Dark Reading is part of the Informa Tech Division of Informa PLC

Careers & People

4/10/2020
10:00 AM
Joshua Goldfarb
Commentary

10 Ways to Spot a Security Fraud

There is no shortage of people presenting themselves as security experts. Some of them truly are. The others...

The Latin phrase "caveat emptor" has become an English proverb, and for good reason. "Let the buyer beware" is an axiom that nearly all of us are familiar with. Most of us know the phrase in the context of retail purchases. We were taught, or have learned over time, to never take sellers at their word. We must always perform the appropriate research before making a purchase.

In security, unfortunately, we must practice a different type of caveat emptor. In recent years, security has become a hot field. And sadly, where there is budget and focus, there are also frauds and deceivers. There is no shortage of people presenting themselves as security experts. Some of them truly are. The rest of them, however, are keen to take advantage of security professionals who haven't yet learned to filter the real security experts from the fakes.

To help organizations avoid spending time, money, and resources on security frauds, I offer 10 ways to spot one:

  1. Big words: We all like to sound educated and well-read. There is rarely a point in obfuscating our speech with large, overly complex words that make it harder for others to follow what we're saying. But that is exactly what security fraudsters are after. Most of us are afraid of looking stupid, particularly around our peers. If we don't understand something, we may hesitate to ask for clarification. Frauds prey on this and purposely use large words to appear knowledgeable and to confuse us. A general rule of thumb is: If you think you're hearing a large number of complex words in a row that, when assembled together, have no meaning, you're probably right. You're likely listening to someone actively looking to deceive you.

  2. Nothing in writing: Honest, hard-working security professionals have no problem emailing or otherwise putting agreements into writing. It's very common for a meeting to result in a follow-on email with minutes and action items. Security frauds can't risk having anything in writing because they can't actually deliver on their promises. If you find that someone repeatedly speaks or makes promises but never puts them in writing, it's a red flag.

  3. No actions: Most of us attend meetings now and again, but we likely spend most of our workdays doing our jobs. If you are working with someone who can never seem to get anything done or perform any tangible action, you might have fraud on your hands.

  4. Numerous lectures: If your job keeps you busy, you're like most security professionals I know. While we all need to take time to step back and see the bigger picture, we also need to balance that with meeting our deadlines and obligations. If you come across someone who always seems to be lecturing others on what they should be doing, how what they're doing is wrong, and/or how things would work in an ideal world, beware.

  5. Grand plans: Many security organizations have a vision. In addition to that, many members of the security team likely have quarterly, annual, and/or multiyear goals and priorities that they're working toward. It's good to dream, but if all you hear from a certain person are grand plans that are not grounded in reality or connected to the current work environment, they may be a fraud.

  6. Excessive name dropping: Many of us in security are fairly well connected. Over the years, we've worked with people, networked at conferences, and made a name for ourselves. But real professionals let their work speak for them, not the names of others in the field that they know. Someone who can't seem to describe the work they've done but is quite adept at name dropping is probably unlikely to actually know most of the people whose names they're dropping!

  7. Overly verbose LinkedIn profile or resume: A LinkedIn profile or resume is a great place to showcase your work experiences and your professional skill set. That being said, if someone's profile or resume reads like a short story or novel, it's time to move on.

  8. Amazing coincidences: There are coincidences in life and some of us have had the good fortune to be in the right place at the right time or the bad fortune to be in the wrong place at the wrong time. That being said, the number of times that most of us are involved in a historically notable event is fairly small. If you've come across someone who claims to have been involved in numerous notable events over time, they may be fibbing. Watch out.

  9. Too many stories: We've all met people who seem to have a story or anecdote for every topic of conversation. Some of these people, it seems, spend their days collecting stories and anecdotes, rather than working and building their skills and experience. These types of people aren't who you need for your security team.

  10. Loose lips: There is one particular Taoist quote that aptly describes the security profession: "Those who know do not speak. Those who speak do not know." If someone goes on and on about events that should be kept close, they're either a huge security risk or they weren't really there. Neither is good for the security organization. Stay away.


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...