Re: My Frustrations

On Wed, Dec 17, 2008 at 2:19 PM, Adriel T. Desautels
<ad_lists@xxxxxxxxxxxxx> wrote:
I recently wrote this blog entry and wanted to get some comments from
readers of this list. I'm frustrated with the caliber of the people that are
offering security services and posing as experts, thats the subject of the
post. Please comment, insult, whatever... I'm interested.

Adriel T. Desautels

As security curmudgeon pointed out, this is not a new problem. I think
it has gotten worse with the advent of PCI and other requirements. A
rush of companies wanting to "buy" security.... "how much is 10 pounds
of security please?". Nature abhors a void. I've seen competent people
at large firms and I've seen competent people at small firms.
Conversely I've seen incompetents at both types as well.

I've pretty much always worked client side. I think the answer is that
it really comes down to caveat emptor. Most potential clients don't
even have the ability to ask the right questions and parse the
answers. Even if someone hands them the questions they may have
difficulty evaluating the answers. There are ways for client side
staff to mitigate the issue.

The first is to participate in local IT security groups. I'd offer as
an example The Northeast Ohio Infosec Forum which meets once a month
( Maybe 30-40 people show up at a meeting.
Mix of vendor side and client side. This provides someone local an
opportunity to ask questions (who do you use for ______ and what do
you like/dislike about the service they provide you). Ask enough
different people about someone and you should start to get a sense of
whether they are real or memorex.

This also works if someone checks around on companies that are not
local...use lists, forums, etc.
Ask for references.... and check them.

Attend conferences. Blackhat would be a good choice for meeting other
client side folks and comparing notes. If someone wanted free they
could go to that one put on by the searchsecurity folks in Chicago
each year or something comparable.

Anyone remember gobbles rant at DC10 (I might be off a year) about not
getting paid for "doing security" like others? What about CDC or other
folks back in the day? They certainly didn't look "professional". They
didn't act professional. They certainly knew what they were talking
about in the areas they were talking about, doing or writing

Remember the discussions about whether a "real" security company would
hire a hacker?

I'm going to assert that over time things will sort themselves out.
The incompetents will be weeded out (because their clients will suffer
pain and sue them perhaps...or break their kneecaps). The barrier to
entry will probably rise a bit higher.

This too shall pass.

I guess in fairness someone should do a blog post about the clients <G>.

H.D. if you don't want clients checking up on postings then use a
pseudonym, preferably one that you hold a little close. I don't make a
big deal about hiding behind this one. I jsut use it to show that my
postings are personal and not on behalf of my employer. Another
alternative to the issue is to have closed lists where the
participants are vetted. I'm on a few of those and they vary in
quality as well... go figure.

Just a few rambling thoughts.

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now