9/2/06

Top Six Reasons Why I Hate Network- and Computer-Security

In Stating the Obvious, I said that "Information Security … experts are constantly stating the obvious," and that "This will be one of 'Top Ten Reasons Why I Hate Computer and Network Security,' which I will blog next week."

Well, I actually only have six, after e-mail from friend and colleague, Marcus Ranum—and I didn't blog them "next week." I present them in no special order.
  • We state the obvious.
  • We talk about and rehash the same old stuff.
  • The field is full of pseudo experts who are not really experts or who talk like they are not.
  • We focus on the presenting problem.
  • We are enamored with statistics—any statistics.
  • We look or hope for government to save us.
I've already talked briefly about the first. I will expound the others in future blog entries.

Experts

This is the third of the Top Six Reasons Why I Hate Network- and Computer-Security

Those and the following, I believe, are examples of my thesis: the field is full of pseudo experts who are not really experts or who talk like they are not. A recent (yesterday, as I type this) example is a quote from a former colleague, now with Gartner, about application proxies. In the article App Proxies: No Reviving the Dream, John Pescatore is quoted as saying, "When a new vulnerability comes out, you may have to rewrite the proxy. You can't put in proxy rules that can anticipate unknown" This shows either a horrible misquotation or a colossal misunderstanding of the basics of application gateway security.

That is to say, an application gateway proxy implements a controlled subset of a protocol. It is not interested in anticipating behavior; it only allows certain, specific behavior and rejects everything else. That is fundamental to its security and why it should be attractive: a new vulnerability that relies on a command, option, or argument outside the implemented subset is blocked without anyone having to know about it. Don't we know that? Surely, John does. I fussed about lack of firewall knowledge in experts back in November 2003 in the blog entry What do we think firewalls do?. I wrote in part about this problem across the board in network security in this Institute for Applied Network Security column.
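To make the distinction concrete, here is an added example (mine, not code from the original post or from any product the post mentions) that filters SMTP command lines two ways: a signature filter with a deny-list of known-bad commands, and an application-gateway style allow-list that implements only a defined subset of the protocol. The sample command lines, the signature list and the allowed-subset table are all constructed assumptions for illustration; the only outside fact used is the 512-octet SMTP command-line limit from RFC 5321.

```python
"""Signature filter (deny-list) versus application gateway (allow-list) for
SMTP command lines. Added example; all rule tables and inputs are constructed."""
import re

# Constructed sample command lines (not captured traffic). The last three are
# things a legitimate client in the assumed deployment never sends.
SAMPLE_COMMANDS = [
    "HELO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.org>",
    "DATA",
    "QUIT",
    "VRFY root",                     # on the signature list: known, blocked
    "XFOO " + "A" * 600,             # on no list: unknown to the signature filter
    "MAIL FROM:<alice@example.com",  # malformed argument (missing '>')
]

# --- Approach 1: signature filter. It must be extended for every new problem,
# which is the "rewrite the proxy" situation the quoted analyst describes.
KNOWN_BAD = [
    re.compile(r"^VRFY\b", re.IGNORECASE),
    re.compile(r"^EXPN\b", re.IGNORECASE),
]


def signature_filter_allows(line: str) -> bool:
    """Allow anything that does not match a known-bad signature."""
    return not any(p.search(line) for p in KNOWN_BAD)


# --- Approach 2: application gateway. Only a defined subset of the protocol
# exists as far as the inside host is concerned; everything else is rejected
# without the gateway needing to know why it might be dangerous.
MAX_LINE = 512  # RFC 5321 limit on an SMTP command line, including CRLF

_MAILBOX = r"[^<>\s@]{1,64}@[A-Za-z0-9.-]{1,253}"
ALLOWED_SUBSET = {                       # verb -> grammar its arguments must match
    "HELO": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "EHLO": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "MAIL": re.compile(rf"FROM:<(?:{_MAILBOX})?>"),  # empty reverse-path allowed
    "RCPT": re.compile(rf"TO:<{_MAILBOX}>"),
    "DATA": re.compile(r""),
    "RSET": re.compile(r""),
    "NOOP": re.compile(r""),
    "QUIT": re.compile(r""),
}


def gateway_decision(line: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one command line under the allow-list."""
    if len(line.encode()) + 2 > MAX_LINE:
        return False, "line exceeds protocol maximum"
    verb, _, args = line.partition(" ")
    pattern = ALLOWED_SUBSET.get(verb.upper())
    if pattern is None:
        return False, f"verb {verb!r} is not in the implemented subset"
    if pattern.fullmatch(args) is None:
        return False, f"arguments to {verb.upper()} do not match the subset grammar"
    return True, "in subset"


def gateway_allows(line: str) -> bool:
    return gateway_decision(line)[0]


def compare(lines=SAMPLE_COMMANDS) -> dict[str, tuple[bool, bool]]:
    """Map each line to (signature filter verdict, gateway verdict)."""
    return {l: (signature_filter_allows(l), gateway_allows(l)) for l in lines}


if __name__ == "__main__":
    for line, (sig, gw) in compare().items():
        s = "allow" if sig else "deny"
        g = "allow" if gw else "deny"
        print(f"{line[:40]:<42} signature={s:<5} gateway={g}")
```

Running it shows the point of the paragraph: the signature filter stops only the two commands someone already wrote a rule for and passes the unknown verb and the malformed MAIL argument, while the gateway rejects both without any rule naming them, because they are simply not part of the subset it implements.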

So, we have security experts who are less than expert out there. Some are in that boat because they are or were expert in other fields and then "security" became more lucrative and/or interesting. Some, because they studied and took a test and got "certified." I mention this under the "certification" bullet in Security Redux, in which I say,
Certifications. They are great, especially if you do not have the opportunity to expose your knowledge at conferences and in print. But, they are no substitutes for experience. I know someone who has a CISSP but zero practical experience. It doesn't make this individual a bad or useless person. But it certainly does show.
See, it is easy to be a network security expert nowadays. Anyone can do it.

And, would you say that the state of security on the network is improving, degrading, or staying the same?