Archive for the ‘Information Security’ Category

Big Trouble in Little Infosec

October 29th, 2013

The security “community” has been so incredibly drama-laden this year (largely due to media sensationalism and that wily A-P-T, yeah you know me!) that it’s been tough to stomach. That’s really not me being curmudgeonly, honest. I’ve had a fascinating year, done some amazing work with clients, and seen a good number of incredibly smart friends and colleagues at industry events and elsewhere. So, what’s got me wound up? Well, it’s that time of year, first of all. As a consultant who travels internationally a LOT, and stays busier than a rational human should be, I am reaching a point of exhaustion where I start reflecting on what I’ve seen and thinking a bit more philosophically about the state of the “industry”. Second, I’ve really had some big insights personally, just seeing things a bit more clearly for what they are.

You may have noticed that I surrounded the terms “community” and “industry” in quotes. That’s intentional. And directly related to concern #1:

If we’re a “community”, what are our values? And why do we qualify as an “industry”?

I’ll explain. From what I’ve seen, it might be time for us to work a little harder at helping the “normals” get secure. I know we THINK we all do. But ya know what? We’re NOT approachable. We are very quick to judge people not fit to compute. And that, my friends, is 99% of the world, in our eyes. We have to lower our bar, try to be a bit more understanding of Facebook people, and start solving the real problems of awareness and usage scenarios. And, uh, misogyny in IT. Or at least infosec. Really, being a bigot to women is pathetic these days. Especially if you are a fat, white and pasty nerdbot that doesn’t see much daylight.

As to the “industry” thing…please. Everything about infosec is a “feature”. We are not IT. We are not “risk”. We are a part of both. Yes, there’s money here. But we are NOT a strategic element. We’re a small piece of the business equation, no matter how important we think we are. Maybe, in some industries and situations. But not as “the norm”.

And so…problem #2: We think we’re more important than we are.

True, sadly. Especially the pompous CSO types who puff their chests out and talk about “metrics” and “governance” and “GRC” and “advanced threats”. We have a lot of the “let’s preen and act important” game going on, where people act very serious and try hard to dress nice and seem like they know what’s happening. Pffft. These folks are reacting just like everyone else, and the last fucking thing we need is more corporate politicians. Take your “GRC” and “dashboards” and go do something better suited, like create a colorful chart. UNLESS…you cover for the real team that actually does shit. And maybe once in a while, you enact some changes through your amazing PowerPoint skills of persuasion. Which leads me to #3:

We need a LOT less talkers. And a lot MORE “do-ers”.

Seriously. I’ve said this before. More than a few times, really. But what I see out there is concerning, folks. I see a lot of infosec professionals who, candidly, suck. Basic Windows skills and the ability to fill out Word docs do NOT an infosec professional make. You need admin skills, network skills, DB skills, some code, and maybe more to be a well-rounded infosec person. Most are not. Some can learn, and want to. But many are in it for the perceived paycheck. If you are 20 years in and can’t use Linux, don’t expect me to give two fucks about you and your career. Because you don’t care. And neither do I. This isn’t a cushy 9-5, maybe-we’ll-get-a-pension-someday kind of gig. Keep learning, evolve or die. And if you DO care, and are trying to switch careers? I’m your biggest fan. I’ll help any way possible.

And finally? Another topic I’ve harped on, at #4:

Bo don’t know code. And neither does infosec.

We need more people to code. Less click, more code. App issues are the now AND the future. If you can’t handle that…you’re on the way to dinosaur, sorry.

These are some harsh realizations. But really, we look at infosec and data breaches and wonder why things aren’t better. What if we’re a big part of the problem?

Categories: Information Security, Musings

Incentivizing “Makers”

August 14th, 2013

This post was directly inspired by a conversation @secmoose and I had over the last week, and was originally driven by my disappointment this year at DEF CON that, once again, we’re idolizing people that break things. To be clear, I break things. I have nothing against pen testers (I am one) or security researchers. But we show up in Vegas, listen to people talk about breaking stuff, try to break stuff, and then go home. Who builds anything? I know the DEF CON Kids program is doing a bit of this (awesome) and there’s certainly a handful of IR/intrusion analysis/monitoring/etc. talks…but we are definitely skewed towards the “I broke this, look at me!” scene.

What to do? Well, here’s what I am NOT suggesting – let’s NOT stop what we’re doing. We are exposing some awesome issues, having better conversations than ever before (and with the NSA listening in to all of them, what could be wrong?), and slowly and steadily marching onward in this bizarre field. No, what I’d like to see, at least an initial dialogue on, is how we incentivize people who defend and build security versus find flaws in it. We all know that both are critical. So what can we do to get more “build” and “innovative defense” talks at cons, as well as activities that have a more dominant “build and defend” element?

@secmoose had some great thoughts on a more defense-oriented aspect of CTFs. CTFs are great for building and testing skills, but primarily for the offensive side. While there are definitely defense aspects included today (malware reversing, PCAP manipulations, “waterholing”, etc.), there could probably be a lot more. What about an entire campaign focused on “active defense” aggravating attackers using techniques and tools like those in the ADHD distro from @jstrand, @secureideas, and @pauldotcom? More “innovation” ideas on tools for defeating attacks, identifying malicious behavior and thwarting it? Just thinking out loud, really. Would love other ideas and thoughts you guys may have.

In fact, one of my talk ideas for DEF CON this year (rejected) was that we look at what the original spirit of a “hacking conference” was, and try to get back to those roots. Let’s invite more people that have nothing to do with breaking, building, *anything* in security, but have great ideas and do other work in science, robotics, engineering, etc. Let’s get some new blood and people outside our industry thinking about some of this and try to get back out of the box we’re in, creatively. Who knows? Could be fun.

Categories: Information Security, Musings

It is NOT time to “professionalize” information security.

May 24th, 2013

I recently read an article posted by my friend Brian Honan titled “Is it time to professionalize information security?” I know this debate’s been going on for a bit. I have a lot of respect for Brian (who supports licensing or “professionalizing” infosec), for a lot of reasons. If you’ve ever met the guy, and/or know of his accomplishments and track record, you likely do too. So to be clear, my opinions in this matter have nothing to do with Brian, and everything to do with what I see as a bad direction to take in our industry right now.

People – this is a “knee jerk” to the insanity that is information security. Things are chaotic, sure. Breaches, crime, national defense…all contributors to this mess. Top that off with a general distrust for vendors (with a perception of them selling “snake oil”), a disturbing number of “charlatans”, raging debates about certifications like the CISSP, drama at every turn, and constant cries of “we have to get better”. Sigh. I know, it sounds bad, right? But it really isn’t nearly as bad as it seems.

We are an “industry” in a very early stage, folks. I’ve said this before, I’ll say it again – we have a major, fundamental difference in infosec that makes it seem much worse – we have adversaries. They are working against us. When the Windows MCSE came out, it was a joke. Anybody could go learn a little about Windows, and become a “certified” Windows…, uh, person. But there was no diabolical Blofeld waiting in the wings to set Microsoft back, planning a global overthrow with Linux-wielding henchmen in an underground lair while he stroked his cat. Same for networking, whether Cisco or otherwise. Same for databases, CRM, enterprise middleware, and so on. Nope, only infosec has these shadowy lurkers who continually thwart our best efforts, stealing data and making the news.

We’re making progress. Really. Yeah, we have some idiots jumping on the bandwagon churning out Nessus reports as “pen tests”. So do we run to “certify” everyone so such an atrocity can never happen again? Really? You’d put us in a little box so that we can all feel safer? No. Here’s a better plan – those of us who are NOT clueless and DO provide quality work for clients or our businesses should work harder to educate people on this. That’s the problem. People are freaked out, they may not know any better, and they’re looking for solutions. Be it vendor or consultant or both, there’s ALWAYS a solution. Some are good, some are not. We’re falling prey to FUD, plain and simple. And if you get caught up in the daily whining on Twitter and elsewhere proclaiming that infosec is “so messed up” and that it “needs fixing”…well, you’re falling right into the drama-laden trap that plagues our industry.

The infosec industry needs creativity. It needs people who don’t fit the mold, who would rather set a kitten on fire than wear a tie, and who cannot help themselves from telling dick jokes, no matter when or where. Those people may not fit the “professionalization” scheme, but we would be SCREWED if we lose them. They think outside the box, they don’t look “corporate”, and they insist on wearing black T-shirts. I’m being purposefully stereotypical, of course. We’re a widely diverse crew these days, and we’re better for it. But thinking we’re failing so badly that we need to “professionalize” is silly. If that is the case, then why don’t we REALLY get to the heart of things, and professionalize programmers? It’s their shitty code that is causing a lot of the mess, there’s no denying this. While we’re at it, we should probably “professionalize” systems admins, network engineers, everyone. They screw up too, right? We should definitely “professionalize” project managers. Those people are a pain in the ass. Let’s make them certify!

C’mon. This isn’t the answer. Infosec is crazy, sure. But we’re not headed into doom and gloom as some would have you believe. We’re improving education programs all the time. I have met some of the college kids who are taking part in Red Team-Blue Team competitions, and some of them are crazy sharp. We’re trying to fix things like the CISSP, with guys like Wim Remes and Dave Lewis as our men on the inside. We’re having proper debates about “attacking back” and cyberwarfare (ugh), and so on. We’ll get there. But don’t react and put us in a little defined “program”. I don’t want to be a part of the Borg, not now and not ever. I have hundreds of happy clients who can attest to my work, and so do many of you. Let’s let folks like the Attrition crew smoke out the worst charlatans. And let’s try to keep our sense of humor AND reality along the way.

Categories: Information Security, Musings

Watching the Watchers, 2013 Style

January 31st, 2013

We’ve never really been adept at dealing with insider threats. Some organizations have internal detection and monitoring programs, usually aligned with anti-fraud efforts, and some also include more robust forensics programs to look for evidence after-the-fact, but we still have a problem with insiders. With the proliferation of virtualization and cloud computing, we have more trouble than ever. There are two trends I see that explain this.

First, let’s talk virtual environments. A number of things tend to happen in virtual infrastructure that can lead to poor privileged user management and monitoring practices. First, many shops hand virtualization over to an existing admin group, like say…the Windows team. Not a great move, for a lot of reasons. This team still has to manage their existing systems and infrastructure, like Active Directory, DNS, and other platforms and applications. This means they’re part-time virtualization admins, at least for a while. A lot of folks think virtualization is easy, and it is…to a point. But virtualization technologies can suffer from neglect just like any other systems and apps can, and missing patches and failing to implement configuration controls can have a devastating effect. But relative to the point of insider control and monitoring, this arrangement usually leads to shortcuts in the way that admins log in and manage the environment. Many use generic administrator logins, including the local Admin account on Windows systems running vCenter. AD integration is easy, and highly recommended, and this can help with audit trails, but the practices are still poor – often the full Admin role is assigned within management platforms, with little to no role assignment or separation of duties. Coupled with the minimal logging often done in these environments and potentially generic admin account IDs…a recipe for disaster. One disgruntled admin could take out the entire environment, at least for a while.

What to do about this? Well, the most effective way to approach this issue is to follow a simple regimen, none of which is really new at all:

  1. Before deploying virtualization, or even once you have it up and running, set time aside to carefully plan and assign roles for VM admins, cloud admins, network teams, dev and DBA teams, etc. The major vendors, certainly Microsoft and VMware (XenServer role granularity is a bit meh), offer plenty of features to properly create and manage roles.
  2. Ensure your management interfaces to all components, including integrated and 3rd-party pieces in vBlock (Cisco UCS, EMC Ionix and Symmetrix, etc) and private cloud (vCloud, System Center varieties, etc.) are on a separate segment that you control very tightly. Ensure you have monitoring in place for this segment (behavioral and traditional signature-based) and also logging on each management platform.
  3. Have all administrators manage systems via a bastion host or “jump box”, which can be anything ranging from a Windows server you RDP into to vSphere Management Appliance or commercial options like the HyTrust appliance. Better management control, better audit trails, more of a pain in the ass for admins, but…something you should do.
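To make the role-assignment point concrete, here is an added example (mine, not from the post or any vendor) that audits a constructed permission export, in the shape a vCenter-style export might take, for the weak practices described above: local non-directory logins, generic shared administrator IDs, and the full Admin role handed out at the inventory root. The column names, role names and account list are assumptions.

```python
"""Audit a virtualization permission export for weak privileged-user practices."""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export, not real data. Columns: principal, directory
# source (AD or LOCAL), assigned role, inventory object the role is assigned
# on ("/" is the root), and whether the assignment propagates to children.
SAMPLE_EXPORT = """principal,source,role,entity,propagate
CORP\\jsmith,AD,VM Operator,Datacenter-01,true
CORP\\vi-admins,AD,Admin,/,true
Administrator,LOCAL,Admin,/,true
root,LOCAL,Admin,/,true
CORP\\dba-ops,AD,Read-only,SQL-Cluster,true
CORP\\netteam,AD,Network Admin,Datacenter-01,false
"""

# Login names that identify a shared account rather than a named person (assumed list).
GENERIC_ACCOUNTS = {"administrator", "admin", "root", "vcadmin"}
# Role names (assumed) that grant full control of the management platform.
FULL_CONTROL_ROLES = {"admin", "administrator"}


@dataclass(frozen=True)
class Finding:
    principal: str
    issue: str
    severity: str


def audit_permissions(export_text: str) -> List[Finding]:
    """Return one Finding per weak practice seen in the export."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        principal = row["principal"].strip()
        login = principal.split("\\")[-1].lower()   # drop any DOMAIN\ prefix
        source = row["source"].strip().upper()
        role = row["role"].strip().lower()
        entity = row["entity"].strip()

        # A platform-local account is not tied to a directory identity, so the
        # audit trail cannot name the person who used it.
        if source != "AD":
            findings.append(Finding(principal,
                "local platform account: audit trail cannot name a person", "high"))
        # Shared logins defeat accountability even when AD integration exists.
        if login in GENERIC_ACCOUNTS:
            findings.append(Finding(principal,
                "generic/shared administrator login", "high"))
        # Full Admin at the root is the "no role separation" anti-pattern.
        if role in FULL_CONTROL_ROLES and entity == "/":
            findings.append(Finding(principal,
                "full Admin role at inventory root; scope a narrower role per team",
                "medium"))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings as {severity: count}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in audit_permissions(SAMPLE_EXPORT):
        print(f"[{f.severity:6}] {f.principal:18} {f.issue}")
```

Point the same checks at a real export and the named AD group with a narrower role (CORP\jsmith, CORP\netteam) is what a clean result looks like.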

I see a lot of organizations where security teams aren’t really monitoring the virtualization and cloud admins. This should change, quickly. Speaking of monitoring virtualization and cloud admins, let’s talk about the second trend, which is moving resources to public/hybrid/community clouds. There are really two ways to look at the insider scenario here. The first way, while pretty defeatist in nature, could certainly resonate with some folks – you’re f**ked. You are pretty much going to have to rely on the cloud provider to do internal monitoring and privileged user management. Well, THAT’s depressing. The other way to look at this is via the standard argument for auditing and assessing providers – via SSAE 16, ISO 27001, and CSA STAR or other questionnaires and responses like those in the CSA CCM and CAIQ. At the moment, there’s really no way to monitor cloud admins actively yourself, so you’re at their mercy technically. You’ll have to rely on what the provider tells you, and continually check to make sure they’re doing what they say they’re doing. A great guide to insider threats in cloud environments has recently been published by the folks at CERT, titled “Insider Threats to Cloud Computing”. It breaks down the different types of cloud admins, what data and systems/apps they (typically) have access to, and what you should be looking for when talking to providers about this. I highly recommend reading it.

Hopefully, the insider threat in both virtual and cloud environments is on your radar. If it’s not, it definitely should be.

Infosec’s Most Dangerous Game: Groupthink

October 12th, 2012

These days, I am very, very afraid for the future of CISOs. Over the past few years, and specifically the past 12 months, I have become increasingly alarmed at the level of “groupthink” and “synchronized nodding” going on with security executives. Here are some of the things I am seeing:

  1. Lots of talking about the same shit, with absolutely no innovation at all. Good examples include metrics (we need them! they’re IMPORTANT!) and talk about policy and governance that usually means absolutely nothing.
  2. A desperate need to find “the metrics” to report to “senior management” – there is no such thing. Your management, in all likelihood, does not want any tactical numbers on antivirus events, IDS alerts, or such blather. They want real risk advice on business goals and functions. Period.
  3. Managing by managing what everyone else is managing. You would not BELIEVE how many security products get purchased because other security executives are buying them.

Most CISOs are smart folks. You got to that spot because you’re competent, or maybe more politically astute, or ideally both. We need to break out of this. I remember a while back when everyone in infosec lamented that we “never communicated”. Now, I almost think we OVER-communicate. It’s easy to play it safe by following what others are doing – I hear this in SANS classes, IANS forums, and sporadically with consulting clients. Not overtly, but sort of “between the lines”. We need innovation, and that means getting outside the echo chamber of security. I give a talk at a few IANS forums that adapts the concepts from the book “The Lean Startup” to the world of enterprise security programs to try and kickstart this. I don’t know that I do a great job, but I’m going to keep trying. Here are a few key pointers from that talk.

First, think of your security program like a startup, and the overall program and its performance as your product. Ask yourself a few questions, and answer them honestly every day:

  1. Do Consumers Recognize the Problem We Solve?
  2. If there’s a solution, will consumers buy it?
  3. Will consumers buy the solution from us?
  4. Can we build a solution for the problem?

Your “consumers”, of course, are your constituents, ranging from employees to senior leadership, to customers and partners. Think about how THEY look at security, why they care or don’t care about it, and you’ll be on the right track.

The next thing to do is leverage the “Entrepreneur Pyramid”, shown below:

Create a security program mission/vision statement, and make it realistic. Define a short and long-term strategy, and be willing to “pivot”, or change, that strategy often – maybe every 6 months or even more regularly. Look at your product today as the MVP – Minimum Viable Product. Then optimize and build. To do that, leverage the Feedback Loop:

Focus on the major phases:

  • Build from ideas: Get creative. Think about different ways to accomplish your goals, and get feedback and input from people, and NOT just security people.
  • Measure your product, often: How effective are you? Are you missing attacks? Are you educating the business? Are you facilitating business, and becoming more trusted by business unit leaders? This is metrics, perhaps, but ask yourself what success looks like…?
  • Learn from the data: Data should drive insights. If it isn’t, you’re wasting time collecting it in the first place.

My final concept to try is “The Five Whys”. For every brainstorming session or security meeting, when trying to solve problems, come up with new ideas, or determine a root cause, drill into each idea five times. Not to be annoying, like a 3-year old that won’t quit, but to see how deep you can get, and force that “out of the box” thinking. In many cases, by the 3rd or 4th “why”, you’ll be really digging for answers or more ideas. That’s OK! Just keep digging.

This isn’t a perfect science, but if we want to be real business leaders advising on risk, we need to start thinking of new ways to do it. I recommend reading Eric Ries’ book, too – it’s really good.

Categories: Information Security, Musings

Your CISSP is Worthless. Now what?

August 22nd, 2012

OK, so it’s not really worthless. It can help you get a job or a contract. But in the scheme of today’s infosec world? It’s really broken, in my opinion. Let me break down my thought process, since I’m typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to *really* take it seriously. That’s a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec. As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge. But not relevant to most people’s infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don’t need many, if any, theoreticians today. I need tangible, real skills that can be put to good use immediately. You may argue that theory and research and risk and <blah blah blah> has its place. Sure it does. But I don’t need that in a cert like this. I want someone who can walk in the door and DO things. Not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I’ve had some people tell me – “I’m proud of my CISSP.” Really? Of what, exactly?

  • Studying for a test
  • Taking and passing a long, obnoxious test
  • Doing WORK for 3-4 years (wow, welcome to a CAREER)
  • Having a college degree (in some cases)
  • Acquiring <puke> CPE credits for random bullshit-able things
  • Getting someone to attest that you are smart. And/or awesome.

People, it’s broken. HR offices are essentially discriminating against people who don’t have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something…OK. But don’t strut around and act as though this really means you have something unique or special…you don’t. I know way too many CISSPs who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on. That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

So what do I propose? I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they’re out. We need to weed out the people BSing their way through infosec on the back of a bunch of stupid CPEs. I’d love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill. We have friends of mine like Wim Remes on the ISC2 board, and Dave Lewis and Boris Sverdlik running for the board now. I would love to see more awesome folks like these guys steering the ship. But it needs an overhaul regardless.

Pic courtesy of Boris’ site at http://www.jadedsecurity.com.

Categories: Information Security, Musings, Rants

No Infosec Sacred Cows

July 20th, 2012

We have sacred cows in infosec, apparently. I read a blog post by Dave Aitel about security awareness yesterday that I really enjoyed – he took a very bold stance on a topic that everyone seems to have an opinion about. His argument? Security awareness is useless. Ditch it, and spend your time and money on technologies and techniques that actually control what users can do and what can happen to them.

Is he exactly right? No, probably not. But he took a stance, and got some thought-provoking dialogue going. What was incredibly disconcerting to me, however, was the vitriol people started spewing in the comments – how DARE he propose such a thing?! I tried commenting on the post but I think CSO flagged it and didn’t let me, and I was probably being a bit acidic in my comment as well, though for different reasons. So a few things shook out; in essence, here’s what I was trying to say:

  1. People, don’t be LEMMINGS. I saw a lot of people who were puffing out their chests as “leaders” in the infosec space spewing garbage about “people, process, technology” like they were attached to Shon Harris’ rear-end after having a love fest with her CISSP study guide. C’mon, just because it’s one of the “10 domains” doesn’t mean you have to evangelize.
  2. Most security awareness programs SUCK. I would be willing to bet the majority of the awareness proselytizers on the thread are doing the same old crap with some stupid Web-based Flash thingie that people click through as fast as they can, and a little printout goes in their HR folder of whatever. UGH. That doesn’t work, never has, and never will.
  3. Given that most programs suck, what is wrong with a contrarian view? Start a conversation on new methods of security awareness and protection, but don’t demonize Dave (who has likely seen more overall than most posters) for having the balls to suggest that something BLATANTLY NOT WORKING for most should be canned.

I generally think security awareness is ridiculous. Sure, sure, you need that compliance checkbox that asks for it. And OK, you have to TRY, I get that, too. But sometimes, we seem to cling desperately to ancient ideals and practices in this field that just might have run their course. I’m not ready to say security awareness is one of them….yet. But we can and should try to improve it, across the board, or find something else to do instead.

Categories: Information Security, Rants

Infosec Thought Followers

June 15th, 2012

If you have been in this field for any length of time, you’ve undoubtedly come across the term “Thought Leader”. Ugh.

What, exactly, is a “thought leader” in this space? Someone who discovers amazing new technologies? Someone who predicts the direction of security? Both? Neither?

This is one of those terms that just makes my skin crawl, and here’s why. I have not seen anything wholly NEW in this field in a long time. In fact, just about everything I see is some variation on an existing theme, in just about every way. Most of the people blogging, ranting, speaking at cons, etc. are all doing something that builds on work that came before…and that doesn’t necessarily make it bad, of course. Far from it – there’s some amazing stuff happening right now all over the place in infosec. But we’re really all building and feeding off one another. Some call it the “echo chamber”, since we tend to bounce things back and forth and love to hear ourselves think. In some cases, this is definitely true.

A while back, many were lamenting that we never talk in the security community. I think the opposite is true – I think we talk a LOT. My only lament is that we seem to talk about nothing but infosec! There is, of course, more to life than infosec…but I digress.

So next time you see someone labeling themselves as a “thought leader”, you should first laugh at their likely douchy nature, and then ask them exactly how they’re “leading”. Real leadership in this space tends to happen at a level unobserved by most. The CISO who backs her team politically and fights for key projects, the analyst who writes a sweet Python script to automate some rote pen testing task, the incident handler or forensicator who digs for hours to find the root cause of an event, and so on. That’s leadership, and it happens all the time.

As for thinking? Really, we’re all thought “followers” who absorb from one another. That’s what the community is good for. And we need all of it we can get.

Categories: Information Security, Musings

Lies, Damn Lies, and Infosec.

May 25th, 2012

The little lies we tell ourselves are usually the most insidious. Lies about our weight, our success in life, our relationships. We believe these lies. Or we *want* to, at least. They make us feel better, most times. But they creep up on you over time, and when you really, truly discover that they’re lies, after all, they hurt. And they can hurt a lot.

We just might be lying to ourselves in the information security industry.

After a great and spirited debate on Twitter (naturally), a realization dawned on me. Well, two realizations, but I’ll start with the lie.

We may never be seen as business “partners”, or something that really adds value in an organization.

We’ve been struggling with this for years. “Get a seat at the business table” blah blah blah. What if we’re not meant to have one? What if the notion of a “Chief Security Officer” is most businesses’ (and the universe’s, perhaps) grand joke upon us and our industry? Any of you reading this that hold a CSO or CISO title…do you feel like you’re treated as a true executive? My guess is no. I’ve been one, I know. People are pretty nice to us, maybe. But we’ll never have the clout of a VP of Sales, or a CFO.

And down deep, I think we know this. 

But we keep on lying. Now, lest you sink into a quagmire of depression from which you’ll never surface after reading this, we DO have some value. Of course we do! I don’t need to describe all the things we do, and the unemployment rate in infosec right now supports the notion that we are serving a definitive purpose. But time and time again, I hear my fellow infosec folks opine that things are futile, we’re not making a lot of progress, we’re not “winning” (whatever that means in this business).

I’ve struggled with this for a long time. I’m a natural optimist, and I want (badly) to believe that we CAN “win” or succeed at beating back what for all appearances seems to be an unending tide of malicious and horrible crap. But this Twitter-borne realization dawned on me that I may in fact be lying to myself, and everyone else may be, too.

I said I had two realizations. The other came later, after my friends Kevin Riggins and Josh Corman pointed me to something beautiful. Neil Gaiman, a well-known fantasy author, gave one of the most incredible 20-minute speeches I have ever heard at a university commencement ceremony, and you can find the video here. I cannot encourage you enough to watch this video, it may give you something you didn’t know you needed.

There’s one passage in Neil’s speech that hit home, perhaps more than others:

So be wise, because the world needs more wisdom, and if you cannot be wise, pretend to be someone who is wise, and then just behave like they would.

So, for that second realization. I may be lying to myself, and you may be, too. As for me, I may not be the one to change the business world’s idea of infosec and the value we bring. But I’m going to pretend to be someone who can. And maybe that’s just as good.

Categories: Information Security, Musings

What’s RIGHT with Infosec

April 2nd, 2012

There’s a lot of general negativity in the information security community, often represented as a sense of futility and continual failure. This makes sense intrinsically, especially when you take “security” as a macro-level topic across the spectrum of news, etc. It seems like everyone is failing all over the place, and the media just eats it up. But is this really the case? In certain situations, sure. Some organizations just don’t care as much, and some security professionals are unable to get the job done due to lack of skill, politics, too much workload, or plain old apathy.

This is not a “black or white” issue though. I think there’s a lot of good happening in this space right now, and it all fundamentally comes down to the maturity of information security as a discipline. I’ve said this for years, and it bears repeating – this field is still really in its infancy, and has a long way to go. This post is just me observing the state of things, and I’ll list a few points that I think illustrate the good coming out of our field.

  1. We are coming to the realization that we WILL be breached. This is a huge, fundamental shift in mindset that’s actually healthy, not redolent of defeatism. We have too much surface area to cover, not enough people and technology, and dammit, defense is HARD.
  2. We are all risk managers and advisors. This does not mean we WIN or LOSE. We assess and advise, and then we live with the damn decision whether we like it or not. That’s how business has worked, and traditionally those organizations that were more willing to take risks and stick their necks out were rewarded (or crushed). You can’t expect business people to change that mentality overnight. And we’re starting to figure this out.
  3. A healthy offense can inform defense, and more and more organizations are figuring this out. And we’re actually getting better at it. Sadly, all the kids want to be superhax0rz, seems like defense is BORING. Maybe, but the truth of the matter is that most people aren’t cut out to be good superhax0rz, and without defense there would BE no offense. Let me say that another way. The only reason we do pen tests is to find holes and fix them. In other words, defense. So we’ve got a Yin and Yang deal going on here, and this is also becoming a healthy realization in more organizations than ever.
  4. We’re becoming less tolerant of bullshit bureaucrats who spout “policy” and “governance” with no credible skills to back this up. Thank God. If you’re the boss (CSO/CISO, etc) and have no real technical skill, then block and tackle for your folks, then get the hell out of the way and let them make you look good. Still more “infosec politicians” than I’d like to see, but at least we’re learning to work around this issue.
  5. We’ve realized the government is not going to help/save us. This may seem obvious to longer-term practitioners, but we’re basically on our own, and we’re just getting on with it.
  6. We’ve got some hella smart new blood coming into this field. If we could stop being crusty, snarky ASSHOLES long enough to embrace them, we’d see the industry advance even faster. 🙂

This post somewhat parallels my previous post titled “Doom, Gloom, and Infosec”, where I also outline some solid benefits of working in infosec (good money, smart people, etc.). This post is more about the overall advancement and maturity of the industry as a whole, and I’m glad to see it. Despite the sensationalized failures, we’re headed in the right direction, I’m sure of it.


Categories: Information Security, Musings