A Cynics guide to Infosec Consultancy

Friday, June 18, 2010

Javvad Malik


So you want to be an infosec consultant? If you’re like most guys, its better you consider a career in risk management or audit. Or maybe you’ve already got some variation of “security” in your job title but are stuck in a rut. Results are coming slowly and career progression is almost non-existent. What you need is a dose of cynic motivation to deliver a swift kick in the complacency. I’m going to introduce the cynics philosophy that has worked wonders for me and many others.

Cynic method of inspiration?

 There are two parts to the infosec cynic trainer method of getting great results quickly.  

   1. Work for a large bureaucratic organisation.
   2. Have your own bureaucratic toolset to supplement the organisations bureaucracy

Signs of a good infosec consultant

 No-one understands what you are truly saying, but believe that what you are saying is of the utmost importance

 The project manager resigns after you send your first draft of security requirements

 The second project manager over doses on a cocktail of alcohol and painkillers once they’ve seen the security requirements.

 The project doesn’t move at all for two months

 During meetings you hear a lot of swearing, then realise its all being directed towards you.

 All risks are either rated as “catastrophic” or “Armageddon” no less.

 No evidence is sufficient to close an identified risk

 “Sounds great but how do I do it?”

I’m glad you asked. The first thing you need is a fellow cynic or two to be your partner. (two is better than one, as it reduces the possibility of one person wimping out and dragging the intensity of security requirements down to a sane level.) Whether the colleague is senior or junior to you is irrelevant, attitude is everything (the more sadistic, the better).

 “I’m ready, what can I do to become cynic partner?”

To truly become a cynic, we need to study one of the most motivating people of our current day and age and emulate them. Rent the film “full metal jacket” and pay close attention to the drill sergeant. This is possibly the best role model for a cynic. He elevated recruits to a physical level that they didn’t think they could reach, all through fear, intimidation, force of will and humiliation. This is a good thing. You can also push organisations to reach a level of security they could never reach on their own.

Beware the slacker

The arch nemesis of the cynic is the slacker. You need to find when and where your partner is slacking, and this may not be obvious. If your partner manages to sign off a project without pushing the project manager to the verge of breakdown where your bosses bosses boss is feeling the heat then it’s a sign he needs to turn up the heat. Sometimes he’ll “take the techies word for it”. Don’t let him do it, make every person provide evidence and then verify that evidence against an independent source.

 Don’t ever take the application developers word for it that the design is secure, get it pen tested, then pen tested again. Pick holes in it and even run it on obscure operating systems to ensure all eventualities are considered.

 If someone shows you a PCI DSS or ISO27001 certificate, rip it up in their face, laugh at them and then start the whole process all over again.

Everyday consultancy rut and the lying principle

Lying to seniors is one of the best ways to snap out of a usual rut. If you’re doing a risk assessment and say the director tells you that some fancy audit company found only 5 minor vulnerabilities. You say that you found 20 serious flaws in the process that are probably leading to 50 billion in losses annually. Senior managers don’t understand anything other than numbers. As soon as you’ve assigned an arbitrarily high figure to any loss, they’ll be interested.

Keeping motivated is important

Total effort should be given to each and every consultancy task. There is no excuse for simply rattling off policy requirements and walking away. You have to instil within the project team, business area and technology support geeks an urge to take security seriously. Anger, fear and humiliation are the cornerstones of the motivation.

 You call this a project plan? From where I’m from they would call this toilet paper!

 Secure this application you worthless piece of s**t.

 This department is like an old person, slow and ugly.

 Of course its difficult, its security

 That’s not bad… for a girl

 Worthless must have been on sale, it appears you stocked up

 Feel free to improvise on the above list.

Pay attention, demand more

If you see that its possible to close down 1 vulnerability, insist that 3 get closed down. Know your business, know its limits, push it beyond those limits. Only then can true security be achieved.

This article was orginally published on www.infoseccynic.com

Possibly Related Articles:
Enterprise Security Security Awareness
Post Rating I Like this!
Taz Wake Brilliant.

I will take all this advice to heart and ensure I begin using it at tomorrows project meetings.

Vulcan Mindm3ld Excellent.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.