[ISN] Is your "cyber security expert" full of s***?

From: InfoSec News <alerts_at_private>
Date: Mon, 26 Sep 2011 03:42:01 -0500 (CDT)
http://www.haftofthespear.com/?p=1913

By Mike
Haft of the Spear
August 7, 2011

Hundreds if not thousands of cyber security practitioners converged on 
Las Vegas this past week. They came to see and be seen, to occasionally 
share some newfound insight, but largely for the same reason everyone 
goes to Vegas . . . do I really need to elaborate?

The media love these conferences because it’s easy to get quotes from 
"experts" since, well, no one admits to not knowing everything once they 
realize a reporter is within earshot. Therein we find a serious problem: 
how to tell the difference between a real expert and a pseudo one. Who 
truly has a broad base of knowledge about a wide range of related topics 
(exceedingly rare), or who is a mile deep in one area of emphasis 
(plentiful)? Who is the actual, technical guru (mildly Asperger-ish), 
and who is the security celebrity (glib, speaks in sound bites, 
blindingly white smile)?

He calls something "sophisticated" or "advanced" without justification

Just about every adjective applied to things-malicious online cannot be 
supported in any objective fashion. If the analysis applied to malicious 
software or attack methodology were applied to any other phenomenon that 
we apply scientific methods or practices to, it would be treated like 
astrology. There is no commonly accepted lexicon for what is advanced or 
difficult or sophisticated or complex. You could focus on a threat 
actor’s motivations and ascribe something more complicated at play than 
simple profit (say, Stuxnet, for which there are pretty clear 
political-military implications) but it has been a very long time since 
anyone has done something truly original (read: for which we have no 
defense -- no matter how woefully inadequate -- and is a complete 
surprise to everyone) or something has been discovered that is not 
simply evolutionary, in the cyber security realm.

[...]


_____________________________________________________________
Register now for the #HITB2011KUL - Asia's premier
deep-knowledge network security event now in it's 9th year!
http://conference.hitb.org/hitbsecconf2011kul/
Received on Mon Sep 26 2011 - 01:42:01 PDT

This archive was generated by hypermail 2.2.0 : Mon Sep 26 2011 - 01:48:18 PDT