Jun 08 2011

Fundamental flaw in thinking: We’re responsible

Published by at 3:45 pm under General, Simple Security

Over the last few months I’ve come to the conclusion that we’re doing security wrong.  Not the day to day details, though we’ve gotten a lot of that wrong as well.  I mean we’ve gotten the big picture issues wrong; we’ve made a number of false assumptions about how we should be protecting our enterprises.  We’re building the very concepts we rely upon to develop products, services and systems on shaky ground.  If you don’t agree, just look around at the ease with which hackers are tearing through the defenses of even the largest merchants (Sony) and you have to admit that something isn’t working like it should be.  You can blame businesses for not giving us the resources we need, you can blame a shortage of decent security professionals or you can do some self-examination and realize that maybe security best practices and compliance efforts just aren’t working.

When I say we’re doing it wrong, I’m thinking at a more basic level than some of the common fallacies we run into every day.  We all know that ‘firewalls are a security device’ is wrong; they’re just a complex traffic management device and don’t do much more than filter traffic on the grossest level in most cases.  And that’s assuming they’ve been set up correctly, which too many aren’t.  When was the last time you saw good egress rules?  Or the fact that a number of studies have shown that antivirus commonly doesn’t catch more than 70% of all viruses and the number is falling.  These are both assumptions that executives and non-security professionals make, but most of us in the community know that firewalls and AV are just things we put in because the business has come to think of them as the expected minimums. 

But the flaws I’m looking for go deeper than the fallacies of firewall and antivirus effectiveness.  I’m not looking for the nuts and bolts assumptions that we make to work on a day in and day out basis.  I’m trying to examine the deeper assumptions, the ones that we’ve built our entire philosophy of security upon.  In a different context we might call this our morality or religion, which might not be a horrible comparison.  I’m looking to see what are some of the most basic truths we’ve decided for ourselves and what are the errors we’ve made because we’ve built these up from lessons taught to us by others.  Were these assumptions once valid, did they once have a grain of truth or were they merely the most basic and easy rules to put in place because they hadn’t been tested before?  And just as with religious or moral beliefs, too few of us ever take them out of the back of our mind to re-examine the assumptions and see if they still hold up as well to our adulthood as they did to our childhood.  The security assumptions that might have served you well when you were an IDS or firewall administrator may not translate well to a later point in your career, and in fact may cause damage to your reputation.

It’s never easy to change the core of your belief system.  I only know a few people who consciously make a habit of doing it on an annual basis and even fewer who live their lives in a constant state of re-examination.  It’s a powerful tool to be able to look at your worldview, understand that you’ve made some mistakes and adjust to the new realities of how that affects the way you interact with the world.  But it’s painful sometimes, and the change can be difficult.

So enough of the philosophical BS, what are the fundamental flaws in security reasoning that I’ve identified?  I’ll be honest, there’s only one I’ve identified and mulled over to the point that I’m ready to share.  We, security professionals, have taken it upon ourselves to be responsible for all risk in the corporate environment.  We started by placing the firewalls around the outside of the network and as more and more complexity was added into the IT infrastructure, we took on more and more of the risk into our philosophy, without really stopping to consider if we are the ones who are responsible for the vulnerabilities and misconfigurations that spawn much of the risk in our environments.  We’ve only rarely been given, or fought for, the authority to make changes in the products and systems that introduce risk; we are all too often nothing more than a speed bump in the corporate culture and a scapegoat for compromises when they happen.  “Why didn’t you protect us?  It’s your fault this happened!”  But if we had little or no ability to change the underlying systems that led to the compromise, why are we considered responsible?  Responsibility without the authority to effect change is the surest route to being a scapegoat in the best of situations.

