(In)Security in Practice: What the New School Is Likely to Look Like

In my last post I discussed what I called an “old school” security tool, WinArpAttacker. It’s a nifty MAC-layer tool for enumerating hosts, performing man-in-the-middle attacks, spoofing MAC or IP addresses – or detecting these exploits. But this is network security at the level of the oil-change mechanic. This kind of tool is still necessary, the way a ruler is still a useful tool.

What is “New School” security likely to look like? Consider what you know about security already: What single thing gives you the biggest boost in security? User education. What single element is the biggest barrier to effective security practices? Reluctant users. So what’s wrong with this model? Everyone’s motivations are pointing in different directions, leaving organizations vulnerable to simple manipulation of human nature.

Yes, you read that right. Human nature. Follow me out of the woods here.

You need to become (highly) aware of an organization called ISECOM (http://www.isecom.org/). It manages, among other things, the ongoing development of the Open Source Security Testing Methodology Manual. Essentially this is the brainchild of Pete Herzog, who is an internationally famous security researcher and teacher. What’s fascinating is that his education is in psychology. It seems like every psychology student, teacher or researcher I’ve met has been an exceptional infosec practitioner, and Pete’s the shiniest example.

There is a very nicely written Introduction to the OSSTMM Version 3 (recently released) at InfoSecIsland.com: https://www.infosecisland.com/blogview/7797-An-Introduction-to-OSSTMM-Version-3.html (with kudos to Michael Menefee). Sit down and spend some time studying this article. Consider some of these concepts: Trust Analysis. Defense in Width. Critical Security Thinking.

This is a whole different world, mates. This is a model that accounts for the charmer who suckers the front desk clerk out of a telephone list, for instance, as well as the botnet worm. Give it some thought, and if it strikes some sparks, drop me a line.