Very good point Israel. I think we agree on the fundamentals. I think we need a professional code of conduct. Like physicians or engineers. I certainly agree that being a security professional is no excuse for unethical behavior.
Sometimes I despair of the security industry. It seems to strongly reinforce attack and mindless response. I think we frequently become so obsessed with the dance of attack, that we fail to plan for a better future.
I used to think it was testosterone-enhanced blindness. But now I just blame the NSA.
For example, this spring, when we analysed the SANS 20 Critical Controls (originally written by the NSA), we found some inexplicable oversights. See Appendix 4 at the end of this Google Doc. Of course, they had to prioritize. But some of the oversights appear to be pretty important. As currently composed, the Controls are hard to prioritize for local situations. And they do little to create a better future. We wrote 3 additional Strategic Controls that we felt had greater value than some of the existing Controls. Our institution would value them at about #1, 3, and 6. They are:
Critical Control 1: Unity of Vision
Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?
A. How does your organization create a sense of community?
B. What are your Institution's Goals?
C. How are those goals propagated throughout the organization?
D. How do your security actions promote your institutional goals?
E. How do your security actions provide assurance to your institution?
F. How does your institution reward long-term loyalty?
Critical Control 3: Enable a Better Future
This control assumes that our actions affect the future. Do your actions enable a more secure future?
A. How do you increase the cost of attack?
B. Do you report attack to the remote ISP/attacker?
C. How do you coordinate with law enforcement?
D. How do you decrease the cost of defense for yourself and others?
E. How do you reduce the motivation for local attack?
F. Do you disclose vulnerabilities to others?
If so, will your institution protect its people when others attempt to punish disclosure?
G. Do you facilitate others disclosing vulnerabilities to you?
H. Do you help your peers improve their security?
Critical Control 6: Informed Response
This control assumes that security is an ever-changing landscape. If you don't correctly respond to the current challenges, you will not survive. How responsive is your security?
A. Do you detect and measure attack trends?
If so, do you communicate the results to management?
If so, do you communicate the results to your peers?
B. Do you track the major venues for attack disclosure? (DefCon, ShmooCon, BlackHat, etc.)
C. How many days does it take to communicate a security concern to the highest levels of management?
D. How many days does it take to implement an approved security initiative?