So why have we accepted this risk responsibility without having any authority?  Because that’s how most of us have been taught to do security.  It’s not only our duty to identify risks and explain them to the business, it’s our duty as security professionals to shoulder that risk and do what needs to be done.  Despite the fact that we can’t change the underlying problems that introduce the risk.  Despite the fact that all too often we don’t have the manpower to deal with the problems we already have.  Despite the fact that we’re not given the budget we need to reduce the risks that existed in the enterprise before some new project introduced even more risk into our overstressed environment.

So if we’re not responsible for the risk in the enterprise, who is?  In a perfect world, the people who introduce the risks should also be the ones responsible for it.  Is the marketing department requiring a new feature on the company web site that also opens up the corporation to a partner?  Then they should be the ones whose finances bear the burden of paying for the additional monitoring costs.  The development department is doing the programming for the corporate web site, so why is the security department being held responsible when a SQL injection attack not only takes down the site but also discloses a million customer records?  If a proper SDLC had been implemented, if tools for testing the software had been in place, if internal training had taken place, the SQL injection should never have happened.  Yes, we can be responsible for adding a layer of protection beyond that, but it’s the development team that should be taking the responsibility, since they’re the team that actually had the authority to make changes and prevent the risk from being placed in the environment in the first place.  We need to stop being the sin eaters of the corporate world, absolving all other departments of their responsibility for the risk to the corporation they introduce on a daily basis.  We need to push back and put the onus of dealing with risks and vulnerability on the shoulders of the people who are closest to the problem.

The fundamental flaw in security thinking is that we can effectively combat the risk for the entire company.  We can’t.  We have to advise and point out where new or existing risks are, but it’s impossible for the security team within an organization to deal with every single potential vulnerability and we shouldn’t even be trying.  We need to make a change to the way we think about security and start pushing that responsibility back on the people who can actually effect change.  It’s amazing how many requirements turn into ‘nice to have’ or ‘we don’t really need that’ when the department asking has to shoulder the responsibility.

There’s no quick fix, I think this is something that needs to be a ‘generational’ change in security.  One of the first things that was brought up when I floated this idea amongst my peers is that we can’t just barge into the corporation and force a new way of thinking on corporations.  And that’s true, we will never be able to make an overnight change to the way other business units perceive us and we can’t be militant in pushing other parts of the organization to take responsibility for their actions.  It will be an unpopular path to take, since no one wants to take back responsibility once it’s been offloaded.  But it’s imperative we start down this path, because this isn’t a problem that’s going to go away, and as more and more compromises happen, we’re only going to be blamed more for issues we had no authority to change.  We have to change the way we approach risk in the enterprise and slowly educate our businesses about where the responsibility for risk really sits.

There are a number of people who I think are already aware of this fundamental flaw in security thinking.  Andy Ellis over at Akamai, Rafal Los at HP and a number of senior security professionals understand that we can’t take the responsibility for all risk and are pushing it back to the proper departments.  This isn’t to say they’re blocking progress, but that they’re telling the departments, “If this is what you need, we will show you the risks involved.  But you will sign off on those risks and accept that if something goes wrong, it’s not the security department who will take the blame.”  Rafal gave a great talk on this recently at BSides Detroit, and my conversations with him subsequently were a large part of the impetus for this post.

Start by changing your own way of thinking about acceptance of risk.  Push back gently at first, but push back.  Even if you’re unable to get a written statement saying that others take responsibility for the risk they’re creating, bring it up in meetings and stop just accepting it for them.  Talk to your legal department, make sure the corporate counsel knows when there’s a risk you think will put the company in danger.  Start cultivating relationships higher in the organization and changing the way other people think about security.  Because as long as we continue to take responsibility for all risk in the corporation, we will be the scapegoats for any compromise and will be unable to be effective.  Not only will we continue to suffer, but the business will continue to be compromised with frightening regularity.

—————-
This marks blog post 2000.  It’s taken 7.5 years.  But it’s been worth it.



18 Responses to “Fundamental flaw in thinking: We’re responsible”

  1. Ben Tomhave on 09 Jun 2011 at 3:03 am

    Welcome to the club!

