One of my absolute peeves with information security is buzzwords. You hear them in meetings. You hear them in the media and read about them in news articles.
They drive me crazy! Not because of the word itself…but because of what they represent.
Buzzword: “an important-sounding usually technical word or phrase often of little meaning used chiefly to impress laymen” – Merriam Webster
What brought this subject up is an article I read by Joshua Goldfarb. Joshua is the Chief Technical Officer (CTO) of emerging technologies at FireEye.
Joshua’s article is titled “Hacking is Sexy, But Defending is the Grown-up Thing To Do”.
“I’ve lost count of the number of conferences that exhibit, discuss, and celebrate hacking.” – Joshua Goldfarb
Hacking is a buzzword. Much like pen testing, APT, phishing, and even cyber security. It’s a “sexy” way of saying something so people can relate to certain information or topics without knowing the details.
Now, don’t get me wrong. As much as buzzwords irk me, they do have their place. They’re not as bad as I’m making them out to be.
I use buzzwords like anyone else. I use them when I’m briefing customers or clients. I even use them with some of my co-workers. I use them often when I know folks won’t understand what I’m talking about.
The Problem With Buzzwords
Here is where I think the problem lies. I think security professionals use buzzwords as a bandage for a lack of understanding. Because it makes us sound smart and competent. Especially when we aren’t really sure what to say. But it doesn’t fix anything!
My view is that security professionals use buzzwords for two reasons:
1. A lack of knowledge and understanding about security.
2. To communicate with the “layperson” about security.
I’ll explain why I think that. And I’ll start with a good example.
Let’s say you’re testing the security of a system. You find that you are able to access something you are not supposed to. What do you call that?
Many people call it hacking. But really, it’s just unauthorized access. Nothing more.
Why? Because you didn’t “hack” anything. The system simply failed to check whether you were allowed to reach that object, and you walked in. You didn’t use any particular skill to access it. But some “buzzword professionals” will argue that it is hacking. Because it sounds cool, sexy, and hip. But it’s simply not correct. And a “layperson” wouldn’t know the difference.
Here is another example, from the other point of view. A buzzword can be useful in this case.
If you’re trying to explain to a client or customer how someone:
1. Picks a target and tries to break into a server, and fails
2. …then tries to steal data from another server, and fails
3. …or tries to deny service by bringing communications down, and fails
4. …then tries…
You get the picture. Rather than explain every little step in that scenario, you just say Advanced Persistent Threat (APT). It sounds sexy, it applies in this scenario (the “persistent” part is the point: the attacker keeps trying until something works), and the client can easily research it.
Buzzwords Vs. Implementation
If you say “hacking” or “APT” to a security professional, they’ll respond differently. Professionals already know the focus of hacking or APT. How you are defending against those things now becomes the conversation.
See the difference? Professionals fix problems, not talk about them.
In the first example, the buzzword falsely represents a “hacker”. The second example shows when a buzzword might be useful.
Ok, so where am I going with all of this? 🙂
Knowing the “what” of security is good for a conversation. But knowing the “how” is where security really happens.
Don’t get me wrong, you need to have knowledge. But applying that knowledge is where I am going with this.
Most security professionals I work with seem to get lost in the terminology, rather than learn how to implement actual security.
What I think Joshua is trying to say in his article is buzzwords are for show, but defense is the responsible part of security.
In other words, buzzwords are a “bandage”. And applying security implementations that protect and defend your system is what matters. Don’t get lost in terminology. Focus on security implementation.
I believe Joshua is 100% correct when he says “defending is an important piece of the security puzzle that is all too often missing from the broader dialogue.”
Fixing the Problem
Good security takes a lot more than just sexy words. It takes a specific mindset that most struggle to understand.
So how do you adopt that mindset? Or any other security mindset? And how do you learn to apply that knowledge on an actual system?
It takes practice and experience. I know that answer sucks, but it’s the truth. But there are things you can do to develop that security mindset. You can switch from the impressive conversation to an impressive system security posture.
First and foremost, understand the attack vectors (buzzword alert!)
An attack vector can be anything.
“An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome.” – TechTarget.com
It can be a web page, an email, a database connection, or a compromised server. It can also be an untrained system user, a leaked or reused password, and so on.
But many of us get caught up in protecting every system component on the planet. And then use buzzwords to describe it. Thumbs down to that approach.
Instead, we should identify the most valuable targets. Then figure out how they can be attacked.
Start Thinking Defense
If you have Personally Identifiable Information (PII) in a database, ask: how can an attacker get that data? What would they have to do first? Which path would they take? What would happen if a user handed an attacker their password?
Start asking those questions and put security controls in place to prevent it.
Learn the technologies. Learn about all of the ways that data (or any other target) can be compromised.
Learn about the OS, the database, the network. Where are the holes in security? Is it the configuration, the network path, or a badly configured database?
Figure out how to implement security to best protect your system. This is the defensive security mindset.
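The questions above (what is the target, how can an attacker reach it, which control stops each step) can be written down and checked rather than just talked about. The script below is an added example, not code from the original post or from Joshua Goldfarb’s article. It models a PII database as the target, a handful of hypothetical attack steps drawn from the vectors listed above (a phished user password, SQL injection through a web form, a server compromised with a leaked admin password), and a set of control names. All step and control names are constructed for illustration. It then enumerates every remaining attack path for a given set of controls, so you can see which paths are still open before and after a control is put in place.

```python
"""Enumerate attack paths to a PII database and see which controls close them.

Added example with constructed data: the steps, capabilities and control
names below are hypothetical and are not taken from the original article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    name: str
    requires: frozenset   # capabilities the attacker must already hold
    grants: frozenset     # capabilities gained once the step succeeds
    blocked_by: frozenset  # any one of these controls stops the step


def cap(*names: str) -> frozenset:
    return frozenset(names)


# Constructed attack steps for a web app in front of a customer database.
STEPS = [
    Step("phish a user's password", cap(), cap("user_password"),
         cap("phishing_resistant_mfa")),
    Step("log in to the app as that user", cap("user_password"),
         cap("app_session"), cap()),
    Step("export every customer record from the app", cap("app_session"),
         cap("pii"), cap("per_user_authorization")),
    Step("inject SQL through the search form", cap(), cap("db_query"),
         cap("parameterized_queries")),
    Step("log in to the server with a leaked admin password", cap(),
         cap("server_shell"), cap("ssh_keys_only")),
    Step("read the DB connection string from the server", cap("server_shell"),
         cap("db_query"), cap("secrets_vault")),
    Step("dump the customer table", cap("db_query"), cap("pii"),
         cap("field_level_encryption")),
]


def attack_paths(goal: str, steps=STEPS, controls: frozenset = frozenset(),
                 _seen: frozenset = frozenset()) -> list:
    """Return every ordered list of step names that yields `goal`.

    Works backwards from the goal: for each step that grants it and is not
    blocked by an active control, recursively find paths for each of the
    step's requirements and join them. `_seen` guards against cycles.
    """
    paths = []
    for s in steps:
        if goal not in s.grants or s.blocked_by & controls or s.name in _seen:
            continue
        partial = [[]]  # paths satisfying the requirements handled so far
        for req in sorted(s.requires):
            req_paths = attack_paths(req, steps, controls, _seen | {s.name})
            # Merge sub-paths without repeating a step two requirements share.
            partial = [p + [x for x in q if x not in p]
                       for p in partial for q in req_paths]
            if not partial:
                break  # a requirement is unreachable, so this step is too
        for p in partial:
            paths.append(p + [s.name])
    return paths


def remaining_paths_to_pii(controls: frozenset) -> list:
    """Attack paths that still reach the PII with the given controls in place."""
    return attack_paths("pii", STEPS, controls)


if __name__ == "__main__":
    for ctrls in (frozenset(),
                  cap("phishing_resistant_mfa", "parameterized_queries"),
                  cap("phishing_resistant_mfa", "parameterized_queries",
                      "field_level_encryption")):
        print(f"controls: {sorted(ctrls) or 'none'}")
        for path in remaining_paths_to_pii(ctrls) or [["(no open path)"]]:
            print("  " + " -> ".join(path))
```

With no controls the model reports three open paths; MFA plus parameterized queries leave only the compromised-server path; adding field-level encryption of the PII columns closes that one too. The value is not the tiny graph but the habit: name the target, write down the paths, and attach a specific control to each step instead of a buzzword to the whole problem.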
And the more you work on this, the better you get at it.