Be an InfoSec Berean
In the Bible (no, this is not a sermon – yes, this is InfoSec relevant), there was this group that Paul ran into called the Berean Jews. (Acts 17:10-15 if you want to look it up). These Bereans were shown in the scriptures to be diligent people who checked the facts. Verse 11 says:
Now the Berean Jews were of more noble character than those in Thessalonica, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true. (emphasis added)
So basically, the Bereans were not going to accept anything at face value. They immediately went back to scripture and checked out to see if what Paul was saying was true, and then they made up their minds.
Now what got me thinking about this particular group and how it applied to InfoSec was the article at Infosec Island by Scot Terban entitled “Infosec: The World’s Largest Rube Goldberg Device”. Scot has some pointed things to say about the different vendors and “experts” selling they toys and wares in the industry, and his points are good. But this theme has been in InfoSec (and other industry) blogs since I started reading them (I have written a few myself): do not fall for the sales pitch and the marketing.
This is just good common sense, right?Then why in the name of Mordor do we have to keep saying this? Is this for the benefit of the new folks in the industry? Is this because people just like a good rant session? Is it because someone STILL has not learned this lesson? Is it because there are a lot of lazy folks out there?
Now I am not hitting Scot here. I have zero problem with writing the post (and in fact, his overall theme was not about this really at all). It just struck me that if you have to be reminded to be an “InfoSec Berean” when the sales person calls or when you read an article comparing different technologies, then you are wrong. No, we don’t have a convenient set of scriptures to go to (except for NIST or something like that, which Scot points out). This is more about doing your due diligence to prove or disprove claims made by sales or marketing. Get some documentation. Get some references. Do a proof of concept (not always practical, I know). Make sure there is proof of the claims. Don’t accept it at face value, just like the Berean Jews.
And, in my finest adult-preachin-at-you voice, don’t make me tell you again!