  2. Ray Z on 09 Jun 2011 at 7:58 am

    I think my monitor glowed and I heard “AHHHHHHHHHs” as I was reading this. Very well stated and a big AMEN to this posting.

    Glad it was your 2000, but it would have been just as awesome at 1337 or any other number, this is right on the mark and I couldn’t disagree.

    I count how many times I have heard the “It’s your fault” and in the back of every security person’s mind, they are recalling every meeting, every email, every phone call where they stated XYZ was a bad idea and eventually it would lead to ABC, and guess what… It usually does!

    /applause

  3. Osama Salah on 09 Jun 2011 at 10:01 am

    What am I missing here? Sounds to me like risk management, involving the business in the risk treatment phase and having them sign off on the residual risk.
    I must be missing something.

  4. Martin on 09 Jun 2011 at 10:13 am

    Osama Salah,

    You may not be. You may be one of the lucky organizations that hasn’t made this set of assumptions. You may work in a business where the folks who are responsible for the risk are also the people who take responsibility. But those companies are few and far between. If your business isn’t placing the bulk of that responsibility on security, you’re one of the lucky few.

    Martin

  5. […] Coincidentally, Martin covered this very idea in a recent post: Fundamental flaw in thinking: We’re responsible. […]

  6. Augusto Barros on 09 Jun 2011 at 11:39 am

    Martin,

    I was about to say you are totally right, but I think we need to be a little more careful on this assessment.

    Yes, Security is often a sin eater, but I don’t think we don’t try to push the responsibility to those who really _own_ the risk. This is part of every manual, book or standard on Information Security and Risk Management. Most security officers I know are singing in the same key as you. But (and there’s always a “but”)…

    …we also need to accept the fact that the Business is there to take risks and they’ll always do that. Organizations in general work as a sports team, where everyone has a role and the intention is to get the whole behaving better as it benefits from the best characteristics of its parts.

    Team sports usually have players with roles as offense and defense, and I think our world is exactly like that. We are the defense and we need to accept that. We’ll be the ones ultimately responsible to avoid getting scored. We need to excel at that. Trying to put too much defense responsibility on the offense players is as bad as having defense players trying to score all the time.

    The best teams in history are often those that were also balanced in terms of offense and defense. You need to be good at both in order to succeed, and each part needs to be aware that it has to help the other when necessary. The “surprise element” from defense players who also know how to score, the offense players who help on closing empty spaces when they don’t have the ball (puck?), those are usually aspects that will move a team from Good to Winning (TM Charlie Sheen).

    We certainly cannot perform miracles and avoid breaches while everybody is just doing whatever they want without any concern about security. But being able to “perform security” while letting the others do what they do best is what will differentiate between good security and mediocre security. It’s not just pushing back. It doesn’t work that way and it never will. We have to get better on making security transparent, and we can achieve that working strategically.

  7. Martin on 09 Jun 2011 at 12:15 pm

    Augusto,

    Thanks for pushing back. I don’t mean the post to apply to every single security professional out there, a certain amount of the senior security officers know that we shouldn’t be held responsible. But most business units outside security believe it’s security’s role to accept all responsibility (and blame). It’s not the senior security professionals who need to change their way of thinking, it’s the rank and file and the people who’ve made the assumptions about how security operates!

    To continue your sports analogy, if a receiver misses a pass in a game, we look at the footage with a very critical eye to make sure we knew whose fault it was. But if we have a corporate breach, fault is often assigned to the security team and we need to fight to get anyone else to accept fault. Because we let others assign it to us, because we accept that assignment of responsibility.

    There are whole books written on this subject, I’m not claiming that I’m the only one thinking on it. But we have to realize it’s a core problem with how we do security and start changing our preconceptions. Otherwise we’ll continue to do the same thing over and over again.

    Martin

  8. Michelle Dy on 10 Jun 2011 at 12:00 am

    Actually, sometimes the security personnel are too guilty, so that even when people don’t notice their mistakes they still bring it out, thus making the problem bigger.

