Monday, July 17, 2006

How Do You Fit Into the Security Community?

I've spent some time beefing up my Bloglines feeds. As I look for people with ideas that could be useful, I'm reminded of the vast differences among those who would all presumably claim to be "security professionals." I am acutely aware of these differences when I visit security conferences, and I wrote about this phenomenon after attending USENIX 2003, Black Hat 2003, and SANS NIAL 2003 within a span of 30 days.

At the risk of being attacked for promoting stereotypes or hurting feelings, I decided to share a few thoughts on this subject. What group describes you?


  • Academics: This group consists of undergraduates, graduates, PhD candidates, and faculty. They tend to frequent USENIX conferences where they will be talking about the latest security protocol. They have ties to government organizations because that is the source of grant money. They write papers, mostly speak in front of other academics, and take deep looks at improving security technologies in formal and peer-reviewed ways. Academics obviously have formal training and they tend to have tinkered with security before joining this group.

  • Policemen: (Police women also fit here!) Policemen enforce the law. They like to talk about who they have "busted." They seem to often assume duties for which they are not prepared. They are overwhelmed by the amount of work they face, even though they are one of the few groups who can eliminate threats. Their organizations usually consider their work to be secondary to "real law enforcement." Sometimes their bosses don't even read email. Policemen tend to struggle to understand technology because they usually come from traditional police backgrounds, and their workload ensures no free time to tinker. Policemen often concentrate on host-based forensics, and they attend HTCIA and InfraGard conferences.

  • Government civilians and contractors: Government civilians and contractors obsess over certifications. They are most likely to be talking about CISSP, PMP, ISSAP, ISSEP, GIAC, and so on at ISSA meetings. They often perform certification and accreditation and don't understand why those processes are broken. Some of them are trying very hard to fix their agencies, but they struggle with political infighting and bureaucratic inertia. This group likes SANS and CSI conferences.

  • Warfighters: This is the uniform-wearing military. This group is youngish and skilled. Many of them would fit into the "hacker" category (see below) but they are definitely on the white hat side. They are sharp because their infrastructures are under constant assault. Unfortunately the military personnel system generally offers no career path to develop their skills and interests. This group tends to leave the military for the commercial or government worlds just when they are becoming real experts. Warfighters attend their own closed conferences but they also try to learn from their opponents at offensive-minded conferences like Black Hat or CanSec.

  • Hackers: To some degree all of the groups here would want to consider themselves "hackers," with the exception of policemen and some government civilians. (Being a hacker is supposed to be cool, but some consider it to be bad.) In reality, you know a hacker when you talk to him or her. Hackers tend to have extremely deep technical knowledge in very specific areas. A hacker might write his own compiler or debugger, but not follow sound system administration practices. (For example, a hacker might think it's OK to put all system files in a single partition on a production server.) Hackers are the source of real public innovation in attack methodologies, and they are extremely creative and unpredictable. Hackers are more likely to speak at conferences like Black Hat or CanSec, but they seem to be migrating to smaller or private gatherings. Hackers are some of the youngest members of the security community, but as they build families and get older they migrate to another group. When young they are either in high school or college. Upon graduation (from either place), hackers usually work as consultants. Sometimes they work directly for governments or the military.

  • Consultants/Corporates: This group includes those who work for security companies, and those who provide security services within non-security companies. Consultants and corporates are a very diverse group, drawing upon most of the earlier categories. Many corporates have general IT backgrounds and "end up" in security because they staff a one- or two-person IT shop. If they are serious about providing good services, and their employers agree, they tend to specialize in one or two areas. (Companies that expect consultants and corporates to be experts in everything should expect disaster.) This group is second to the government civilians and contractors in pursuing certifications, because they think clients will value them or their employers will reward them.

  • Developers: The last group creates security products, but I prefer to concentrate on those who participate in the design process. (Code monkeys who implement without consideration for underlying security principles aren't really security people.) Security developers are usually former members of the other groups, since serving two roles is too tough. Developers have decided they want to solve a problem encountered in their previous lives. They are very skilled in their work area, with depth of knowledge rivalling the hackers. Some developers are older hackers.


Did I miss anyone?

Keep in mind that some people may fit in one category while working in another category. For example, I know many "hackers" who are government contractors during their day jobs. Many consultants are like government civilians or contractors. Also note I do not consider any of these people to be the adversary. I will not be discussing threats.

I wanted to record these thoughts, because you can probably imagine the diversity of opinion suggested by this list. I have some ties to each of these groups, and they approach problems from very different angles. I have no way of knowing the sorts of people who read my blog, but in some ways I'm guessing few hackers, developers, or policemen read it. I could be wrong though.

I would be interested in hearing your thoughts, especially if you can help refine/define these categories. This is not some sort of formal taxonomy, just some ideas.

17 comments:

Tim B said...

Interesting categorizations. I suppose it is human nature to try to put diverse things into boxes. I would point out there is a huge population of IA folks who don't attend conferences at all, or blog for that matter.

I also notice that you have a rather negative slant on certs. I would point out that for consultants, especially in the Federal sector, these certs (for better or worse) do translate into real ROI. You can't bid on certain work, or be considered for RFP proposals without them. Not to mention that 'certophilia' by employers keeps qualified candidates from getting in the front door for job interviews.

Which box do you put yourself?

Richard Bejtlich said...

Hi Tim,

I am currently a consultant. I was previously a warfighter. I would like to become more of a developer and I have plans to become an academic, if they accept me. :)

Richard Bejtlich said...

