Channel: Evolved Thinking » Facebook

Welcome to SIN City. The Stupid Shall Pay


Heckling the dumb in the land of Lost Wages

This blog is inspired by Paranoia by Black Sabbath.

Las Vegas was full of a whole different kind of sin last week. (Is SYN too on-the-nose for you IT security vets? SYN…ACK! ACK! ACK!)

SANS Network Security 2010

SANS Network Security 2010 was the first of hopefully many conferences/classes for me to learn about the best and worst in the world of IT security. Great presentations. Eye-opening exercises. Plenty of career-enhancing connections. And more than a little chest puffing.

I do have to say that while I moved from blind victim (on the casino floor and off) to keenly aware malware target after my week in Vegas, I hopped on the plane home thinking that some of the most talented security practitioners, penetration testers, and provocative presenters the IT world has to offer didn’t do much to change my perception held since the days of Y2K that those who make and break the rules on the Interweb are separated at birth or at least genetically aligned with Nick Burns, Your Company’s Computer Guy. Brash. Caffeinated. Eager to prove worth. Equally fired up for the putdown of the uneducated.

The event brought IT security neophytes like me together with a cadre of command-and-control smarties to seemingly perpetuate inferiority complexes, self-proclaimed guru statuses, cyber terror bed wetting and group basking in schadenfreude for middle school years gone wrong.

That’s not to say that instructors and classmates in total weren’t welcoming, helpful or accommodating. In fact, it was a lot like speaking broken Spanish in an English accent while on a week-long sabbatical in Cancun. “Oh..look, he’s trying. Isn’t that cute? Bien Bien, Pobrecito.”

Layer 8 is People! It’s People!

But what stuck with me more than a corn syrup-soaked “Ctrl” key was the rampant use of the word “Stupid” when referring to people who use computers…business or personal keytappers. “End Users” – Layer 8 in a Seven-Layer Security Model – are perpetually on the outside looking in through a technically opaque window of safe and sane computer usage.

OK, admittedly, “End Users” like me, mom, dad, my Facebook and LinkedIn buddies and eager-to-assist Tweeps, aren’t doing ourselves any favors in the IQ elevation process when we send money to Nigeria or naively become money mules despite an email rife with typos and the hard-to-fathom promise of a few hundred bucks for a few minutes’ time.

That being said, it would be cool if The Lords of LAN and WAN would drop a few non-malware-laden breadcrumbs of Internet security wisdom to make our computers, companies and governments a little smarter at spotting the worm on the hook.

Ya feel me:

Let’s just agree now. Nobody benefits from stupidity.

Stupid may seem like job security at first for the SysAdmin or his bosses who know all the answers. That is until he or she gets chewed out when a Distributed Denial of Service attack — unleashed when the uninformed click on “Funny Video.exe” attachments in their work Outlook account — keeps the boss from sending an important e-mail. Let’s all take a page out of the stupidity-killing handbook of Chris Hadnagy, operations manager at Offensive Security, and his Social Engineering 101 Q&A with CNet Senior Writer Elinor Mills earlier this summer.

Another guy to lean on is former Washington Post reporter and IT security demystifier Brian Krebs who always manages to do his job without the slightest bit of condescension.

I’m pretty sure all of us in IT security are only as smart as our least informed coworker, which may just be the person signing your checks. Or your recently socially engineered Halo 3 cohort and IT security pal. See you in the shadows.

