Modern Day Witch Hunting by CISSP Members Minus The Ergot
Back in 1692 a bad growing season (wet and cold) likely gave rise to the Salem Witch Trials due to a small fungi called ‘Ergot‘ In the 20/20 hindsight of some detective work on the history of the incident, one can then at least forgive some of the things that happened then due to poisoning and hallucinations from Ergotism. Today though, I wake up to see that Jaded Security has been accused of something akin to witchcraft in the CISSP world by someone who apparently is using the kings English to do it.
(see affidavit above.. Ironic huh)
Now, I am not personally familiar with Mr. Hugh Murray CISSP but I am told he is a relatively good guy, perhaps a bit on the aged side and leaning toward a “Hey you damn kids get off my lawn” stage in life, but generally ok. However, this little accusation and flinging of screen names linking Boris to Abhaxas (the alleged FL voting hacker) without ANY real proof is a bit much Mr. Murray.
Got some proof Mr. Murray? Because if you don’t you are just making yourself culpable in a legal action against you for slander.
Anyway, back to the CISSP ethics violation. I honestly don’t think you can call anyone out on this presentation at Bsides and I would like to outline some reasons why.
The failure of ISC and the CISSP with regard to ethics and the security business:
So, the whole point of ethics in the security business is to act ethically with the data we are charged to protect, its protection by proxy of what we are supposed to be teaching our corporate sponsors, and generally doing ethical business. However, what the CISSP, like the SOX regulations fail to do is really deal with the issues where the rubber meets the road. In SOX reg’s you have a simple paragraph on actual network/computer security, and in CISSP, you have;
Code of Ethics Preamble:
- Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Yeah, it’s about as good as the SOX section 404’s controls checks on technical security. Really, the CISSP code of ethics equates more to the Bushido code than it does to anything relevant in todays digital security space.
- Martial arts mastery,
- and… Honor unto Death
At least in the 17th century, the Samurai took their code seriously enough as to commit seppuku when they had lost face. Today, just how many of the CISSP’s out there, including those who are running the program are willing to be so honour bound to their code?
In a sea of ethics violations by major companies *cough* Wall Street *cough* you sir are going to get bent over a presentation that covers the potential for gaming a system and how to, by proxy, spot it?
Platitudes Mr. Murray… Might I remind you that you have broken your own trust with them using the accusation that Boris is in fact Abhaxas without any real proof?
Consider yourself reminded.
Information Security, Hacking and Pen-testing: The Triumvirate of FAIL:
My second point here is that the code of conduct put forth by ISC2 says that CISSP should not consort with hackers, perform hacking, or generally go against the ideal that they have set forth from their ivory tower. I say to you (ISC2) that your thinking in this matter is clouded considering the very nature of what we, ‘the security industry’ is trying to do… Well, at least the subset of people who are doing the real work of penetration testing, reverse engineering, and other areas that ISC2 feels a little twitchy about as it may be portrayed as ‘unethical’
Let me remind you that attending conferences with hackers does not an unethical person make. As Boris pointed out, the conferences, though shunned by you, are also used as CPE credits that you allow.
Just how is that ethical? It is in fact rather dodgy in my book.
How about you re-think your position and clear your collective souls and allow for these salient facts:
- If I attend a hacker conference, it does not mean I am taking part in any unethical behaviour. I am in fact learning from others who likely also, are not performing unethical acts.
- To properly perform the duties of a CISSP and protect the information and systems we are tasked with, one must be able to think and sometimes act (with the legal permission of the client) as an aggressor. This means *GASP* sometimes hacking or breaking systems.
- Ethically then, the reporting of vulnerabilities and findings jibes with the aegis of the code, so why get all bent on how you got it in the first place? Especially when there are legal agreements, documents, and processes out there to do so?
Certainly Mr. Murray needs to get with the times as well as perhaps get personal feelings out of the way before making accusations against someone (WITCH! BURN HER!) because that, would be the ‘ethical’ thing to do.