Skip to content

Code of Conduct Part 1

Codes of Conduct at conferences make me angry. They make me angry the same way I have to be given warning that this coffee is served hot, and not to use the chainsaw on my genitals. These exist because somewhere, a grown human being did something to warrant the need for warnings like this. Perhaps it is my work environment, or the people with whom I choose to spend my time. I have worked hard to make sure I am not spending time with people who need to be told that peanut butter contains peanuts. I do not like the way as an attendee I am impugned by default simply for attending.

The part I really hate? They're needed, and there should be one for the staff as well (Captain Crunch, and those who kept boys away from him instead of dealing with the issue, for example).

In life, individuals should have their own code of conduct. The idea is to regulate their own behavior based on the environment in which they exist. This harkens back to simple ideas like putting There Be Dragons on a map. Depending on who you are, your code of conduct may say to stay away from physical threats, or to train to be better able to face them. A baker's may contain a maxim about early to bed and early to rise, as the goods need to be fresh when people wake up. A politician may (but generally doesn't) treat every mic as hot, and that what they say around recording equipment will be broadcast and transmitted. It is no different in Information Security.

As my career as evolved, I have - so far - built up a list of eleven maxims that apply to a career in Infosec. These eleven maxims, in structure akin to Gibbs' Rules in NCIS, have guided me through my career, and kept a light on in dark places where all other lights go out (audit check box security). Everyone should have their own set of rules that applies to their life and their work. As one thinks about it, they should be written down. I've developed these over the course of a decade. If I thought about it, I'd probably have more, but they cover wide areas, and generally apply to life as well as Infosec.

Maxim 1: Give your adversary every opportunity to make a mistake.

I came up with this idea whilst spending leisure time years ago playing a certain collectible card game. In this game, each color of card lent itself to a specific strategy. One of the most popular, focused on control, and took a very different understanding of the game. The most common way to defeat someone is to reduct their life total from 20 to 0. Some tried to do this as fast as possible, some tried to do this by surviving to the mid game and playing a nigh unstoppable strategy. The control player took a very different tack. They would let an opponent exhaust their resources over the course of a long game. The opponent's strategy would become clear early on, and the control player just had to survive. They knew that an opponent could blast them for 19 in one shot, so long as their life total didn't go to zero. The difference between 20 and 1 was negligible in compared to the difference between 1 and 0. The opponent understood the nature of the control player's strategy, but the factor of the unknown always stood in the way, and in a long enough game ultimately led to mistakes. It was the job of the control player to capitalize on each and every one of these. If the control player ended the game at 1, and the opponent 0, the control player still won.

The same is true in Infosec. The difference between Reconnaissance and Command and Control is negligible compared to the difference between Command and Control and Acting on Objectives. Up until an adversary starts doing what they intended to do, they can still be caught and any damage is a learning experience. Much like that collectible card game, the adversary has a limited bag of tricks, based on the bias of their own experiences. If an adversary gets stopped trying to send in a spearphishing e-mail, there's strong odds that they will try again. If an adversary runs an nmap scan to see what's accessible from the system they now control, once they move to a neighboring system, they will likely do the same thing rather than check the system registry for RDP targets the usual user of that account engages regularly. Does an adversary pull credentials from active memory versus offline SAM cracking (turn on LAPS, please). Some have a wide skill set and tool set, but that variety can also be an indicator. Institutional defenders should have solid visibility in their networks to be able to see these anomalies. Whether you stop them at the Delivery phase by blocking the e-mail or have the user report it as a phish, or you prevent the compromised system from downloading the malware or attacker toolset from Command and Control, you still win the engagement. An adversary need only trip up once, so long as you are ready to capitalize on that mistake.

Maxim 2: We deal with the world as it is.

Corollary: We work to create the world we want.

One of the hardest parts of being poor, is explaining to your kids why someone else has something you can't have: vacations, a new car, designer clothes, or the latest iPhone while you have an old LG. Most people fall into the trap of whining about how it is unfair, and thus there is no point to trying to compete in a world where the scales are so far tipped against you. In doing so, there are a myriad of mistakes being made. First, a person is measuring themselves against an impossible standard. You can't compare outcomes when the starting positions are different. Fair or not, the mindset should be about making one's situation better, and living better than one did the previous day, not benchmarking oneself against others. Second, They automatically assume the one against whom they benchmark themselves didn't make sacrifices (wise or otherwise) to be in the situation they are in, i.e. how deep in debt do they have to be to maintain that lifestyle. Third, people take on a nihilistic approach. I can't get to where that person is unless I win the lottery or a miracle happens, so I won't work to make incremental changes that will improve my situation over time. Daddy I want an Oompa Loompa now!

In Infosec, the hardest things to do are to go to conferences or events and network with peers and hear that they have their own pen test squads internal, and they don't outsource code reviews, etc. What kind of resources do they have in play? Even better, listen to how leadership tries to benchmark themselves against industry peers from a purely spending standpoint without looking at a capability standpoint. I remember working for an ICS company where the budget for IT was baselined against their top competitor. They only spend 3% on IT, so we only spend 3%. That was the only metric. The maturity of IT, and what they defined as IT, wasn't even a factor. They may have been comparing apples to apples, more likely apples to rutabagas, or potentially apples to oil filters.

The right thing to do is to measure where you are now, where do you want to be, and how do you get there. Build a plan based on on where you need to be and the resources available, not to push management based on what Google has.


I had taken the SANS Threat Intel class last year. In that class, it was mentioned that a best practice was to take a senior, mid level, and junior team member from the SOC and IR to work as part of a team doing threat intel for a time. Then rotate with another senior, mid level, and junior, to give fresh perspectives and everyone a shot. All while having enough people left to run the SOC and IR functions. With the exception of the guy from Google in the class, everyone had this glazed look like they don't have that many people in Security, much less in varied disciplines with a rotational capability. People were measuring themselves against the resources the instructor had at his day job (a well known very large silicon valley firm), and measured themselves (incorrectly) as wanting. Apples to oil filters.

---End Aside---

When benchmarking against these other companies, we don't see the differences. Are we established and they are new with no controls and flush with VC money? Are they beholden to one or two investors who demand a certain image, or that they work in an area of expensive real estate like San Francisco? Are they blowing their budget on marketing without investing internally? (Google, their stadium naming rights, and their Super Bowl ad). Remember, just because they're trying to make us think they're holding four aces, doesn't mean we're not playing chess. A great hand in their game can be worthless to us.

Nihilism is a danger to an Infosec professional. Our education can easily take us past the capabilities of our controls, and much like a kid who understands calculus being forced to sit in an advanced algebra class, we can lose interest and become stunted. This is where personal responsibility comes in. The goal should be to maximize the capability of the current controls, while continually educating yourself to be able to justify the better controls and how they will be of value. Like the student stuck in class, we shouldn't fall into the trap that we can only learn and experiment on company time. Yes they should invest time and money into your education. So should you.

Nine more maxims to go. To be continued ...


Leave a Reply

Your email address will not be published. Required fields are marked *