The InfoSec Blog

Why Info Sec Positions Go Unfilled

Posted by Anton Aylward

There are many holes in this, but I think they miss some important points.

First is setting IT HR to look for Infosec.
That is because many people think InfoSec is a IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate: "Should Infosec report to IT?" The overall decision was no;. Infosec might need to 'pull the plug' on IT to protect the organization.Risk management sub processes

Second there is the vast amount of technology claiming to do InfoSec.
It is all network (and hence IT) as opposed to business fulfilment. This has now spread to "Governance". You can buy governance software. What does this do for the ethical outlook of the executive, the board and management? How is Governance tied to risk management and accountability and visibility by this software?

Technology won't solve your problems when technology *is* your problem.

InfoSec is about protecting the organization's information assets: those assets can be people, processes or information.  Yes technology may support that just as technology puts a roof over your head (physical security) and somewhere to store the information.  Once this was typewriters, and hand-cranked calculators and filing cabinets, and copying was with carbon paper.  The technology may have changed but most of the fundamental principles have not.  In particular the ones to do with attitudes and people are the same now as they were 50 or 100 years ago.



In praise of OSSTMM

Posted by Anton Aylward

In case you're not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 - The Open Source Security Testing Methodology Manual -

There's an interesting segue to this at

Skip over his ranting about the definition of "hackers"

This is the meat:

Wewrote the OSSTMM 3 to address these things. We knew that penetration



testing the way it continued to be marginalized would eventually hurt
security. Yes, the OSSTMM isn't practical for some because it doesn't
match the commercial industry security of today. But that's because the
security model today is crazy! And you don't test crazy with tests
designed to prove crazy. So any penetration testing standard, baseline,
framework, or methodology that focuses on finding and exploiting
vulnerabilities is only perpetuating the one-trick pony problem.
Furthermore it's also perpetuating security through patchity, a process
that's so labor intensive to assure homeostasis that nobody could
maintain it indefinitely which is the exact definition of a loser in the
cat and mouse game. So you can be sure it also doesn't scale at all with
complexity or size.

I've been outspoken against Pen Testing for many years, to my clients, at conferences and in my Blog. I'm sure I've upset many people but I do believe that the model plays up to the Hollywood idea of a Uberhacker,
produces a whack-a-mole attitude and is a an example of avoidance behaviour, avoiding proper testing and risk management such as incident response good facilities management.

I've seen to many "pen testers' and demos of pen testing that are just plain ... STUPID.  Unprofessional, unreasonable and pandering to the ignorance of managers.

In the long run the "drama-response" of the classical pen-test approach is unproductive. It teaches management the wrong thing - to respond to drama rather than to set up a good system of governance based on policy, professional staffing, adequate funding and operations based on accepted good principles such as change management.

And worse, it

  • shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
  • has no guarantees about what collateral damage the outsider had to do to gain root
  • says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
  • indicates that your management doesn't understand or make use of a proper development-test-deployment life-cycle

Yes, classical hacker-driven pen testing is more dramatic, in the same way that Hollywood movies are more dramatic. And about as realistic!

"Crazy" is a good description of that approach.