The infosec industry is a fraud

6 replies
metlstorm
Newbie
Joined: 03/18/2009

The infosec industry is a trinity; the boxpushers (vendors), the chumps (the users), and the doomsayers (pentesters).

Boxpushers sell kit to the chumps, who've been led to think they need it. The doomsayers occasionally pity the chumps, but are generally stuck in io-wait, writing off the boxes being pushed as useless, impractically complex, and, that highest criticism of all, boring.

Us doomsayers take the chump's money, then tell them in excruciating and savage detail how much they and the boxes they got pushed suck.

And they invariably do.

Patrick Gray
Veteran Member
BloggerNetcasterSite Owner
Joined: 03/02/2009
Thanks again so much for

Thanks again so much for writing this metl... It's a dim view of the industry but in many regards it's spot on. I can't wait for your next piece!

Anonymous
Newbie
Joined: 03/18/2009
The infosec industry is not a fraud

The infosec industry isn't a fraud.

The old adage that you can always hack a box, or the converse that you can never completely secure one, has always been just simple scaremongering. The truth is far more layered.

Personally speaking, I probably could hack into any given system you give me; given enough time, hookers, and blow. That's because I am prodigiously talented. But due to the fact that I am prodigiously talented I am hired by an information security company, and probably will be for the rest of my life.

That alone has made the world a safer place, because to be honest I could perform some quite badass skullduggery and generally I would be inclined to do so. Except now the fat pay check that rolls in each month gives me every incentive to perform these acts of depravity within the confines of a legal contract, in a model whereby the victims of my antics get a detailed report of everything that I did. Surely that's preferable to them, and also to the people that I otherwise would be hacking during that time.

Let me lay down a cold hard fact, which I culpably dub Anonymous' Privateer rule. Every privateer hired by England equaled at least one less pirate on the stormy seas, plus any residual effect of the privateer actually doing its job. Everyone knew privateers were dodgy, but ah well... at least they weren't robbing anyone. Get it?

Theoretically speaking there can always be some innovation that renders what would otherwise be a secure machine into a laughable antiquity, but that doesn't mean I can't secure a system to the point where it can't be hacked by any of the finitely many known and published attacks today. And then when it gets hacked by zeroday, I'll make sure the second and third layers are similarly current. At that point the attacker begins to require an exponential amount of zeroday to cover all the unknowns they could encounter.

The truth is that zeroday doesn't scale; it's very rare for an attacker to have more than one or two weaponized zeroday exploits at any given time. Attackers who use zeroday rely on getting on to the internal network and then abusing the soft squishy inside bits. I'm all for abusing soft squishy inside bits... but that's not to say that I couldn't harden an internal network to my heart's content to the point where you, as an attacker with a perimeter-busting zeroday, will get effectively nowhere.

Cancel 1994.

The truth is that despite the infosec industry's many flaws, it isn't a fraud. Sure, there are a bunch of charlatans out there peddling their useless wares, but really they're just piggybacking on those who have built this industry on what is at its core perfectly viable and legitimate advice.

The point is that I can build some ridiculously secure infrastructure, it's just that nobody will pay me to do this (as a result of my desire for hookers and blow my ideas are expensive to buy). Does it then make us a fraud to sell what people actually will buy, even if it's only a subset of what they really need? It's not my fault then that the "chumps" might not actually do anything I tell them to. I'm doing my job as advertised. No dramas. Pay me some money thanks.

See that? No fraud involved. I think the author's point was that there really is no reason for most corporations to spend any money on infosec at all. I think my deeply insightful and piercingly accurate Privateer rule directly contradicts this. They are significantly less likely to get owned as a result of keeping a large chunk of talented hackers occupied. And if they listen now and then, they might even get some benefit from what we tell them too.

grrr
Newbie
Joined: 03/19/2009
Lookin closer at the chumps

How can this be? Mebbe the infosec industry is suffering the same predicament that led to its forming? Companies don't inherently understand information security to a level that protects them from the masses, so they react as any simple beast would - erratically. It appears that a lot of infosec guys and gals don't (or don't want to) get it either.

