A former auto mechanic turned IT pro, Jack Daniel ventured into InfoSec with roles in network and systems administration, network security and security consulting. He is a CISSP and Microsoft MVP for Enterprise Security. For six years, he served as the director of the National Information Security Group (NAISG). He also worked as a community director for the Internet security company Astaro AG.
A long-time member of several technology and security communities, he is perhaps best known as one of the co-founders of Security BSides, alongside Mike Dahn and Chris Nickerson, who introduced a new framework for community events in 2009. Named for the B-sides of records (78s and 45s -- remember them?), the free events were designed to promote participation and collaboration among passionate security people, both experienced practitioners and those new to the field. The Security BSides events, which have sponsors but no exhibits, continue to attract security professionals worldwide.
Daniel is also a co-host of the Security Weekly podcast and the author of the Uncommon Sense Security blog. He has worked as a security strategist at Tenable Network Security Inc. since 2011, contributing to the company's SecurityCenter and monitoring consumer IT trends. He is in good company at Tenable, where he works with Marcus Ranum, who caught up with the technology community organizer to vent about the "industry" and contemplate new ways to help it move forward.
Marcus Ranum: I see your BSides conference as sort of an anti-conference, a vote against the big marketing extravaganzas, and an opportunity for actual practitioners to get face-to-face and exchange ideas.
First off, I'm glad to see that spirit hasn't completely died out in security. But what can we do to continue keeping things real? Is the strain on credibility just getting too great, or is it possible to maintain an active grassroots community?
Jack Daniel: It is hard to watch the state of security while trying to make things better and not get, at least, a bit jaded. I think that, just as with the attackers, money has dramatically changed the security industry. Attackers used to be old-school hackers having fun and earning notoriety. Now attacks are no longer the realm of hobbyists. Organized crime and nation-states are more likely to be our adversaries, with a few 'hacktivists' thrown in (but some of those are distractions made by the professionals designed to cover or delay discovery of the main attacks). Computer security has evolved from being primarily a government and military concern, which was integrated with computer operations, to being everywhere; and it supports a large and diverse commercial marketplace.
At this year's RSA Conference, RSA President Amit Yoran said, 'The security industry has failed.' But he's wrong.
He said that to make a point, but 'industry' is an economic construct and, economically, the security industry is doing great. Unfortunately, much of the industry has failed to actually advance security.
These factors lead to a lot of fatigue with the commercialization, the constant attacks, and the inevitable bickering and infighting within the community. I think communities and events, which focus on people doing interesting things and minimize the commercialization, have exploded in recent years as a reaction to the fatigue we all have. As an example, Security BSides strive to avoid sales pitches, even from sponsors. Instead, we focus on the content, the local community and conversations. There have been [more than] 200 BSides events in [less than] six years; that tells me there was a void to fill. That said, it is great to see most of the big 'business of security' conferences trying new ways to engage their communities.
Ranum: One of the other problems I see with maintaining a good grassroots [community] is that we endure a constant stream of wake-up calls: Have you heard that so-and-so got hacked? Oh my God, what a surprise!
How do you keep from getting cynical when the security industry starts to act like a bunch of ambulance-chasers?
Daniel: I think a healthy dose of skepticism is needed to be good at InfoSec, and that skepticism often grows into cynicism after some time in the trenches. Things like the 'breach du jour' hype only fuel this descent into cynicism. We need safe venues to vent and commiserate so that we can go back to fighting the battles, knowing we're not alone in our frustration. We also need to out the worst offenders in the ambulance-chasing industry. It may not stop them, but we need to try. … Obviously, I don't object to people who have the nerve to expect to make a decent living while trying to help secure organizations, but I feel that too many forget that making money is only part of what we're supposed to do.
I think one of the keys to managing cynicism is to encourage people to have some fun and dig into things that interest them. A lot of the smaller conferences have workshops and presentations that are outside of the normal scope of security talks, but they are things people are passionate about, and it shows. For example, I've done a well-received series of talks and workshops on bitters, classic cocktails and home bartending. Of course, that leads to a discussion of substance abuse in our communities, but that's another conversation. I also think we have a habit of using computers in our hobbies as well as for work. That means we never get away from them. That is not healthy -- mentally or physically. Cynicism, combined with exhaustion and inefficacy, is one of the key indicators of burnout. We don't have enough hard data yet to know if our communities suffer more or less than other professions, but some of our friends and peers are suffering and that isn't good for any of us.
Ranum: I remember when we first started having big announcements about break-ins and everyone got excited. Now I wonder if anyone really cares; we all understand it can happen to us if we're not on top of our game. But it seems as if the security media is addicted to (still) reporting the breach du jour. I think that the practitioners get it, and [they] are pretty much rolling their eyes in disgust every time someone starts to hype a new breach or vulnerability. Is it too late to do anything to keep the situation real?
Daniel: There certainly is a level of breach fatigue. But you're right, the reporting continues unabated. It isn't surprising; we have had a decade of handwaving Patch Tuesday reporting and very little of that was useful. The breach reporting has moved into mainstream media, and the hype has grown as the accuracy of the reporting has frequently fallen. Sadly, we do need to pay some attention to the bad reporting so that we know what nonsense we'll have to correct when people ask us about the latest world-ending breach. One immediate danger I see is that now the general public finally has awareness of the state of security, but with the current nonsensical reporting I expect people to return to ignoring security issues as background noise.
It is often difficult but you can frequently sift facts from the hype. I believe that is what we need to do -- find the nuggets of insight in the stories and pay attention to the people who offer real value in their commentary.
