Monday, December 19, 2011

The twelve days of Hackmas

On the twelfth day of Hackmas, the Twitters gave to me: 12 bad predictions 11 vendors hyping 10 drunken podcasts 9 scammers scamming 8 raids on banking 7 bots a calling 6 geeks a playing 5 SCADA flaws 4 carding sites 3 backdoors 2 SQLi and an 0-day from Adobe.

Wednesday, December 7, 2011

What is wrong with Infosec as an Industry?

I contend what is wrong is because so many people try to answer that question with only one thing.

I couldn't count on all my fingers and all my toes (even if my good Southern US upbringing leaves me with an extra) the number of things that are actually wrong with something as broad and complex as the Information Security Industry. But I tried. I really did. I even thought about submitting to a conference as a talk.

But the CFP for Shmoocon has passed, and krypt3ia's Zero Sum Game got me thinking, maybe I ought to say it just in case anyone wants to read it. So, here it is.

The problem is the norm. We need to normalize security. Institutionalize it. It has to be ingrained in our thinking, in our tools, in our processes, and in our society. Law enforcement, legislators, business leaders, end-users, technology leaders, innovators, lawyers, hackers, security wonks, systems engineers, and support staff have all got to work together to break the ennui.

It's not about breaking things in new and creative ways to scare people into doing what you know is best.

It's not about finding The One True Risk (although watching Donn and Alex fight is pure entertainment, ain't it?)

It's not about establishing the right touchie-feelies with end-users because they clearly just don't understand why they need to act differently (this hasn't worked on making fat people go to the gym, so why do we think it's going to work for people's passwords?).

It's not about pushing people down the stairs and laughing at them in a pentest (Thank you, Nickerson for that analogy).

It's not about finding the right magic bullet software/hardware that runs itself.

It's not about spending more on test (because, realistically, your code has nothing on the combined power of a million under-employed Aspies who hate your company).

It's not about hiring people with the right certification.

It sure as hell isn't about creating a Governance, Risk, and Compliance organization and setting it as far as possible from the people who actually have to secure your systems and implement your technology solutions.

And let's face it, the plethora of gerrymandered "research" and buzz being relentlessly peddled to decision makers is fostering a generation of junk decisions.

You simply cannot focus on any one area and say "bam. Infosec is fixed!" And tearing it all out and starting over is expensive (at least if you do it all at once). Security is everyone's problem, and everyone needs to be involved and to have buy-in in order for it to succeed.

The infosec community needs to establish better inroads in development communities and professional organizations for systems administrators. Build relationships with schools to have security concepts integrated into the curriculum (yes. We're getting there). Build secure alternatives or secure libraries for easy use. Contribute to the solution instead of bitching about the problem.

Share information to feed the risk models and grow the research. It doesn't matter if you think it's snake oil. Information sharing is key to getting us better.

User awareness initiatives are good, but don't rely on an annual CBT to keep you safe. Focus on fostering a culture of security, not just awareness. Build better relationships with business schools that are training entrepreneurs and business leaders. Show them how building in a culture of security saves money in the long term. Teach them how to navigate security for themselves instead of managing via airplane magazine.

Mature our frameworks. Make them easier to use and understand. Foster adoption of these frameworks with relationships within the government, within professional organizations, among corporations, and with educational authorities. Continue to feed and grow infosec mentor and internship programs! These are vital. The infosec attitude of "I learned it by doing it, I am not going to enable other people's laziness by spoonfeeding them" is self-defeating. Spoon-feed people. Even a rudimentary grasp of the right concepts is better than letting ignorance reign absolute.

The infosec community needs to stop thinking of security as "you can't do that!" and start thinking of it as "what technology will let you do that safely?" Work with vendors or spend more time on producing and sharing more software that enables use, not just breaks things.

And vendors? Find the need and work with your customers to solve it. Don't sell solutions to problems people don't have. Stop trying to convince people they have problems they don't. Trust me, there is plenty of room for earnings in this very real space without selling people a bucket of gak and calling it a wrench. "But it's more flexible!" doesn't confound overworked people any less, and your professional services tend to suck.

This is an uphill battle. It shouldn't be. But the reason it is, is that all of the involved parties aren't starting with the same common understanding. I don't think "stupidity, laziness, fear, and greed" are the best categories to describe the human part of the problem. First and foremost, doing something because someone else tells you that you must do it is a terrible reason. Do things because you want to do them, or because you believe in them and it's the right thing to do.

Corporations and individuals (let's skip that debate about corporate personhood) who choose not to use secure practices do so because they don't believe in them. Either they believe "that will never happen to me," or they believe they're simply bullshit.

There's more monetary incentive to work solo and break something once than to work with a bunch of people to fix something and support it forever. Well, in general. I bet you HD Moore could give a strong argument to the contrary. But, since what we've got is generalities, let's go with that.

Breaking shit is "cool" and cracking is magical. It's all about your own rules, and sticking it to the man! Revolution is the final form of accountability in broken systems where all else has failed. And it's too easy not to get punished, with law enforcement agencies being forced to choose which cases to investigate based on where the most money was lost. Fixing stuff, documenting it, and sharing it is the province of nerds. We have a cultural problem.

The problems are deeper and run to the core of how we think about things and how we do things from the base up. So, next time you want to get on a jag about what's wrong with the Information Security Industry, pause for a minute to consider the complexities and choose where you want to help fix it instead of taking the easy way out and assigning the blame to someone else.