BTW Tim, I just added your blog to my Bloglines.

Ron said...

I wonder...

I came at security from the systems administration angle (UNIX, of course). This was critical as I found myself supporting servers/clients rolling out web services in the early/mid-90s. Publicly exposed servers inspired much research into system hardening and the tools used to attack the servers. In addition was the monitoring/approval of CGI code deployed on these public servers.

This gave me more of a scripting instead of hard-coding background (odd how school chops fade if not regularly exercised...), as well as tool evaluation and use. I've followed the consulting/contracting path, which led to the acquiring of certs for the same reasons as TimB posted. But I'm not sure how many wandered here by the same path.

Thomas H. Ptacek said...

You forgot the Charlatans.

Richard Bejtlich said...

Tom -- good point, but I am trying to not be so overtly controversial. :)

Anonymous said...

I am a government contractor, and while I'm well aware of the problem with certs, I agree with Tim that a lot of contracts require a minimum number of employees with specific certification to even bid on the contract. This translates into employees being rewarded monetarily for certifications, which goes a long way to explaining why so many of us obsess over them.
I wouldn't say that I obsess over certs, but every cert I've gotten has translated into a large pay increase at the end of the year.

-- Kris

Richard Bejtlich said...

I understand the certification issue. I am not indicting the "group" (although I think the relationship between most certs and skills is tenuous at best). I am just stating what appears to be the case, based on my observations.

Jim said...

Unfortunately, I don't know the original source, but there's a theory that security people come from one of three backgrounds: Bits, Beans, and Badges. Bits are from math, science, or IT; Beans are from accounting, finance, or audit; and Badges are from law enforcement.

This categorization is fairly effective at predicting opinions on security issues. For example: should an ex-con give a keynote at a security conference? Badges will say no, because a criminal shouldn't profit from his crimes. Bits will say yes, since he has unique insights to share. Beans will want to know if he'll increase paid attendance at the conference (I kid).

There are exceptions, of course, but as generalizations go it's a pretty good one.

I think you've added another dimension: where the security person is working. If I were to categorize security people along your method, I'd make a matrix (Hi, I'm from consulting. We like matrices) with background (Bits, Beans, Badges) down one axis and environment (government, military, private sector, consulting, academia) down the other. The DoD, for example, surely has people with both Bits and Badges backgrounds. Academia has lots of Bits, a few Beans, and probably not many Badges. Consultants come from all three backgrounds, and have slightly different approaches depending on those backgrounds.

Looking at your list, I'd say they break down like this:

Academics: Academic Bits
Policemen: Government Badges
Government civilians and contractors: Government Beans and Bits?
Warfighters: Military Bits
Hackers: *wildcard* Bits
Consultants: Consulting Bits
Developers: Private Sector Bits

What interesting categories does that leave us? Probably Academic Beans (there are a few; economic approaches to security are becoming more popular), Consulting Beans, and Consulting Badges. Maybe Military Badges (who would probably resemble Government Badges).

Oh, add to the Consulting Bits category a tendency to overanalyze.

Richard Bejtlich said...

Jim,

That is very interesting! Thanks for your insights. I think I agree with you.

Dr Anton Chuvakin said...

That's pretty cool! How about studying the relationships between the teams? (or is that an Academic in me talking? :-))

Like, Hackers generally dislike Academics and Policemen. The latter dislike Hackers. And Hackers dislike them in return. Etc, etc?

Richard Bejtlich said...

Hi Anton,

I leave the real analysis work to an academic pursuing a thesis topic. :)

Dr Anton Chuvakin said...

On second thought - I'd separate the vendor security folks from the inside-the-corp security folks; the jobs are worlds away :-)

wpn said...

Boy, I'm just not sure where I fit into this at all, nor do I see a lot of the people I've worked with in these categories.

I see a lot more former sysadmins who end up as operations managers and then slide over into managing security. Mostly the path that Ron mentioned. More on the bits side, but not necessarily developers.

Me, I like just about every conference and try to get to a mix of them, as long as they have a high enough "bit" quotient. I'm less keen on industry-specific conferences such as government ones, since I think they tend to be more insular.

The general groups I mentally use are DoD and their contractors, academics, corporate (former bits or former beans), law enforcement, non-DoD government, vendor, and hacker (unaffiliated with any of the other groups).

DarthDemo said...

Thanks to online universities, the academics are being diluted by Government civilians and contractors who need a Masters degree to move upwards into management. This is evident by many online InfoSec programs pushing the (ISC)2 CISSP and a few other security certs. In my security career, I have evolved from Hacker to Developer to Academic. I too am in an online InfoSec program, but for the purpose of making myself more marketable to a security software company and not because of any managerial aspirations. Many Hackers and Developers have spent at least some time in academia, and the online environment for learning is especially appealing to those people of this mindset.

JD said...

Gee, I get to be in a box? Oh boy! I pick "corporate"! Seriously, though, I will admit to having mostly shifted toward this line of work at this stage in my life because of my current corporate environment.

xmaskiwi said...

I've discovered this late - from a reference you made recently. I see you thought charlatan was controversial. How about "wannabes & dreamers," which I unfortunately think is me.

I want to be more involved, read docs, listen to podcasts ... but unless I buckle down and start DOING stuff I'm not going to leave the dreamer camp.

New resolution for 2007 - get off my butt and play with more tools!!!