We Are Infosec Professionals - Who the Hell Are You?

Thursday, July 14, 2011

Javvad Malik



After I explained to someone that I worked in Information Security, they commented, “well there’s not much you guys do given all the hacking that’s gone on lately.”

Deep breath. Control pulse. Be calm.

I could have just explained how a lot of the so-called hacking attacks were actually DDOS. Or the fact that human error was responsible for a lot. But my mind wandered to a few things.


Last winter my boiler stopped working, so I had no hot water or heating. With temperatures not going far above zero degrees I was glad I had emergency home cover provided by NatWest bank…

Unfortunately due to their sheer incompetence (a long story) I still had no hot water or heating despite promises and engineer visits. Eventually I got a private engineer in who fixed it all and saved my kids from hypothermia.

Not too long ago, I returned home with my family to find our house had been broken into. Jewellery and other valuables had been taken and the whole house turned upside down.

The police couldn’t do much beyond provide a crime reference number and closed the investigation a week later.

On the other hand, a couple of months on and the insurance company (NatWest surprisingly) are still conducting their investigation to try and determine how little was taken so they can compensate me with a McDonalds voucher. In essence, the thieves have robbed me and now NatWest is doing its best to rob me too.

When you look at the recent news columns dedicated to the News of the World phone hacking scandal, you begin to see not only the depths to which the media sink to in order to get a bit of tabloid gossip, but also how incompetent the police are in actually stopping any crime whatsoever.

Unless you happen to be a driver who is stopped doing 33mph in a 30mph zone at midnight… just think of the kids you could have killed driving like that you irresponsible person!

You go to Doctors and they are just as incompetent. Firstly, they have never done any research into medical conditions themselves or the effects of medication. They leave that to pharmaceutical companies to sort out. They just end up trying to match symptoms to a drug.

Knowing full well that hardly any of their medication actually cures and will only serve to block the pain or provide temporary relief. For example, if you’ve got a headache, a painkiller will suppress the pain without actually fixing the root cause (ask anyone who suffers from migraines).

Alternatively, if you’re diabetic, they’ll get you on insulin which you then have to inject daily for the rest of your life. It doesn’t cure the root cause and surprise surprise only puts more money in the pockets of the pharmaceutical companies who do all the so called research to start with.

*back to original conversation*

So I responded:

“I work in an industry with people who have more talent in one finger than you have in your entire existence. A place where hundreds of thousands of websites take payment online without being hacked, where billions of records are stored in databases which are secured by people like me."

"Where investigators actually trawl through logs line by line to piece together where things went wrong to prevent them happening again. We don’t give up like the police because we can’t be bothered. We don’t put in temporary fixes like doctors to keep you dependent upon us unnecessarily and we certainly don’t provide you with a false sense of security like insurance companies."

"We’re the people who do our jobs – who the f*&^ are you?”

Kenneth Bechtel

Not to detract from the point of the article, but you, like many people, have fallen for a simple myth. Unlike the Computer Security industry, the police are NOT there to prevent anything. If they witness a crime in progress, good on them, they can stop a crime in progress. If they are present at the scene of a crime and the criminal sees them, they MAY rethink and do their crime elsewhere or another time, but on occasion they do commit the crime with the police present. The job of the police is to take reports, investigate crimes, and arrest wrongdoers, essentially an armed historian (to borrow from a friend of mine). To "prevent" crime would require mind reading, and 1984 type laws of "thought crimes", and I don't think any of us wish to live in that type of world.
Josh Stemp

I believe that this article is quite true. So many people I know are getting all bent out of shape and losing all heart and faith in what infosec professionals are saying and doing that they are thinking that we are all full of it. I understand that paranoia is the best way to stay safe in the digital era; but when it is hard enough to convince people to understand the importance of what we advise in the first place, this only makes it that much harder for us to do our jobs from day to day.
Trent Williams

@Kenneth, I think Javvad's inclusion of the police as an example is great because it highlights the fact that our job as infosec professionals is not only to prevent an incident, but also to respond to one. To liken his point about the police investigating the home robbery, that would be like an incident response specialist (which cops are) quickly coming to the conclusion that something was taken, we've got some notes on who it might be (between 15 and 45 years old, possibly in Eurasia) and will keep an eye out for any more suspicious activity, case closed. Would we get fired on the spot? Probably, yet this is status quo for many other professions.
Vulcan Mindm3ld

Nice article and I think it captures the sentiments of most security professionals. If I hear one more non-technical person say, “Those kids are running circles around you so-called professionals” I am going to punch someone in the throat.

The author's reference to “human error” and Josh's statement on “the importance of what we advise in the first place” just drives a knife through my heart. Yes, some of the recent attacks are prime examples of how an infrastructure can collapse like a house of cards regardless of the technology.

The most basic password best practices were not followed and lack of processes (or simply not followed) allowed the victims to be socially engineered too easily – changeme123.

