
The future of Infosec

  • 10-10-2012 12:57pm
    #1
    Closed Accounts Posts: 3,981 ✭✭✭


    I have a feeling the Infosec bubble is going to burst soon. Right now it consists of individuals who know how to run automated tools for penetration testing. Unsurprisingly, a lot of these individuals don't actually know how to code too well, and have more than likely rarely written exploitation code. For these people, when the bubble bursts I don't believe it will be too pretty.

    The skilled individuals in the infosec community are the ones who are writing the automated tools and libraries for exploitation.

    Regardless, I believe that the future of Infosec is code auditing after Dev and before QA - code will not be merged until it is audited, then it will be moved over to QA and allowed to proceed through the life cycle. I believe this is already starting to happen in some firms in Silicon Valley, as it has benefits over trying to find holes in existing applications/products after go-live.

    What do you think the future of Infosec is?


Comments

  • Registered Users, Registered Users 2 Posts: 4,660 ✭✭✭Gavin


    Security is never going to go away. There will always be criminals. Computer security is only going to increase as computers become more and more integrated into our lives. A perfect example of this is how Android malware is increasing, both in numbers and sophistication.

    'Cyberwar' as it's called is escalating. Targeted attacks are increasing. Run of the mill online frauds are increasing. Banking trojan activity is increasing. Security is not all about exploits and code auditing as your post seems to imply.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Gavin wrote: »
    Security is never going to go away. There will always be criminals. Computer security is only going to increase as computers become more and more integrated into our lives. A perfect example of this is how Android malware is increasing, both in numbers and sophistication.

    'Cyberwar' as it's called is escalating. Targeted attacks are increasing. Run of the mill online frauds are increasing. Banking trojan activity is increasing. Security is not all about exploits and code auditing as your post seems to imply.

    Everything you detail above exploits vulnerabilities in code. Granted, phishing attempts often require the user to click on something. Malware often operates in a similar fashion and often spreads by exploiting "zero day" exploits in Operating Systems.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    I don't know if infosec is going to be obsolete, but certainly as the percentage of techies educated in infosec practices grows, so too will the number of nefarious types with access to the same information, and we will see increasingly ingenious ways of bypassing the automated systems.

    I agree that code review/input is required at, or at least close to, the dev stage. Secure code is good code :) but not all exploits can be found at the coding stage; some only become apparent later on as some other interacting process on a system gets updated or altered.

    Infosec will always be needed but I think there will come a tiering of infosec. Pentester A with his automated scanner will not be equal to pentester B with his custom exploit code written for that particular client, similarly, security admin A with the "how to harden MS Server 2012 for dummies" book will not be equal to security admin B with end to end network, hardware and software security practical experience.

    The sooner we have a national standard (like CREST in the UK) with practical testing and a practical experience requirement along with a solid professional code of conduct, the better imho.


  • Registered Users, Registered Users 2 Posts: 4,660 ✭✭✭Gavin


    [-0-] wrote: »
    Everything you detail above exploits vulnerabilities in code. Granted, phishing attempts often require the user to click on something. Malware often operates in a similar fashion and often spreads by exploiting "zero day" exploits in Operating Systems.

    You over-estimate the users! Android malware very, very rarely uses exploits. Banking trojans are spammed out, often just attached either as executables or in zip files. People still click on exes willy-nilly. There's no need for an attacker to use exploits to install malware. Yeah, the attackers do use exploited pdfs/docs in spam too, but not very often. Having said that, web-based exploits are a serious delivery mechanism for malware, no doubt about it.

    My point is that pen testing and auditing are just one element of security. They do seem to be areas which are more abused by amateurs/jokers perhaps than other areas.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Pick up any programming book. Turn to Appendix A and it will say "Use sprintf instead of printf as this is the more secure version of the function". Security is tacked on at the end in most cases.

    I worked in Infosec, defending the network, and basically gave it up because I felt like the little boy with his hand in the dyke. Now I am a pen tester, and it's actually become so easy it isn't even fun any more. I don't spend hours manipulating flags on TCP packets to trick the firewall. Instead I hire a couple of pretty ladies to hand out promotional USB drives with my embedded malware in front of the target company's headquarters. Despite being told not to, someone always plugs in the disk and executes the program on a work computer. Always.

    There's an arms race: the evil hackers are always exploiting new flaws in software, but until companies stop hiring humans there will always be a flaw in the system.

    I used to work in a company that was the victim of a spear phishing (basically a targeted spam campaign), and a director (not some guy in packing, but a director!) clicked on a link telling him he had won an iPad. He already had an iPad, but he thought his wife would like one, so he clicked the link. A director in a multi-million dollar company. Needless to say he got infected. Until people stop doing stupid things like that, Infosec will be needed.


  • Registered Users, Registered Users 2 Posts: 1,689 ✭✭✭JimmyCrackCorn


    Instead I hire a couple of pretty ladies to hand out promotional USB drives

    ttiwwop


    With it being such a diverse field, can you expect everyone to have a background in multiple operating systems at the kernel level?

    Also networks, social skills, reporting, business development, risk analysis, multiple software languages, web applications, social engineering, fraud.......

    Like any career, strengths will be in some areas and not others, and, like software, how good they are will vary wildly.


    Do I think it's OK to run tools and call it a pen test? Yes and no. It's OK if that's what you paid for and expected, fair enough. Would I pay for that? Not a chance.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    syklops wrote: »
    Instead I hire a couple of pretty ladies to hand out promotional USB drives with my embedded malware in front of the target company's headquarters.

    Ah, no fair. How can the firewall compete ffs

    ;)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Director of IT: "What's your read on the situation, Director of Information Security?"
    Director of InfoSec: "My read on the situation is you made me and my team redundant 6 months ago because you spent the security budget on an all-singing, all-dancing firewall. I only come to these meetings because I don't like the way my wife's cat looks at me."


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    LoLth wrote: »
    I don't know if infosec is going to be obsolete, but certainly as the percentage of techies educated in infosec practices grows, so too will the number of nefarious types with access to the same information, and we will see increasingly ingenious ways of bypassing the automated systems.

    I agree that code review/input is required at, or at least close to, the dev stage. Secure code is good code :) but not all exploits can be found at the coding stage; some only become apparent later on as some other interacting process on a system gets updated or altered.

    Infosec will always be needed but I think there will come a tiering of infosec. Pentester A with his automated scanner will not be equal to pentester B with his custom exploit code written for that particular client, similarly, security admin A with the "how to harden MS Server 2012 for dummies" book will not be equal to security admin B with end to end network, hardware and software security practical experience.

    The sooner we have a national standard (like CREST in the UK) with practical testing and a practical experience requirement along with a solid professional code of conduct, the better imho.

    Very good points.

