Recently I was presenting at a large conference and a sponsoring vendor's sales rep made the comment, in front of peers and friends alike, that I painted a gloomy picture of the state of security in organizations. When I asked him what he meant, he said "In short, you sell FUD." - Being a member of polite society, where it's frowned upon to begin dunking an offender's head in the community punch bowl, I asked him if he cared to expand on how anything I had spoken on would constitute "FUD". He then informed me that he had "not been able to see the presentation, but knew the type." -- A note for sales reps: "know what you're talking about before you go poking an extremely jaded Information Security professional" - just saying.
So how did I respond in this case? I decided the best way was to just "Slay the FUD Dragon!"
That's right - it's time for an accounting, and guess what? Accountability Sucks.
So I'm going to approach this by dispelling what is "FUD" vs. "what is really going on". The information I'll share and speak about is not vendor backed, sponsored, endorsed or approved. I definitely know it's not going to be welcomed by most business leaders who take the stance of "plausible deniability", and I know I'm probably going to upset one or more people.
So what is FUD? Fear, uncertainty and doubt (FUD) is a tactic used in sales, marketing, public relations and general propaganda campaigns. It is used in an attempt to influence others by disseminating negative, dubious or false information.
So let's define these terms to level set the stage and further clarify the definition:
"negative" -- harmful or bad.
"dubious" -- not to be relied upon; suspect.
"false" -- not according with truth or fact; incorrect
Now, for those of you who aren't familiar or who have never attended any of my trainings, presentations or ramblings, I don't sell or endorse any specific technology; I actually tend to remain vendor agnostic. I do however leverage real world experiences and events from the various projects, consultations and engagements I have been directly involved in. These are the topics to which I tend to speak on and they are pulled right out of those engagements (names changed to protect those of course).
So I had this sales rep, who we'll call Jack Weasel, who accused me of promoting FUD. Jack Weasel actually works for a well known, global Information Technology security vendor - one that has had its own share of security issues in the past few years. He hadn't seen my presentation and was speculating and guessing. At this particular venue I was presenting on the issues regarding the improper, and often overbearing, emphasis on Compliance versus that of Security, specifically in regards to penetration testing -- not the "we'll run a vulnerability assessment tool against the network" type of penetration testing but the Red Cell/Team mentality -- basically, what the bad guys are doing. So this included everything from physical intrusion, insertion of specialized equipment, multi-tiered social engineering campaigns, wireless, web application; basically everything short of actually kidnapping an employee and threatening them with bodily harm.
It's what I like to call the business driven pen test, because we're not going after the regulated "toxic" data right off the bat. We're going to get a way in, pivot around your environment, and start siphoning off intellectual property and sales information like customer databases, statements of work, contracts and board minutes; basically everything that makes your business unique and valuable, long before going after commodity information like credit cards. By the time we're siphoning off the credit card or personally identifiable information, we've already established command and control of the network.
Now, while I agree this sounds "spooky", "scary" or even a little "FUDish" - let's keep things in context and perspective -- the purpose of information security is to protect information, specifically yours and that of your customers. If you throw up the FUD flag, it's probably because you're concerned that things are not as "secure" as you would like, but here is the flip side of that coin: if you don't address it, it will not go away. Ignoring a problem didn't work when you were a child and it sure as hell doesn't work when you're responsible for a business.
I hate to be the bearer of bad news, but the Internet is not made up of rainbows, unicorns and fluffy bunnies. The Internet is full of criminals that operate like a business; they have their own forms of currency, everything from cold hard cash, to bitcoin, to your enterprise's systems that they can whore out and make a buck on.
If you disagree, then by all means, voice it. I don't know everything, but I have a lot of experience and exposure within the Information Security industry. I thrive on debate and discussion (along with large amounts of un-sweet iced tea and nicotine), as long as it remains professional.