Everyone, Everywhere

In this post, I talk about my experiences in the information security community, particularly focusing on characters and behaviours. It might be interesting, so read on.

In the beginning

As I've written and spoken about many times, my journey into information security was more of a meander, followed by an accident and ultimately a story of pure determination. You can read all about that elsewhere on my blog, so I won't repeat it here.

An important thing to point out though, is that early in my career, I was the security bloke in an organisation, isolated from the wider world and purely focused on my own firm's security posture. Not a great place to be, but that's how it was. It wasn't until I attended BSides Manchester (UK) in August 2017 that I realised there were people like me out there. OK, I knew there were, but had zero exposure to them until that event. My mind was A. blown and B. expanded from that day forth.

Then came along Ian Thornton-Trump and Charl Van Der Valt - very experienced movers in the infosec community and people I could watch, listen and learn from. That's what happened. I also became introduced for the first time to Colette Weston, who brought a human dimension to what I had hitherto considered a largely technical community, full of nerds and people looking to make gains through h4x0r prowess.

What next?

Well, I went off and blogged, wrote presentations, delivered presentations and ultimately set up the thing that people now know as The Beer Farmers. More on that in a minute.

I got promoted at work, but this was in some large part down to being lively in the community, learning new things and then bringing those learnings back into the office, where we could improve ourselves. Be that through heeding Victor Gevers's advice around responsible disclosure, or just keeping an eye on fresh CVEs.

It all counts and in here lies a tip; being busy in the community is vital to your development as a security pro, even if all you're doing is listening and making notes. You don't have to be a serial poster, commenter or anything like that. Your personal development isn't about that. It's about learning and applying your knowledge to the greater good of whatever cause you care about, be it personal, professional, or a blend of the two.

The Beer Farmers

Back in August 2018, I proposed an idea to a group of peers and friends, that we create something that might take some of the dark edge off information security and maybe inject (pardon the pun) some fun back into it. Those friends were Ian Thornton-Trump, John Opdenakker and Sean Wright.

At that time, there was a hell of a lot of anger, one-upmanship and a general bad vibe kicking around our so-called community. Let's be clear - there still is.

The plan wasn't to cure all the ills, but to make an effort to bring infosec to people in a friendly way, offer guidance and support in a no-strings or hidden agenda kinda way and to just help rudder the ship a little, through good sense and good fun.

We started by making fun of ourselves as an industry. Not a hard thing to do, in truth. This seemed to attract a positive reaction, like "yeah, we are a bunch of miserable dicks aren't we?"

Yes, we can be at times.

But "we're all in it for the same reasons, right?"

Yes, we are, but it doesn't always feel like that.

Later on, we brought in both Andy Gill and Katie Moussouris, purely to add quality to what we were doing. More experience, more knowledge.

Conflicting interests?

So, we all do different things in our industry (I'll interchange community and industry as I feel it's right) and our anxieties and aspirations differ, often considerably.

I'd like to think though, that the vast majority of people I know in our industry are in it to either or both protect the data privacy of companies or individuals. If you're reading this and neither apply, then fair enough.

All that said, we do appear to find it difficult to get in the trenches together at times. Be it due to a distrust of knowledge, skill or experience, or even simple PR, there seems to be a real problem with people getting on.

We need to tackle this. All too often, someone will pipe up, only to be battered down by people with more of a voice than a valuable contribution. All too often, a bunch of research, taking months, if not years, will be smacked into the ether by a glib gut punch from a total bellend.

This sets individuals back in terms of their confidence and willingness to engage and share their wisdom. If we're no better than this then we need to leave the mission and go do something else.

Conflicting interests? No, we're either in it together or we're not in it at all. If your interest is securing people's lives then stick around. If your interest is based around personal gain, then please disappear into your own null.


Now, here's an interesting thing; a firm suffers a data breach, infosec community loses its shit and flames the Twitter account of the firm involved in data breach.

Don't. Ever.

It's one thing to get all angry that company X has lost your personal data. It's another thing entirely to go at the firm on social media.

Far too many times have we seen (and we're all guilty of this) firms putting out flaky information around their recent data breach, only for the community to go mental at their social media accounts (chiefly Twitter). All fine, but what we often and quite tragically forget is that there's a person at the other end of the ire, trying to field quite frankly weapons-grade abuse from overly excited so-called professionals, when they aren't equipped to respond properly. This is a fact.

Twitter accounts (and the like) are more often than not operated by PR or marketing people. We all know this. Don't ever assume that there's a thick line between those people and the technology teams in the background that have fucked up. Also, when considering bending their minds with SQLi, XSS or whatever, maybe think about their state of mind, trying to handle a shit storm publicly with next to zero tools to do that.

Then after we've rendered their flesh, imagine them going home to a loved one and trying to explain what kind of day they had at work.

If they were even able to articulate how horrible the day was.

Again. Don't. Ever.

Be good people

It's not that hard. I think that if you're a pathological dick, then there's little hope. Most people aren't, in my experience. On that basis, it's just about adjusting behaviours and thinking "If someone was like that with me, I'd be kinda pissed off."

Don't assume people know the things you know, but respect that they know things you don't.

Understand that everyone has a set of anxieties and aspirations that may or may not hang together with your own. Unless they're downright odd, illegal or similar, go with them and where possible, support them.

InfoSec - we're all in it together.