Joshua Goldfarb
10 Ways to Spot a Security Fraud

There is no shortage of people presenting themselves as security experts. Some of them truly are. The others...

The Latin phrase "caveat emptor" has become an English proverb, and for good reason. "Let the buyer beware" is an axiom that nearly all of us are familiar with. Most of us know the phrase in the context of retail purchases. We were taught, or have learned over time, to never take sellers at their word. We must always perform the appropriate research before making a purchase.

In security, unfortunately, we must practice a different type of caveat emptor. In recent years, security has become a hot field. And sadly, where there is budget and focus, there are also frauds and deceivers. There is no shortage of people presenting themselves as security experts. Some of them truly are. The rest of them, however, are keen to take advantage of security professionals who haven't yet learned to filter the real security experts from the fakes.

To help organizations avoid spending time, money, and resources on security frauds, I offer 10 ways to spot one:

  1. Big words: We all like to sound educated and well-read. There is rarely a point in obfuscating our speech with large, overly complex words that make it harder for others to follow what we're saying. But that is exactly what security fraudsters are after. Most of us are afraid of looking stupid, particularly around our peers. If we don't understand something, we may hesitate to ask for clarification. Frauds prey on this and purposely use large words to appear knowledgeable and to confuse us. A general rule of thumb: If you think you're hearing a long string of complex words that, taken together, have no meaning, you're probably right. You're likely listening to someone actively looking to deceive you.

  2. Nothing in writing: Honest, hard-working security professionals have no problem emailing or otherwise putting agreements into writing. It's very common for a meeting to result in a follow-on email with minutes and action items. Security frauds can't risk having anything in writing because they can't actually deliver on their promises. If you find that someone repeatedly speaks or makes promises but never puts them in writing, it's a red flag.

  3. No actions: Most of us attend meetings now and again, but we likely spend most of our workdays doing our jobs. If you are working with someone who can never seem to get anything done or perform any tangible action, you might have fraud on your hands.

  4. Numerous lectures: If your job keeps you busy, you're like most security professionals I know. While we all need to take time to step back and see the bigger picture, we also need to balance that with meeting our deadlines and obligations. If you come across someone who always seems to be lecturing others on what they should be doing, how what they're doing is wrong, and/or how things would work in an ideal world, beware.

  5. Grand plans: Many security organizations have a vision. In addition to that, many members of the security team likely have quarterly, annual, and/or multiyear goals and priorities that they're working toward. It's good to dream, but if all you hear from a certain person are grand plans that are not grounded in reality or connected to the current work environment, they may be a fraud.

  6. Excessive name dropping: Many of us in security are fairly well connected. Over the years, we've worked with people, networked at conferences, and made a name for ourselves. But real professionals let their work speak for them, not the names of others in the field that they know. Someone who can't seem to describe the work they've done but is quite adept at name dropping is unlikely to actually know most of the people whose names they're dropping!

  7. Overly verbose LinkedIn profile or resume: A LinkedIn profile or resume is a great place to showcase your work experiences and your professional skill set. That being said, if someone's profile or resume reads like a short story or novel, it's time to move on.

  8. Amazing coincidences: There are coincidences in life and some of us have had the good fortune to be in the right place at the right time or the bad fortune to be in the wrong place at the wrong time. That being said, the number of times that most of us are involved in a historically notable event is fairly small. If you've come across someone who claims to have been involved in numerous notable events over time, they may be fibbing. Watch out.

  9. Too many stories: We've all met people who seem to have a story or anecdote for every topic of conversation. Some of these people, it seems, spend their days collecting stories and anecdotes, rather than working and building their skills and experience. These types of people aren't who you need for your security team.

  10. Loose lips: There is one particular Taoist quote that aptly describes the security profession: "Those who know do not speak. Those who speak do not know." If someone goes on and on about events that should be kept close, they're either a huge security risk or they weren't really there. Neither is good for the security organization. Stay away.


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
