared to be someone who took things to an extreme that bordered on "Taxi Driver" crazy with his ramblings [2]. And I am constantly asking myself, "When will this cease?"

When will some of you security professionals take a step back and, instead of focusing on marketing BS in the hope of selling shares of the Brooklyn Bridge, focus on collaborating to actually secure something?

Far too many experts in this field, yet these same experts are in companies that were compromised by low-level hackers, never mind the "advanced" ones. The irony. Eventually the emperor will wake up; what will you, the "evangelist," say to him then?

Just sayin...

[1] http://www.ondoctrine.com/00shame.htm
[2] http://attrition.org/postal/asshats/joe_black/

Cross-posted from Insinuator

Ian Tibble

Self-proclaimed titles. Gotta love it really. Subject Matter Expert is the best - slightly more recent. Evangelist? I think the first time I heard this was 2001 or so, which was roughly when the age of self-promoting MBA marketing "I'm a hacker but I grew out of it" started - the same ones who are advising western governments on cyberwarfare and why we're now hearing about cyber grenades and advanced persistent middle-person cyber nukes...but they do have CISSP so that's ok.

There is no professional accreditation program for "evangelist" or "subject matter expert" as far as I'm aware. Evangelist is used a lot...seen it on LinkedIn quite often. Why "subject matter expert" anyway? Is something like SIEM or Incident Management such a wide and varied field that it even requires a subject matter expert? Does one need to be burning the midnight oil every night for 10 years before one can call oneself a SME in some particular product in the IdM genre? A well-rounded tech enthusiast with 5 years+ experience as a plain, boringly titled Security Analyst (with no "senior" qualifier) would be the one for the job. How about subject matter expert for holding the ladder of the SME in light bulb ingress/egress consultancy?

Anyway...bleating aside. We need better accreditation - a sort of graduation program with a clear path of accreditation from tech background to security manager. I give a proposal for this in chapter 11 of my book. Ground breaking stuff? Not really. In fact I suspect that many in our beloved field are quite aware of current deficiencies but wouldn't endanger their career by publicly discussing such issues. Talk of accreditation usually gets some fairly emotional outbursts also, from lovers of democracy in the information security industry of the 21st century.

Jeffrey Faucheux

Security is mostly a superstition. It does not exist in nature.... Life is either a daring adventure or nothing.
Helen Keller, The Open Door (1957)
US blind & deaf educator (1880 - 1968)
Don Jackson

Yeah... one needs only to look as close as the latest "Gartner Magic Quadrant" to see proof of this.