We need a new mantra in information security. We've heard various forms of "think like an attacker" forever. And it is absolutely true. But seriously, enough. Make the point to the new, the uninitiated, those outside our craft, but otherwise, stop it. The choir knows the tune, and the chorus, and the lyrics, and can do it in rounds while drunk.
Here's my proposal:
Run a [Optional: expletive of your choice] enterprise.
Or maybe just
Run a [Optional: expletive of your choice] network.
It doesn't need to be a big environment, but your MacBook, roommate's XP laptop, and a NAS server does not count. You need to run a network, remediate problems, scramble and patch, screw up, get yelled at when things go down, and occasionally score victories. You need to see things work, and see things fail. If you are both good and lucky, you may get to see The Next Big Exploit in the wild, and watch it pass you by unscathed.
I am not saying to stop thinking like an attacker, but I am suggesting that if we accept that defenders should understand the attacker, those who do attack research should experience the world from the other side. A classic case of this is the "technology X is fundamentally broken" statements we hear year after year, con after con. Many people don't understand why they are ignored by management and admins when they make these absolutely true statements. I'll tell you why: no matter what we're told about the failures of anti-virus, web filtering, IPS, or whatever, we've seen these technologies work. Perfect, no. Fewer helpdesk calls, yes. That is success. Limited success, sure.
I just want people to tell the truth, and offer solutions, even imperfect ones. "Technology X does not work as well as you need it to, but you can minimize the pain by doing Y" will have people at your feet begging for more.
I am not even asking for researchers to "pity the poor admin", but should a little empathy develop, I'm good with that.
By the way, some of the criminals do get this. When the new MSRT ships and your botnet starts evaporating, you learn a lesson. Bonus points for retiring "Criminals don't play by the rules", that is the epitome of an NSR statement. (NSR == No [stuff], Really?)
A little perspective goes a long way, which is a very good thing, because many in our business seem to have very little perspective.
Jack
6 comments:
Great Post Jack. Refreshing!
I can't argue with the utility of getting pure-vulnerability-finders some enterprise experience; it changed the way I look at the technology to see how it's used and which bits are trusted. You're right.
I'm not sure you're absolutely and unconditionally right, though. Some tech is so broken it's not worth having in the enterprise at all.
Homeopathy reduces doctor visits. Is it making people get less sick? Meeting public health policy goals about controlling epidemics?
Anti-virus software reduces helpdesk calls, because it alerts on part of some malware and cleans part of that malware. Is it helping preserve secrecy and integrity goals?
Kerberos/AD isn't that level of broken; Windows+Anti-virus software may be.
Bull's eye...
On the lighter side: Empathy has always been the mantra of IT help-desk, I cannot remember an induction w/o emphasizing the importance of this to the new IT team members... maybe now we should do the same with all the employees.
Good points Brian. Could we frame the issue as "is X worth what we spend on it?" instead of "is dead"? That accepts that there may be some value, but questions if the product or technology returns *enough* value to justify it.
Thanks Ramki, I agree on empathy, it was one of the most valuable traits I tried to bring to supporting others.
(Empathy is a *great* term for this!)
Really, this is why I put a lot of emphasis on "security geeks" who have done their time in the trenches of IT.
A couple great examples: Windows and PGP. It's great when a researcher suggests a company ditch Windows as being insecure. Or proffers the solution of PGP key-encrypted email for enterprise-level email encryption. You really think those ideas will gain traction in most orgs?
...end result being less people ask "security" questions because of the painful answers.
I think that should be an early discussion between an organization and their security consultant/advisor/employee(s): Draw the lines between idealistic and probably painful suggestions versus those suggestions that are far more palatable and, god forbid, possibly achievable!
Really, it's about seeing as many options as possible and instead of reciting a litany of "do this, do that, do this" checklist items, to actually add some value based on the business capabilities.
Lots of people talk about "align to business" which I think is just a ham-fisted kneejerk reaction to this very problem! You don't need to "align to business" so much as just have empathy to the business and technical sides of these problems.
--LonerVamp
Think like an attacker AND act like a defender.
Too many people only do half of what is necessary on one side or the other. We need to do both.
--Orac