Do you get the feeling that the information security industry has really changed in the last 3-5 years? Set aside the obvious: the industry is much larger, of higher public profile, and much better funded across the board. I would venture to guess that, way back when, say, in the dark ages of 1999, the primary reason people chose to get into the field of information security was to “live the Hacker Culture 24×7”. To better define what I am talking about, let’s venture over to linkspamopedia for a definition:
“In academia, a hacker is a person who follows a spirit of playful cleverness and enjoys programming. The context of academic hackers forms a voluntary subculture termed the academic hacking culture.”
This is why I got into the security industry. I like to take things apart to see how they work, break things, and try to put them back together. After college, I could have easily gone the route (which was much higher paid and more high profile at the time) of a full time programmer. I chose to take a route where I would make less, but do much more interesting things on the job.
In 2009, I get the feeling that professionals are entering the information security field to become some sort of a “digital security guard”. Let’s check the definition again:
“A security guard or security officer, is usually a privately and formally employed person who is paid to protect property, and/or assets, and/or people. Often, security officers are uniformed and act to protect property by maintaining a high visibility presence to deter illegal and/or inappropriate actions.”
I think there are too many InfoSec professionals looking at their job duties as a sort of IT rent-a-cop. Don’t mistake what I am driving at here: I am by no means saying we do not need a monitoring function as part of a holistic information security practice! Let’s take an example to illustrate my point further: the job of an IDS/IPS analyst.
As a subscriber to the Hacker Culture School of Information Security, if I get an IDS/IPS analyst job, the first thing I am going to do is take my IDS/IPS equipment apart. I’ll blast it with all sorts of horrendously mangled traffic and see what gets by it. I’ll try to understand what types of shellcode can defeat its monitoring capabilities. Perhaps it can detect covert channels by looking at the randomness in the distribution of character sets; perhaps it can’t detect a simple shell that is XORed with a predetermined value. You get the idea. I can then apply what I have learned about the chinks in the armor of my primary defensive weapon, so I now know which attackers are going to be able to defeat my tools.
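As an added illustration of that last point (example code, not from the original post), here is the kind of byte-distribution check an analyst could prototype while figuring out what the box can and cannot see: a constructed HTTP request next to the same bytes XORed with one fixed key. A Shannon-entropy measure cannot tell the two apart, because XORing with a single constant only relabels byte values, while a printable-character ratio can.

```python
"""Byte-distribution checks of the kind an analyst might prototype while probing
what an IDS can and cannot see. The sample payload below is constructed."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for one repeated value, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x20-0x7e) or common whitespace."""
    if not data:
        return 0.0
    text = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return text / len(data)


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte with one fixed key: the 'predetermined value' case above."""
    return bytes(b ^ (key & 0xFF) for b in data)


def assess(data: bytes, min_printable: float = 0.8) -> dict:
    """Report both measurements, but base the verdict only on the printable ratio.

    Entropy is reported and deliberately not used: XOR with one fixed byte is a
    bijection on byte values, so the frequency histogram (and therefore the
    entropy) is identical before and after encoding. An entropy-only check is
    blind to this case; the printable ratio is not."""
    ent = shannon_entropy(data)
    pr = printable_ratio(data)
    return {"entropy": ent, "printable_ratio": pr, "suspicious": pr < min_printable}


# Constructed sample: a plain HTTP request and the same bytes XORed with 0xAA.
PLAIN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
ENCODED = xor_with_key(PLAIN, 0xAA)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("xor-0xAA", ENCODED)):
        print(label, assess(blob))
```

Because 0xAA has the high bit set and every byte of the ASCII request does not, every encoded byte lands outside the printable range, so the ratio drops from 1.0 to 0.0 while the entropy is unchanged to the last digit.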
A subscriber to the Rent-a-cop School of Information Security will likely spend his first month implementing signatures to catch employees playing fantasy football. He’ll push for even more draconian policies to restrict something that is actually useful to the business and poses little to no threat, such as not allowing employees to use a non-standard file compression tool. All the while, the 21st century digital security guard quietly plays fantasy football and runs WinRAR on his corporate laptop. Meanwhile, the Canadian Mafia (yes, there is a Canadian Mafia; no, it’s not always the Russian Mafia) snags 21 million credit cards through the IDS/IPS he hasn’t bothered to understand.
Well, enough ranting for one year.