SecureState Blog

Read SecureState's award winning blog.

After having attended yet another Defcon, I find myself a little frustrated. While I am a geek at heart, I am not a Linux chugging, code puking, trench coat wearing, hair dying, multi-pierced hardcore guy like many. But then again, I am not alone. Though many like to think it’s still ‘underground’, it really hasn’t been for quite a while. Security isn’t just an IT thing any more and its gaining ground in the business world. Hence there are many security professionals and vendor in attendance. So this year, I specifically set out to find that business side of security. As to being undercover, no I would not be a winner in the ‘spot the fed’ contest. I am just a security auditor that was hoping to hang out with my coworkers, learn a few things, and do a little networking.

Now I have to preface my story with some important information. Every night typically ended with the sun rising, my buzz fading, and my alarm looming just a few hours away. So perhaps I was a little tired, hung over and grumpy going into each morning – though I’m generally grumpy according to most anyway :) Still, I made my way to the conference, grabbed my new-fangled badge, and hit my first presentation. The abstract was very promising as the presenter alluded to the fact that compliance != (does not equal) security. Certainly he had a strong starting point. But, he tripped coming out of the blocks. The rest of the presentation turned into an angry IT guy condemning every standard, every certification, and pointing out how stupid and useless auditors are.

Now I’ll be the first to say there are many auditors working in areas they should not be. I think we’ve all had to deal with the Big X auditor/kid straight out of college that can’t seem to discuss anything outside the verbiage in his checklist. But it’s just as annoying to have someone unqualified lecturing about compliance. It does not make any sense to compare strength of compliance based on the length of the standard. Nor should you compare an IT standard against a security standard. And you shouldn’t even bring up standards that you don’t even know what the letters stand for. Again, I’ll be glad to raise my hands and tell you all the flaws with all the standards like my recent post on PCI. But I have at least had to actually work with those frameworks. I suppose it’s just a different view when you are subject to them.

During the rest of my Defcon experience, it was also peppered with more compliance bigotry, even from the likes of professors. But that’s not to say there weren’t some great ones too. One was on a new tool to find and perhaps exploit ModBusTCP devices on SCADA systems. That certainly piqued my interest with all the NERC CIP compliance work we are doing. There were a couple different presentations that covered different problems with RFID including devices that go beyond just cloning prox cards but also doing site codes brute force attacks on common card codes. I think the best presentation was ours – only because I got to see our head geek get pummeled with lemons for his sins against humanity. Don’t ask :) After all, what happens in Vegas…