The IT security and vulnerability research communities speak their own language, with varying degrees of success at getting their point across.
There’s no question that the field of IT security and its many practitioners speak a unique language: a lexicon of three-letter acronyms, complex methodologies and even vendor monikers that leave anyone uninitiated wondering what on earth we’re talking about when they overhear our conversations. And that’s not even counting the immense volume of hardcore technical verbiage that vulnerability researchers and product engineers can lapse into, terminology that goes over the heads of the many among us, myself included, who have tried to learn the industry’s lingua franca but don’t actually do any coding or malware dissection. It’s clear that we in this business not only speak a language of our own, but that it comes in many different levels of complexity.
In his latest blog post on CSO.com, our CTO Ivan Arce takes a deeper look at the wording and analogies that security professionals, specifically researchers and penetration testers, frequently invoke when describing their capabilities and achievements to each other and to the rest of the world. You can read the blog post in its entirety here, and I’d encourage you to do so, but here’s an excerpt that captures some of his observations on how the terms used in this field are actually something of an indicator of its overall maturity.

From Talk the Walk (excerpted from CSO.com):

Some time ago while chatting with my peers over a circular table (i.e. in a round-robin arrangement) I suggested that our constant use of analogies is an indication of the immaturity of our discipline or of our inability to create a system of symbols sufficiently expressive yet precise and accurate enough to encode and transmit information security knowledge in an unambiguous manner without the need for analogies. Luckily, none of them pointed me to Douglas Hofstadter’s eulogy of the analogy as a foundation of cognition. Today, having read his essay, I must confess that I have a different appreciation of the contribution of analogies to our perception and knowledge of such an obtuse field. Yet I still believe that an information security analogy is a dish best served cold, one that must be selected carefully to convey an intended meaning very precisely rather than to foster the uncontrolled propagation of Fear, Uncertainty and Doubt or to bias the audience towards an intended emotion.

Our selection of terms from other disciplines is also worthy of contemplation. Information security vocabulary has drawn extensively from military doctrine and the warfare glossary. Firewall, bastion host, armor, citadel, fortress, cyber-warrior and enemy are just a few of the terms commonly used by many security professionals, and inflated war rhetoric is often found in our industry’s marketing collateral and public speeches. (Incidentally, a quick search for “War on CyberTerrorism” came back with over 23,900 hits, but “War on CyberWar” yielded a single result.)

One of my favorite war-related terms is weaponized. I’ve always failed to understand the intended meaning of the term. It is used discretionally to inspire fear of artifacts that could be purposely used to cause harm; thus a reliable program designed, developed and tested to exercise a software bug is a weaponized exploit, as opposed to innocuous tools such as fdisk, rm or echo. I can’t help it! I invariably smirk when I hear the word weaponized and reflect that I seem to like weaponized cereal grain and to be tremendously happy about the availability of a weaponized fungus which, among other things, can be used to produce a kind of weaponized cheese that fits very well with weaponized grapes.

Click here to read the rest of Ivan’s blog on CSO.com.

You get the gist. And it’s true: some of our favorite security language works well in helping us get the point across; some of it, not so much. As Ivan asks at the end of his post, what is your favorite information security verbiage or analogy?