How radically different approaches play out across the security industry.
Three things happened to me before Black Hat 2014 to bring the entire NSA / Edward Snowden drama back to the forefront. The media reminded us of the one-year anniversary of the original Snowden leaks. At the same time, I saw newly retired General Keith Alexander deliver a keynote at the Gartner Security and Privacy Summit, where he gave an in-depth post-NSA speech with several months of civilian life under his belt.
In June, I also hiked to the summit of Mount Snowdon in North Wales after speaking at AppSec EU in Cambridge, UK. The spelling is different, but I could not help but loop “Snowden/Snowdon” in my mind a thousand times on the way up and down the mountain. I could only shake my head…
Much has been written about the Snowden affair, including some of my own thoughts about the impact on the security community. I also had some tongue-in-cheek fun at Black Hat 2013, when General Alexander delivered his memorable speech. Black Hat 2013 showed me how differently members of the security community reacted to General Alexander: A third of the way through the General’s speech, the ex-hacker sitting next to me, dressed in jeans and a black t-shirt with a clever security quote, stood up and shouted “Bulls$*#!” He effectively scared the aforementioned expletive out of me and sent all eyes our way.
I’m an ex-Air Force intel officer who was fortunate enough to serve in the original Air Force Computer Emergency Center in the mid-90s. I have long known that there is a difference between ex-military and ex-hackers. Yet for my entire security career, I’ve worked very closely with friends who came up via the other side of the house. I learned there was a difference when I attended my first DEF CON in the late 90s with an ex-hacker consultant friend. He knew everybody there; I knew no one. In 2000, the DEF CON crowd loved it when I was “spotted” and dragged on stage to be interrogated by Priest.
How are ex-military and ex-hackers different? For starters, security guys with a military background are more likely to have a “traditional career.” This typically includes a degree from a four-year university, a series of jobs with certifications, and the formal recognition one would expect of a military person.
Hackers, some of them at least, might have an opaque history before they turned 18 (I learned a long time ago not to probe). They have handles; the military guys don’t. They learned in informal and unstructured ways, but are likely to be more technical than their ex-military counterparts. They largely disdain security certifications, and rarely do you see them making a special effort to sit for the CISSP exam. If they do become a CISSP, they likely won’t put it on their business cards, if they have them (ex-military guys always do).
Vive la différence!
Never bound by constraints, a hacker’s approach to security testing is more likely to be spontaneous and free-flowing. The classic penetration test is a prime example of this hacker ethos. There are many ways to get to root access, and penetration testing is unconcerned with which path you take, as long as you get there.
Military guys, on the other hand, are likely more comfortable with traditional risk assessments that attempt to methodically capture all obvious risks. This follows more of a checklist mentality, with defined objectives, a formalized testing methodology, and up-front training of consultants for consistent results. The two answer different questions: a penetration test proves that at least one path to compromise exists, while a risk assessment aims for coverage of the likely ones, and neither substitutes for the other. These two approaches play out across the industry; the sophisticated security person knows they both have their place and knows the difference between the two.
Military security guys have held the highest clearances and believe the world is a dangerous place full of bad people who do not like us. Hence NSA, for example, gets the benefit of the doubt. They might view the world through a good-guy/bad-guy lens, and feel less comfortable talking to gray- or black-hatters who might actually have valuable threat information about zero-days or about the security of one’s own organization.
Ex-hackers, however, have no problem engaging members of the underground community; in some cases they were once part of it. So hackers are likely to have access to information that ex-military security folks don’t have.
There are countless examples of the differences between security guys from the hacker and military worlds. And, yes, generalizations are still generalizations. At conferences like Black Hat, DEF CON, and B-Sides we see these characteristics in stark contrast. However, a savvy security practitioner understands that while there may be differences, we can put both to work on behalf of our organizations and, most importantly, the greater good.