Monday, 17 July 2006

How Do You Fit Into the Security Community?

I've spent some time beefing up my Bloglines feeds. As I look for people with ideas that could be useful, I'm reminded of the vast differences among those who would all presumably claim to be "security professionals." I am acutely aware of these differences when I visit security conferences, and I wrote about this phenomenon after attending USENIX 2003, Black Hat 2003, and SANS NIAL 2003 within a span of 30 days.

At the risk of being attacked for promoting stereotypes or hurting feelings, I decided to share a few thoughts on this subject. What group describes you?


  • Academics: This group consists of undergraduates, graduates, PhD candidates, and faculty. They tend to frequent USENIX conferences where they will be talking about the latest security protocol. They have ties to government organizations because that is the source of grant money. They write papers, mostly speak in front of other academics, and take deep looks at improving security technologies in formal and peer-reviewed ways. Academics obviously have formal training and they tend to have tinkered with security before joining this group.

  • Policemen: (Police women also fit here!) Policemen enforce the law. They like to talk about who they have "busted." They seem to often assume duties for which they are not prepared. They are overwhelmed by the amount of work they face, even though they are one of the few groups who can eliminate threats. Their organizations usually consider their work to be secondary to "real law enforcement." Sometimes their bosses don't even read email. Policemen tend to struggle to understand technology because they usually come from traditional police backgrounds, and their workload ensures no free time to tinker. Policemen often concentrate on host-based forensics, and they attend HTCIA and InfraGard conferences.

  • Government civilians and contractors: Government civilians and contractors obsess over certifications. They are most likely to be talking about CISSP, PMP, ISSAP, ISSEP, GIAC, and so on at ISSA meetings. They often perform certification and accreditation and don't understand why those processes are broken. Some of them are trying very hard to fix their agencies, but they struggle with political infighting and bureaucratic inertia. This group likes SANS and CSI conferences.

  • Warfighters: This is the uniform-wearing military. This group is youngish and skilled. Many of them would fit into the "hacker" category (see below) but they are definitely on the white hat side. They are sharp because their infrastructures are under constant assault. Unfortunately the military personnel system generally offers no career path to develop their skills and interests. This group tends to leave the military for the commercial or government worlds just when they are becoming real experts. Warfighters attend their own closed conferences but they also try to learn from their opponents at offensive-minded conferences like Black Hat or CanSec.

  • Hackers: To some degree all of the groups here would want to consider themselves "hackers," with the exception of policemen and some government civilians. (Being a hacker is supposed to be cool, but some consider it to be bad.) In reality, you know a hacker when you talk to him or her. Hackers tend to have extremely deep technical knowledge in very specific areas. A hacker might write his own compiler or debugger, but not practice sound system administration practices. (For example, a hacker might think it's ok to put all system files in a single partition on a production server.) Hackers are the source of real public innovation in attack methodologies and they are extremely creative and unpredictable. Hackers are more likely to speak at conferences like Black Hat or CanSec, but they seem to be migrating to smaller or private gatherings. Hackers are some of the youngest members of the security community, but as they build families and get older they migrate to another group. When young they are either in high school or college. Upon graduation (from either place), hackers usually work as consultants. Sometimes they work directly for governments or the military.

  • Consultants/Corporates: This group includes those who work for security companies, and those who provide security services within non-security companies. Consultants and corporates are a very diverse group, drawing upon most of the earlier categories. Many corporates have general IT backgrounds and "end up" in security because they staff a one- or two-person IT shop. If they are serious about providing good services, and their employers agree, they tend to specialize in one or two areas. (Companies who expect consultants and corporates to be experts in everything should expect disaster.) This group is second to the government civilians and contractors in pursuing certifications, because they think clients will value them or their employers will reward them.

  • Developers: The last group creates security products, but I prefer to concentrate on those who participate in the design process. (Code monkeys who implement without consideration for underlying security principles aren't really security people.) Security developers are usually former members of the other groups, since serving two roles is too tough. Developers have decided they want to solve a problem encountered in their previous lives. They are very skilled in their work area, with depth of knowledge rivalling the hackers. Some developers are older hackers.


Did I miss anyone?

Keep in mind that some people may fit in one category while working in another category. For example, I know many "hackers" who are government contractors during their day jobs. Many consultants are like government civilians or contractors. Also note I do not consider any of these people to be the adversary. I will not be discussing threats.

I wanted to record these thoughts, because you can probably imagine the diversity of opinion suggested by this list. I have some ties to each of these groups, and they approach problems from very different angles. I have no way of knowing the sorts of people who read my blog, but in some ways I'm guessing few hackers, developers, or policemen read it. I could be wrong though.

I would be interested in hearing your thoughts, especially if you can help refine/define these categories. This is not some sort of formal taxonomy, just some ideas.
