no business interest in catching threats

I only skimmed this article (mostly because of where it came from), but this line really caught my eye:

No one has a business interest in catching identity thieves or malware
writers. There’s no money in it, so no-one’s bothered.

I would also add, while some of us would help and/or deal with threats, we just can’t or don’t have that authority. Bejtlich is one of the notables who talks about dealing with the threats instead of vulnerabilities. He makes a ton of sense and I agree with him, in theory, I just don’t think most of us have any opportunity to deal with the threats beyond identifying them with guesses.

liaise or die 2!

Cutaway (possibly the only other guy on the Catalyst forums who gets away with using his screen name!) had a really cool post that I wanted to save here. The part that caught my eye:

I think that the work Ed Skoudis, HD Moore, David Maynor, and other security researchers are doing helps us identify products whose solutions have inherent, accidental, or misguided problems so that we can protect ourselves. But, unfortunately, their work does not instill the uninformed upper management with confidence in the security field. Actually, it probably has them all cussing under their breath. Of course this is where the security professional should be earning their keep by providing a buffer between the constant barrage of seemingly negative information and the actual state of the organization’s environment.

I am seeing there are numerous roles forming in IT and security. First, you have your IT geeks who actually do stuff (researchers or implementers). You have your business managers who keep an open mind about business and security (CSO/CIO). You have your trainers who deal with people. And you have your liaisons between those groups. I think those liaisons are the newest group and the subject of recent focus on “being more business knowledgeable” topics.

C-levels don’t like this news, but let’s all face it. Security is never going to be perfect. The best illustration is to look at the security of those C-levels’ homes. Are they foolproof? No. Do they make mistakes like leaving windows or doors open even when they’re not home? Yes. Just like everyone else. And if they do have an alarm system, does that preclude their relatives or the security installers from being able to circumvent it should they be determined to do so? Or thieves from just barging in regardless of the alarm klaxons? Security is not something you can achieve and forget about. It is ongoing, and it is risk management.

Business hates hearing that because too often they take the very human approach and think, “Gosh, why bother spending money on this junk?”

That’s where I think the liaisons come in. Just like Cutaway says, they buffer most of that negativity, but I believe they also try their best, along with the trainers, to make sure everyone knows security is not like a light switch, either on or off.