Tuesday, June 1, 2010

Time for a new mantra.

[NOTE: On re-reading this post before publishing, I realize it sounds pretty bitter in places.  It should.  But I do want to make clear that I respect the vast majority of people who do the hard work, even when I disagree with some of what they say, or the way they say it.]
We need a new mantra in information security.  We've heard various forms of "think like an attacker" forever.  And it is absolutely true.  But seriously, enough.  Make the point to the new, the uninitiated, those outside our craft, but otherwise, stop it.  The choir knows the tune, and the chorus, and the lyrics, and can do it in rounds while drunk.
Here's my proposal:
Run a [Optional: expletive of your choice] enterprise.
Or maybe just
Run a [Optional: expletive of your choice] network.
It doesn't need to be a big environment, but your MacBook, your roommate's XP laptop, and a NAS server do not count.  You need to run a network, remediate problems, scramble and patch, screw up, get yelled at when things go down, and occasionally score victories.  You need to see things work, and see things fail.  If you are both good and lucky, you may get to see The Next Big Exploit in the wild, and watch it pass you by unscathed.
I am not saying to stop thinking like an attacker, but I am suggesting that if we accept that defenders should understand the attacker, then those who do attack research should experience the world from the other side.  A classic case of this is the "technology X is fundamentally broken" statements we hear year after year, con after con.  Many people don't understand why they are ignored by management and admins when they make these absolutely true statements.  I'll tell you why: because no matter what we're told about the failures of anti-virus, web filtering, IPS, or whatever, we've seen these technologies work.  Perfect, no.  Fewer helpdesk calls, yes.  That is success.  Limited success, sure.
I just want people to tell the truth, and offer solutions, even imperfect ones.  "Technology X does not work as well as you need it to, but you can minimize the pain by doing Y" will have people at your feet begging for more.
I am not even asking for researchers to "pity the poor admin", but should a little empathy develop, I'm good with that.
By the way, some of the criminals do get this.  When the new MSRT ships and your botnet starts evaporating, you learn a lesson.  Bonus points for retiring "Criminals don't play by the rules"; that is the epitome of an NSR statement.  (NSR == No [stuff], Really?)
A little perspective goes a long way, which is a very good thing, because many in our business seem to have very little perspective.