If we look at the category Metl identified as users/chumps we see that there are identifiable sheep that make up the flock. There are the employees that consider security to mean multiple post-it notes with passwords on them. There are those that control the money that pays for everything - their post-it notes are on their PAs' monitors. Finally there is someone who carries a title something like Security Manager.

Security Manager might be competent or he/she might not; it really doesn't matter. In most organizations there are plenty of politicians between that role and the role ultimately accountable for the organization's security - the CEO. Security Manager could try and highlight the risk in an organization for mitigation or acceptance blah blah blah.... Security Manager's Manager isn't going to like all this talk of buffer overflows and blackhats logging onto redhats?!?!?! It doesn't make anyone look good. We need to demonstrate value and be solution oriented, and at some stage someone is going to say defense in depth because it was on the vendor pamphlet. Let's do some pentesting.

Pentesting is great. Normally done by an outside firm, pentesting can be used to scare the crap out of the money holders, and if it isn't taken well the third party can be blamed. Given enough scope, pentesting will always turn up a vuln. After all, a company's security is relative - not absolute. To address what leads to these holes so often requires horrible things like user education and building security into (often slowing down) the release cycle. The political Security Manager should now roll in the vendors with their smoke and mirrors to solve the problem. This new securiton costs a squillion dollars and is Gartner quadrant blah, so it must add value. Is this how the pentester intended his/her report to be used?

Infosec isn't that marketable in most organizations. Vendor boxes and third-party reports without context are a far easier sell. Security Managers primarily want to retain their role, and so most will go for the easy sell rather than the brutal honesty. Those that are politically competent will do well; those that aren't will end up growing parsley for a living.

Your typical security risk in an organization has high impact and low likelihood, and is consequently realized after years, when half the staff have changed. Until managers are accountable for what they do and not what they inherit, it is more attractive to play the political game and avoid the honest truth. Companies will continue to remain in the dark and, surprise, surprise, act erratically.

danphilpott
Newbie
Joined: 03/19/2009
A theory in which everything is explained

Given the business argument you put forward why aren't all businesses now in the hands of hackers who are pocketing all that money?

At zero cost, the investment for hackers isn't standing in the way. There are plenty of ways to monetize a given hack. InfoSec is a fraud, so it's not like they are getting caught or being given any real problem in exploiting the companies at will. If your theory is correct, we should be knee-deep in hacker criminals sucking down blow, prostitutes and champagne like cocaine kingpins.

But if your theory is in some way flawed then we would have ... pretty much what we have right now.

vex
Newbie
Joined: 03/19/2009
Fuckin' A.

Fuckin' A.

armorguy
Newbie
Joined: 03/23/2009
A Gilbert and Sullivan-esque rant..

..a lot of emoting signifying not much at all...

It would be easy and appropriate to replace "infosec" with "physical security" as well.

I mean, does any company spend more than a fraction of a percent on locks, guards, and alarms? Couldn't almost any serious attendee of a half-decent security conference - given time, tools, and motivation - break into almost any business facility? Does this make the local alarm company doomsayers?

Please.

But, in the spirit that I hope the essay was written, let's run this out to its logical conclusion.

If infosec people do such a crappy job then it obviously follows that our advice, work, and guidance is crappy. No sane business person should spend money on crappy advice, work, and guidance. It then follows that businesses should throw us out on our bums and rip out all the crappy boxes we've sold them over the years.

Yeah, that'd work just dandy for them.

So, really, what do we do?

We stop the hysterical hand-wringing. Now.

Can infosec people win 100% of the time? Hell, no.

If the bad guys own you some small percentage of the time, are you a total failure? Depends on how quickly you figure it out and fix your pwned stuff - but probably not.

Are there infosec "professionals" out there who need to be run out of town on a rail for their work? Hell, yeah.

Just don't paint *me* with their colors.

-Martin Fisher
@armorguy on Twitter
