An open letter to Marc at SANS and other places, and those similar to him based on his presentation at a local ISSA chapter, though he gives this same presentation with its same flaws all over the world:
I wanted to give you some feedback on your presentation this evening at the ISSA because, frankly, I was a disappointed with some of your conclusions.
First, the whole “the internet is an organism” concept of virus and malware propagation.
Lots of people have said this which, I suppose, makes it a kind of conventional wisdom speaking point. I don’t agree with it at all, and I’ll tell you why. It centers around the recurring commentary that many in our industry have spoken about regarding shoddy software devdelopment. For instance, Bruce Schneier’s testimony to the House Committee on Homeland Security mentions the following:
“The major reason companies don’t worry about the externalities of their
security decisions—the effects of their insecure products and networks
on others—is that there is no real liability for their actions.
Liability will immediately change the cost/benefit equation for
companies, because they will have to bear financial responsibility for
ancillary risks borne by others as a result of their actions.”
Malcode is not an organism that mutates and just randomly occurs. It is written with a specific purpose by willful humans.
Second, since you only speak of general mass-market attack strategies, I also believe that you are missing the point of how value-targets are targeted. I even heard you miss-state the purpose of tools such as metasploit, give intel on blackhat activities that are several years out of date, and still speaking to the talking points that you learned while you were in Homeland Security for a year in 2003. Frankly I’m not sure if I would have agreed with your conclusions completely at that time either.
Since you are in a position to really make a difference in director positions at several large and popular authorities, I’m wondering why you are perpetuating these questionable conclusions that portray technology and users of it as suspect and uncontrollable influences. I view it as irresponsible to present on risk management and assessment if you are giving an incomplete, or inaccurate picture of the landscape. It just makes my job that much harder as I then have to deconstruct the impressions that you and yours have left in my clients perceptions.