It makes me wonder about an organization's culture which has top-level executives with root level access and admins jumping through hoops at a moment's notice to help via email. The same executive using the same passwords over and over.

This is not limited to executives. :-(
Josh Stemp

@Vulcan, I can agree with you about the fact that it is not only executives that can cause an infrastructure to crumble and that an organization's defenses are only as great as the least educated user in that organization, but the reason I made that comment regarding "the importance of what we advise in the first place" was directed primarily towards executives, but can be pointed really at anyone in the organization.

I was recently in a meeting with other IT network and security folks in my organization and we were discussing policies on mobile devices. All of us IT folks were pressing for a 5 minute screen lock after which would require a pass/pin to re-access the device. All of us thought this was great from a security standpoint, however one of the folks in the room had already attempted this in his department and the admin within that department was, well needless to say, upset. The admin required the screen lock time then be pushed to 20 minutes. After the admin pushed the limit, so did all of the users and IT was essentially forced out to 20 mins due to lack of equipment to enforce this policy on users' devices.

Now this wasn't my department, but rather a story from the IT manager in that department. But regardless, we security staff recommend against certain policies for a reason, as this is how we are trained to think, but nobody cares what we have to say until something happens: something that everyone thinks we should have prevented.

I also agree that users need to be educated so that they are not so susceptible to social engineering, and follow standard guidelines on security that absolutely must be followed, just like complex passwords as you mentioned. I did not mean to offend you, but to simply underline the idea that security isn't always as easy as dropping the ban hammer on something and that the public really doesn't understand (or appreciate) what we do daily; not to mention that the non-technically savvy media doesn't help much either.
Vulcan Mindm3ld

You didn't offend me! And I only added "not limited to executives" because I didn't want to offend any of them!

Thanks for the great feedback!
Rod MacPherson

What surprises me is hearing that in response to the PSN hack Sony hired a CISO. ...wait, Sony, the big media company with all kinds of IP to protect, not to mention the customer data that got hit in this (these) incident(s), didn't have a CISO already?

To me that's like hearing that a Las Vegas casino got robbed and decided they should have a head of security.
Robb Reck

I find the article interesting, but I actually see some stark similarities between what we do in Information Security, and what the medical professionals do. My wife practices family medicine, and I find her job and mine to be startlingly similar.

We both are working in a field where the perfect is unachievable. If you let me design a company (not an IT department or some systems, but an entire company) from the ground up, on a piece of paper, I could make it totally secure. And a medical professional could design a totally healthy human. It's the reality of life that makes things difficult. We are exposed to risk because that's how we do business or live our lives.

As for the medical people trusting the pharma companies... security people are just as guilty when it comes to trusting our vendors. For every security vulnerability there's a product you can buy! And they're happy to show you a nice ROI and let their own pro services do the install for you.

Of course, real security people know that risk isn't best addressed by a tool, just like medical professionals know that real cures don't come from chronic medication. But when you've got 100 risks to address without proper staffing, or when you have a doctor seeing 35 patients a day, sometimes the quick fix is all that's available.

Anyway, just my thoughts on the subject, from a guy who thinks the medical field and the security field are practically the same thing.
Javvad Malik

Thanks everybody for your comments - it's discussions like these that make things so interesting.

@Robb, great comment and I have the utmost respect for your views and articles. I do agree that there are many similarities between infosec and the medical professions. However, I will respectfully disagree that they are practically the same thing.

There are two reasons for this.

1. Medicine faces a losing battle. i.e. we are all going to die at some point. Nothing can change that. So the objective of doctors isn't really to "save" lives, rather it's about making life more comfortable over the years. Doctors won't even entertain the thought of immortality, whereas when you're dealing with information it is possible to maintain security indefinitely (at least in theory).

The second and more important reason in my view is the fact that with medical issues there is a very high emotional attachment. You could be a Sony exec for example, be breached left right and centre - at the end of the day it's unpleasant and embarrassing, but nothing you can't eventually recover from. You can throw money at it, get in some great security experts and fix all your problems eventually.... now take that very same person and tell him his newborn baby has *insert a chronic disorder here* meaning they will never lead a normal life and have a low life expectancy.... no matter how much money he throws at it, he can't fix the problem. It's something he has to live with every day. It eats away at a person's soul right to his core... there is nothing but helplessness, anger, acceptance, despair... sometimes all at the same time.

A doctor has the option to say, "sorry there's nothing we can do about it"

An infosec professional can't.
Krieger

Hi Javvad, great post. However, I respectfully disagree. :)

My rationale: http://hackeroutfit.wordpress.com/2011/07/07/we-have-not-failed-as-an-industry-we-are-right-on-par/
Javvad Malik

@Krieger:
I'd reply with an analogy within an analogy within an analogy a bit like inception... but last time I tried that I didn't get the "kick" and had to wait 30 years before getting back out!

Sorry, I digress ... what I'm saying is I like your post and have no retort :)