Coming to TV soon: Tiger Team

March 28th, 2007

Recently, I had the opportunity to hang out with a friend I hadn’t seen in years, Ryan Jones. Over a few beers at a local pub, Ryan, our mutual friend Tim, and I caught up on what’s been going on in our lives, other old friends, and recent happenings. Ryan is one of those guys who it’s easy to be a little envious of, because he has seen and done it all, and has the stories to prove it. Right now he’s got one of those dream jobs for any security geek: penetration tester.
Ryan is skilled in various areas of both electronic and physical security, and he gets to use both in his 9-5. Needless to say, when he talks about his job, it’s clear he’s very happy. And, we’re not just talking about remote testing over the Internet either. He’ll dress up in a suit and tie to sneak into the target’s offices, gather information, and learn faces and names. Then that information will be used to get deeper into the client’s environment, both physical and electronic, until the test goals are achieved. Anyway, over drinks and after discussing what little he could about his latest assignment, Ryan showed us the pilot for a TV show called Tiger Team that he had filmed with some co-workers for a cable network. In the pilot, Ryan and his co-workers are tasked with breaking the security of an exotic car dealership without being caught. I won’t spoil how it ends, but think of it as Sneakers with a much younger cast, and some interesting behind-the-scenes looks at what it really takes to break physical security, done in real time and completely real. It’s an interesting watch, and I suggest keeping an eye out for it. When the plans for airing it are finalized, I’ll post more information on it.

Security Absurdity, part II

November 29th, 2006

I started this blog almost 6 months ago because of another article I read entitled “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security” by Noam Eppel. Unfortunately, I was so busy moving that I never got the chance to write up the response I wanted to. On the whole, I agree with his assertion that Information Security is a failure, but I disagree with some of his points. 6 months, to me, is a little too long to post comments now. However, today he posted a follow-up based on the responses he received from his previous post, and it’s an interesting read. It is located here.

Again, I don’t agree with him entirely in some areas, but it’s important to read viewpoints different from our own from time to time to make us analyze what we believe and see if it still holds up.  You’ll find my comments in his comments and feedback section, but I’d like to expand on them here.

Addressing “But It’s Not My Fault!”

First and foremost, I think placing blame on Information Security professionals as being responsible for the problem isn’t necessarily accurate or appropriate.  As a consultant, I’ve worked with many companies.  Some of them take information security seriously and some do not.  In almost all instances, the desire for a security culture comes not from management, but from people working in the trenches.  Management, traditionally, wants to be “secure enough,” and that’s usually in relation to some form of regulatory compliance like HIPAA or Sarbanes-Oxley.  We can suggest as many secure solutions as we like, but ultimately the business makes the decisions on what to implement and how it is implemented.