The year was 1995 and I was relatively new to information security; in fact, back then it was only part of my job, along with setting up network gear, web design, and general system administration. I worked in a small ISP and web design company and wore many hats. I remember this incident clearly because, even though at that time I was a Usenet veteran and a member of many mailing lists, I don’t think I’ve ever been flamed so badly previously or maybe even since. However, I had joined an infosec mailing list and had the audacity to say something along the lines of: I don’t understand, if you want to, for example, secure DNS, wouldn’t you have to have a good technical knowledge of how the DNS system, named, BIND, and everything that goes into DNS works?
For the next week I had all manner of angry e-mails and back-and-forth telling me what little understanding I had, how naïve my views were, how if one just knew the basic principles of security they could be applied to everything, and how the details didn’t matter. Wow, I figured, I have a lot to learn about security. It’s now 18 years later, I’ve been doing this stuff for over 20 years now, and the one thing I’ve learned since then was just how right I was in the first place.
In the past 20 years I’ve cringed at thousands of bad decisions made by those who don’t know quite enough to do their job effectively. I’ve fought wars with those who think they have an understanding of certain concepts, but do not. I’ve seen how this lack of technical understanding leads to terrible risk assessments. Likewise, I’ve seen people with somewhat decent technical skills who have no ability to communicate risk to their peers or to their superiors.
This talk will illustrate examples of bad risk assessment, the problems it creates, the money it wastes, and hopefully provide some workable solutions for replacing horrid common practices with good ones.
Rob Havelt is a 20-year information security industry veteran. He is a founding member of Trustwave’s SpiderLabs. Formerly a bourbon-fueled absurdist, raconteur, and man about town, currently a sardonic workaholic occasionally seeking meaning in the finer things in life...