  9. Spying Security on 10 Jun 2011 at 9:30 am

    Responsibility without the authority to effect change is the surest route to being a scapegoat in the best of situations.

    Very well said and I agree. True security lies within us in our ability to change our thinking for freedom, balance and harmony.

  10. Khürt L. Williams on 13 Jun 2011 at 8:09 am

    @Martin, I believe and understand what you are saying. And I think you are correct we have only ourselves to blame for accepting the status quo.

    @Augusto, how would you feel about playing defence on a team where the coach has literally tied your hands and feet and still expects you to block every attack? All of them! All the time!

    Recent article about Accountability & Responsibility: http://www.elg.net/accountability-authority-drive-employees-crazy/

  11. Michael on 14 Jun 2011 at 5:37 pm

    This is a problem of general perception of an industry that has perhaps been a little bit blasé about managing that perception.
    Calling it Security is probably the first cause of this issue, because you can not promise that the result of your efforts is a secure environment. This idea of being secure due to some boffin in a back room leads to a careless attitude. Websites that have multiple logos proclaiming security create a sense of a secure environment.

    The user’s approach to using these secure services is that of a person walking the streets with a team of body guards, when in actual fact what they have is a promise to send an ambulance if something happens.

    If users demanded to know what level of protection they were offered, and questioned the need for sites to obtain full sets of information. This is to say took some responsibility for their own risk, the people charged with looking after them would be able to focus on the criminals.

    I guess what I am trying to say is that it is time to be honest about things. Security is measured in time, it is not an absolute. If businesses employed IT Protection Officers the role might be clearer to all.

  12. jeff guindon on 17 Jun 2011 at 10:42 am

    Most outside of the security world never think twice about having their network compromised. Even comprehensive security training doesn’t inhibit the average person from clicking freely on anything and everything that comes their way. I know first hand – I am a reformed free clicking twit.

  13. Alex on 20 Jun 2011 at 6:08 pm

    Dear Martin,

    What’s this “we” crap?

    Best Regards,

    Alex

  14. Martin on 21 Jun 2011 at 2:50 am

    Dear Alex,

    You might be an exception to the rule. I know you are to many others.

    Regards,

    Martin

  15. kundan on 24 Jun 2011 at 8:03 am

    Often we don’t see the basic things in security, so if anyone wants to see basic switch security then please refer to the site

  16. Pete Dumas on 07 Jul 2011 at 11:44 am

    I agree with your “examine the foundation” viewpoint, but I think it could be taken a bit further. As long as we continue using this commonly accepted architecture in OS design, security will continue to be an issue.

    Is it really that difficult to design a machine that humans can use to work collaboratively that doesn’t use this plugin type of architecture? We have been using telecommunications since the turn of the 20th century. We were never worried that someone would break into our house through our TVs or telephones because that was absurd. Now, there is a great risk of just that very thing happening through the use of computers.

    Is it really such a hard concept to take in to imagine a dedicated and static device that would also still give us the functionality we currently enjoy with the modern small computer system? With the exception of a coordinated New World Order initiative (no this is not a conspiracy theory), why do engineers include so many added and useless services that only they would have the need or technical expertise to ever use? I am the engineer of an Autonomous System and I have a very competent background in technology, but I have no need for half the assembly libraries currently sitting in a Microsoft OS. How often has an enterprise or even an SMB admin or engineer said “thank god remote registry was available, if it weren’t for that I would have totally been screwed.”

    The New World Order initiative IS a conspiracy theory, but it’s the people who “actually” believe in it that frighten me…think about who might believe in that and then ask yourself the same question about why we just can’t KISS.

  17. Pete Dumas on 07 Jul 2011 at 11:47 am

    KISS = Keep It Simple Stupid

  18. Alex Scoble on 11 Jul 2011 at 10:00 am

    Excellent post, Martin. Thanks for writing it.
