In offensive security, there is a range of organization-specific vulnerabilities that create risk, from software and hardware vulnerabilities to processes and people.
While Red Teams can expose and root out organization-specific weaknesses, there is another growing class of vulnerability at the industry level.
It's a culture of disinformation, misinformation and misrepresentation that erodes trust, confuses employees, and overloads security teams chasing ghosts.
Let's examine the traditional pillars of security community culture and how they are being weakened and compromised, and even peek at where this all could go in a world of deepfakes and AI-fueled bias and hallucination.
The security industry at its core is built around open information sharing and collaboration to make things better and people safer.
As the problem has grown, so has external scrutiny, liability, and of course profits within the industry.
Industry organizations with imbalanced power structures favor larger companies.
While government has become more collaborative and communicative with the technology industry regarding security risks, there is also an aggressive push in multiple policy initiatives that seek to require mechanisms like encryption backdoors.
While the first two are challenges of the industry's own creation, the third is a challenge of capitalism that has developed so quickly it has largely outpaced the ability to implement controls, or in some cases even to comprehend the scope of the problem.
For security teams, this is one of the most chaotic and hardest-to-control fronts in their battle to keep people safe.
Government secrecy creates an environment where security professionals are blindsided by attacks on addressable, and in some cases long-standing, vulnerabilities.
The public policy debate around weakening technology controls creates contentious relationships with law enforcement and policymakers and even turns public perception against the security industry.
The first case is in industry standards for technology usage and implementation.
Even the National Institute of Standards and Technology changed its guidance within the last few years once it recognized that the onerous requirements were proving counterproductive.
This is where security professionals and teams really get hit in their day job.
It creates an overload of contentious questions for security teams about the reasons for, and efficacy of, policy changes, directives and safe behavior.
This final category hits security professionals where they live: the community itself.
On the malicious side, there have been multiple attempts by attackers to dupe security professionals and even poison vulnerability research.
More recently, on the ethical side, some within the community have been accused of, and exposed for, using fake profiles to deceive and control industry voices while attempting to project, and profit from, community support.
While the other two categories distract security teams and waste their resources, the impact of this one can be more damaging.
Published on www.securityweek.com. Publication date: Tue, 28 May 2024 15:43:05 +0000