by tptacek 1072 days ago
The other bad thing they do is encourage technologists who aren't security subject matter experts to invest in programs and tools that aren't valuable, either at their current state or, in some cases, ever. They create the impression that there is an important checklist of things that most companies need to have, and if such a checklist exists, not one of these frameworks captures it.
1 comment

Yeah, unfortunately a lot of checkboxes only serve to expand the attack surface in many cases.
> a lot of checkboxes

Yeah, I'm self-taught on this stuff, but I've started to think that's not all bad. I literally downloaded every one of the NIST 800 series, the FIPS series, the CNSSIs, all of it, and went through everything to figure out what connected with what. Most of it is pretty damn obvious. You should secure your internet-facing servers, sanitize inputs, never hold actual passwords in a database, use some form of 2FA, etc.

But there are a lot of dudes with degrees in "cyber-something" or "IT something" who lord over me with their government-bestowed positional authority (I'm just the clinical informatics physician with an undergrad in physics from a top school and teach machines to diagnose disease, trying to deploy things to actually save lives, so what the fuck could I possibly know about the dark arts of cybersecurity? "Oh, god, here he is talking to us about numbers again, borrrringgggg. I bet he's going to ask us when the GPUs are going to be on contract. Again. Like, bro, we'll get to it. Later.")

Come to find out a lot of these fuckwads speed-click through their ATO checklists. Shockingly, the timestamps on the checkboxes are all on the Thursday afternoon before the Tuesday "surprise" inspection that happens the same week of the year every time, run by the guy who they used to work for at the last gig.

And then the guys actually trying to get shit done get drowned by the 50 fucking drones who all show up to the weekly meetings and pipe up with their 30 seconds' worth of input. And the guy trying to actually deploy product spends the rest of the week establishing that the drone didn't actually know what the fuck was going on in the meeting and just blurted something out at the appropriate moment, relying on the last 30 seconds of banter to guide his statements.

Not that I'm bitter or anything...