
Infosec Mysteries, vol. 1

August 10th, 2010

For those of us who have been in the infosec field for a while, we see a never-ending stream of weird behaviors and situations over the years that just don’t make any sense. Despite our best efforts to be optimistic, understanding, and “business-oriented”, there are a number of “infosec mysteries” that boggle the mind and assault the senses. Forthwith, I give you…Infosec Mysteries Volume 1.

1. Why are users still clicking on random attachments? Especially when the email is from someone they do not know, have never heard of, or purports to be one of their long-lost friends on Facebook?! This is undoubtedly one of the world’s greatest mysteries – how do we cure stupid? Many cars of convicted drunk drivers are equipped with alcohol sensors that check the driver’s blood alcohol level before the car will start. Can we implement something similar for chronic offenders who hack, slash, and click their way to digital Armageddon? Is there a class of people out there that just cannot be trusted to use computers responsibly? For me this is similar to smoking in public – your exhaled smoke can have a negative effect on my health. Well, when these folks’ systems join the ranks of a bot army, it affects us as well.

2. Of all the intrusion detection systems I encounter in organizations, I estimate that 65% are used very little; I’d even go so far as to call them “shelfware”. In addition, most of the staff I encounter using IDS today are not properly customizing rule sets, or even venturing to create their own rules, and instead trust the default rule sets and the updates later provided by the vendor. So here’s the mystery – why the $%&! would you spend 5-6 figures (or more) on equipment that can act as a cornerstone of your network monitoring capabilities and a) not get trained properly on how to use the stuff to its potential, and b) just ignore it after a period of time? I’ve seen this same phenomenon occur with other gear, but never so often as with IDS.

3. So you’ve made an “investment” in antivirus. Who gives a shit? The stuff is CRAP, and it is BROKEN. The mystery – why are you not clamoring for, nay, DEMANDING, a whitelist solution? NOW!!?? With the proliferation of malware today, you are dealing with a new variant added to a “blacklist” every few seconds. Sounds really sustainable. Yep.

4. Here’s another doozie – the gradual desensitization of the public. In fact, this could be the greatest mystery on this list – how can TJ Maxx lose millions of credit card numbers, go through a scandalous public debacle, and actually see its share price go UP? The media has helped desensitize the public, unfortunately – “ho hum, another big data breach”. And we as security professionals have now come to realize that outrage is ephemeral. Ouch.
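To make point 3 concrete, here is an added example that is not part of the original post. It simulates, on constructed byte strings standing in for executables, why a hash blacklist has to grow with every new malware variant while an allowlist of approved binaries does not: each variant differs from the original by a single trailing byte, so it hashes differently and slips past the blacklist, but it is still rejected by the allowlist because it was never approved. The same check also shows the allowlist’s operational cost, which the comments below touch on: a legitimate but not-yet-approved program is blocked too. All file names, contents and list membership here are constructed assumptions.

```python
import hashlib


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; both lists below key on this."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files". Real binaries are replaced by short byte strings
# so the example runs offline; only the hashes matter for the comparison.
APPROVED_APPS = {
    "notepad.exe": b"MZ-constructed-notepad-v1",
    "excel.exe": b"MZ-constructed-excel-v1",
}
KNOWN_MALWARE = [b"MZ-constructed-trojan-v1"]  # the one sample the vendor has seen
NOT_YET_APPROVED = b"MZ-constructed-new-business-tool-v1"  # legitimate, but unlisted

# A blacklist enumerates known-bad hashes; an allowlist enumerates known-good ones.
BLACKLIST = {sha256(sample) for sample in KNOWN_MALWARE}
ALLOWLIST = {sha256(app) for app in APPROVED_APPS.values()}


def blacklist_permits(file_bytes: bytes) -> bool:
    """Antivirus-style decision: run anything that is not a known-bad hash."""
    return sha256(file_bytes) not in BLACKLIST


def allowlist_permits(file_bytes: bytes) -> bool:
    """Whitelist-style decision: run only hashes that were explicitly approved."""
    return sha256(file_bytes) in ALLOWLIST


def simulate_variants(base: bytes, count: int) -> list[bytes]:
    """Model the 'new variant every few seconds' problem.

    Each variant appends one distinct byte to the base sample, which is enough
    to change its SHA-256 even though the behaviour would be identical.
    """
    return [base + bytes([i]) for i in range(count)]


def evaluate(samples: list[bytes]) -> dict[str, int]:
    """Count how many samples each policy would let run."""
    return {
        "blacklist_permitted": sum(blacklist_permits(s) for s in samples),
        "allowlist_permitted": sum(allowlist_permits(s) for s in samples),
    }


if __name__ == "__main__":
    variants = simulate_variants(KNOWN_MALWARE[0], 5)
    print("original sample:", evaluate(KNOWN_MALWARE))
    print("5 unseen variants:", evaluate(variants))
    print("approved apps:", evaluate(list(APPROVED_APPS.values())))
    print("legitimate but unlisted app:", evaluate([NOT_YET_APPROVED]))
```

Run as-is: the original sample is blocked by both policies, all five variants pass the blacklist and none pass the allowlist, the approved apps pass both, and the unlisted legitimate app passes the blacklist but is blocked by the allowlist. That last line is the trade-off an allowlist rollout has to budget for: someone must approve new software before it runs.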

  1. August 10th, 2010 at 22:50 | #1

    I couldn’t agree with your list more, but you might also want to add that until we as information security practitioners come up with a security stack to replace the OSI & TCP/IP stack we’re supposed to be securing, we are selling our customers a false promise of security. Right now all we are doing is triple-locking the front door, which may or may not be the kind of door you would find at the entrance to a bank vault, while the slat at the back of the attic can easily be breached. We are paying lip service to the concept of defence-in-depth, and yet the answers to our security problems can be found by doing some research on medieval history.

  2. August 11th, 2010 at 08:53 | #2

    Excellent “rant.” Some funny, or sad, historical observations I have witnessed in order of your questions:
    1. People click because it’s there. We are trying to ascribe rational thought to an irrational action, it can’t be done. The other answer is because nothing impacts the person that clicked, only the IT people feel the pain in most places. I once heard of an organization that used a trouble ticketing system that automatically scheduled you for remedial training based on the type of tickets you created in the system. This is a great way to stop the “clickers.”
    2. IDS is purchased without a SIEM implementation so people just give up trying to read the alerts and hand pick one or two to respond to if they happen. They purchase the thing for the illusion of security and so the CIO can say it’s there. Unfortunately that’s enough to satisfy any current audit or certification procedure because no one audits effectiveness of an implementation only its existence.
    3. Whitelisting should be used in so many areas. I think people are just afraid to tell their employees no for email, web surfing, etc. Yay for antivirus though.
    4. What I have heard people start saying when they see these public data breaches is as follows: “Well, there are so many people out there, maybe they won’t get my data.” I have also heard companies taking this same approach, which I have dubbed the “anchovy” response. When anchovies are attacked they swarm into a ball and just hope they aren’t the ones that get picked off. Awesome tactic for InfoSec, right?