Ranum: What's depressing to me is that so little of security reportage is about root cause analysis and teaching. Frankly, I don't care if some organization lost 10 credit cards to some scammer or 10 million to a government intelligence service. I am hugely skeptical about such claims, anyway.
What I wish the news covered is how the problem happened: Was it a flaw in this or that or the other thing? Was it a result of bad configuration management or sloppy Web/SQL coding? It's as if we're worrying about how much blood is being spilled on the floor, when we really should be asking why so many of us are standing in the line of fire or where the bullets are coming from!
Daniel: The 'If it bleeds, it leads' mentality applies to security reporting, too. I fear that many in the media simply don't have the expertise to do a decent job reporting on the details, and many professionals who comment on reports do so without enough details to make credible statements. Sadly, we aren't alone in this; the 24-hour news outlets will fill time with anything or anyone, so reporting is frequently horrible or, at least, horribly diluted. Sharing of meaningful information is one place where our adversaries are way ahead of us.
Another factor is that so much of what we do is under NDA [non-disclosure agreements] that the people who know what happened are often unable to speak about it. For all of the talk about information sharing, I think the 'FrieNDA' has done more for sharing relevant data than any program or project from industry or government. I know some of the CERTs and ISACs do good work and expect that to continue and grow, but personal contacts bring context and trust to information sharing that can't be automated.
One aspect of the reporting that frustrates both of us is the emphasis on attribution; we've both written and spoken about it. The bottom line is that attribution is often hard, and a lot of the time spent debating attribution for attacks would be better spent doing root cause analysis and taking steps to prevent recurrence.
Tools like Verizon's VERIS [Vocabulary for Event Recording and Incident Sharing] Framework are great for post-event analysis and data sharing, but I think a much simpler framework would be good for sharing basic information that would be useful to others. It would be great to get basic information from as many incidents as possible: How did they get in? How did they move around, and what did they take or break? Once there, organizations might be more likely to do a full VERIS or other framework analysis and share that later. As much as I would like to see a lot more useful analysis, there is also a problem with detailed reporting: How many times do we need to hear 'initial infection vector was SQL injection/phishing/unpatched browser?' I fear fatigue has set in there, too.
Ranum: I remember when I wrote 'My Comments on the breach at [$Company_Name$]' and it got tweeted and retweeted by pretty much everyone in security. That tells me that I'm not the only person who is getting jaded and cynical. What about the new generation? I look at things like BSides, ShmooCon [and so on] as [the events] where the life and energy in the next wave of security is going to come from.
Daniel: A lot of us are pretty jaded, and we have plenty of reasons for that. The challenge is to keep trying to make a difference in spite of being jaded. Events which bring people together to share ideas and information, especially in smaller gatherings, help recharge and educate us. The events themselves don't need to be small, but they need to encourage smaller gatherings and foster conversations. A big part of the success of events like ShmooCon, DerbyCon, BSides and others is that they foster great 'LobbyCons,' where people get together outside of the formal tracks and events, and have real conversations.
These more conversational events are great places for new people in the field to meet experienced professionals and enthusiasts to connect, learn, and start or advance their careers. I am especially happy to see the proliferation of new speaker development programs at events like BSides. First-time speakers are paired with experienced speakers to develop and deliver their first conference presentations in a supportive environment. The goal isn't to build more 'InfoSec rockstars' but to help people communicate better and display their expertise. The enthusiasm of many of the new members of the community and first-time speakers can be contagious for those who aren't too far over the cliff of cynicism. It reminds us of when this was all new and exciting.
Ranum: I almost sprain my eyeballs whenever someone says 'InfoSec rockstar'!
One last topic and this is a tough one: Do you have any idea how we can make security more inclusive? I worry a lot that it's always been a bit of a boys' club mentality, and that runs the risk of maintaining security's reputation as being a denizen of cliquish weirdos. Or didn't you know we have a reputation for that?
Daniel: Ah, an aging white dude with a mustache asking an even older bearded white dude about diversity issues; it's cool, we're aging white guys so we must have the answers. OK, we may not be the best people to discuss diversity, but it is a topic which needs to be addressed, and I know we both are genuinely concerned about it. It is uncomfortable to realize that in security we are quite tolerant of eccentricities (to put it kindly), but only an approved set of 'differences' are welcome. Men want to have big crazy beards, brightly colored Mohawks, ponytails, full sleeve tattoos or wear kilts at conferences? That's cool. Women want to go to events and not be made to feel awkward, embarrassed or even threatened? Sorry, that's asking a bit much.
We have many societal issues which set up the problem, and the security crowd exacerbates them. I remember my daughter being told that math was too hard for her in kindergarten; decades later I'm still mad when I think about it. Compound the challenges of gender stereotypes in STEM [Science, Technology, Engineering and Math] with the computing 'head start' many males get via gaming, and add in 'booth babes' and worse at conferences, and I can't blame women who choose to avoid or leave security and technology.
The challenge certainly extends beyond gender to race, ethnicity, sexual identity and orientation, religion and more. The tiny surviving bit of idealism I still harbor wants to enhance diversity because it is 'the right thing to do.' The big, pragmatic part of me sees that we simply do not have enough good folks to meet demand and it is stupid to exclude any candidates regardless of similarities or differences to our little cliques. In the end I think the challenge is to be just jaded and cynical enough to not fall for the hype and nonsense, but not so far gone that you stop trying to make things better.
About the author
Marcus J. Ranum, the chief of security at Tenable Network Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.