Description: Shmoocon 2012: Part 1 Doing Infosec Right
The offensive security geeks have had the spotlight for long enough. Yes, it's awesome that you found another 'sploit and written some Python shit. However, there are a whole lot of people working in the trenches and still following a manual that was poorly written a decade ago using equipment that doesn't do what the vendor said it would. It's time to change that.
It is possible to make Defensive Security into something more than the drudgery of a work-a-day job. Despite what you may think, it can be pretty damn sexy. Spend some time with this fully interactive threesome discussing how we can all do a better job with the tools and people you already have and make a difference in the security of organizations. Your participation is requested, expected and frankly required. We're going to be Doing Infosec Right.
James Arlen, aka Myrcurial, is a security consultant usually found in tall buildings wearing a suit, hackerspace founder, Securosis contributing analyst, Liquidmatrix columnist, Infosec geek, hacker, social activist, author, speaker, and parent. He's been at the security game for more than 15 years and loves blinky lights and shiny things.
Dave Marcus currently serves as Director of Advanced Research and Threat Intelligence for McAfee Labs. His current focus at McAfee Labs includes advanced research, threat intelligence projects, media and thought leadership responsibilities including social media technology engagement and research. In his spare time he collects guitars, is an avid powerlifter and is also a founding keyholder of Unallocated Space, a Maryland Hackerspace. He also enjoys practicing the art of lockpicking and is a hacker of things.
The big problem is integration and lack of it. An attacker can integrate his knowledge vertically. A defender has to integrate his knowledge horizontally (for ex. they will be network engineers or software engineers). There are lots of reasons for this (defensive security people tend to have been network engineers in a previous life, there's too much to learn for a defensive security guy to know everything, our career options tend to make someone specialize in one side of the OSI or the other, etc.), but the consequences remain the same. Attacks can avoid defenses by weaving up and down the OSI. Further, it's not just the OSI that is the problem - usability (and, hence, social engineering vulnerabilities) is another. Also, network engineers may know configuration data, but they aren't all that good with managing meta-configuration data (i.e. keeping network configurations synchronized with changes in project management). Software guys are better with that but that's because they are more exposed to spiral development and agile programming. On the flip side, there are aspects of security which require a more waterfall approach (expensive equipment purchases, for example). In a nutshell, the core problem with defensive security is the type of problem which faces integration of hardware and software development (i.e. management of configuration and meta-configuration data, integration of spiral and waterfall development models, etc.)