Network Security Blog

It was a good week.  I took off Monday for Miami and the Hacker Halted conference where I caught up with a number of friends and enjoyed some good talks.  George Kurtz from McAffee was very educational, first because of his subject matter, “Have we lost the war on Security”, but also because he’s a very polished and experienced presenter.  I haven’t done a ton of presenting and I appreciate any chance I can get to see someone who’s at the top of his game at it.  It also helped create minor twitter storm, which I also enjoy.  On day 2, I got to present with my friend, Mike Dahn, which went off extremely well if I do say so myself.  Mike and I don’t practice our presentation, but we’ve got a good back and forth between us that keeps the energy high.  And to top everything off, I got to have dinner at my favorite Cuban restaurant in Miami.  Which is not saying as much as you might think, since I’ve only eaten at a couple Cuban places in Miami.

Open tabs 10/30/11

• Facebook is looking for a Security Outreach Program Manager – Not for me, but maybe someone who actually uses Facebook might be interested.
• U.S. firm acknowledges Syria uses its gear to block web – Now they’re admitting it at least.  I have it on good authority that their software licensing is so poorly implemented Blue Coat really doesn’t have any idea where their systems end up.  Good excuse.
• Dolphin HD browser snared in security breach – “We fixed it in the latest patch.  What?  That patch didn’t fix it?  The next one will, we promise!”
• DSD wins US Cybersecurity Innovation award – They had me up until they said “Whitelisting”.  That’s a great idea that almost never works when it comes to the real world implementation.  Seriously, in nearly 15 years in the industry, I’ve never run into a fully implemented whitelisting program, or even a well run partial implementation. 
• Online hackers threaten to expose cartel’s secrets – A member of Anonymous was kidnapped, so Anon replied by stating “Release him or we’ll release everything there is to know about you.”  Finally, a good use of the power of Anonymous.
• Top foreclosure firm threw homeless themed Halloween bash – Not security related, but this is the most tasteless, reprehensible and disgusting example of a firm that puts greed first and to hell with anyone not able to defend themselves.   If these guys weren’t already undergoing several investigations, this would hopefully open a few.
• Skype goes after reverse-engineering – I’m not certain this is an appropriate use of the DMCA, but I guess that’s part of why I’m not a lawyer.
• My own wikipedia article – Thanks to the guy who started this Wikipedia page on me, even though a number of the ‘facts’ about me aren’t quite right.  I did correct a couple things, but in the spirit of ‘don’t write your own bio’, I’m trying to stay away from it and just seeing what happens. 

I spent the week at the Hacker Halted conference in Miami and had a great time.  Except for the part where my iPad gave me an error message stating it needed to be restored from back up and commenced a reboot cycle.  Which lasted until Wednesday afternoon.  Nothing like being at a security convention and having mysterious issues with your electronics.  Talk about having your paranoia spike off the chart!  My talk with Mike Dahn on Compliance in the Cloud (it really is about more than just PCI) was well received and we should see our interview with Tony from InfoSec Island within the next couple of days online.  I’m glad to be home with the family for a little while before hitting the road next week to speak at BSides DFW.  I actually get to give the closing presentation.  No pressure there.  But in the mean time, I have an appointment to keep with my coworker Josh Corman and Rapid 7′s HD Moore to talk about Josh’s idea, “HD Moore’s Law”. 

Open Tabs 10/28/11

• Op-ed:  The shocking strangeness of our 25yo digital privacy law – Why can’t we write laws that are broadly applicable?
• Who else was hit by the RSA attackers – One hell of a list.  And one hell of a wake up call for the industry as a whole.
• #SecBiz or the better answer to Martin’s question – I’m glad the Down the Security Rabbithole podcast I’ve been doing with Rafal Los has sparked some thought.
• First Circuit finds that fraud mitigation costs … – Long title to say that at least one court believes you should be able to sue to recoup your personal mitigation costs after a breach.
• Where is your Chaos Monkey? – It’s an interesting idea to purposely fail some of your infrastructure at random intervals to make sure your stuff works.
• Disastrous IP legislation is back … and it’s worse than ever – I got to speak to Kevin Bankston from the EFF at Hacker Halted.  When an EFF lawyer tells you something is the worst piece of legislation he’s ever seen, you know it has to be a steaming pile of crud.  Please, please, please contact your legislators and let them know this can’t be allowed to pass!
• Looks like Congress has declared war on the Internet – A lot more information on this atrocious legislation

Yesterday was a very productive day, and I’m more than a bit proud of myself.  I’ve working from home for more than a few years now and I’ve gotten progressively bigger and bigger and in worse and worse shape.  I’ve been in worse shape than I am right now, but it’s been a downward trend recently, something I haven’t been doing enough to combat.  So I decided to quit researching stand up desks and make a prototype standup desk for myself, something i can use to decide if I want to invest in the wood to make something more polished and longer lasting.  With the help of my father in law, who actually has decent skills at woodworking, something I’m sorely lacking.  I’ll write up the desk in a week or two when I’ve had a chance to use it for more than a few hours.

Open Tabs 10/23/11

• Anonymous hackers take down child porn websites, leak users’ names – I hate the users, but I still have a hard time with vigilante justice.
• Metasploit Community Edition – Time to fire up a couple VM’s and play!  Good chance of having HD Moore on the podcast soon, with Josh Corman to explain ‘HD Moore’s Law’
• Dropbox’s Mobile API gets a security boost – It’s about time.
• iOS tip: putting Newsstand in a folder – I hated having Newsstand take up space on my iPhone and iPad screen! (Thanks @dszp)
• A Friday rant on cybercrime legislation – Great rant by Nick Selby on why knee jerk legislation concerning computer crimes is going to do more harm than good.

The problem with having a body clock that thinks it’s on the East Coast even when it’s not is that I’m up early no matter what day of the week it is.  I’d like to sleep in, but once thoughts of CDN’s and presentations start dancing in my head, it’s time to get up.  Which is okay, since there’s a lot to do this weekend before I head to Miami and Hacker Halted on Monday.  I’m going to be presenting with my good friend and former colleague, Mike Dahn.  Then it’s back home for a few days and off to BSides DFW for a completely different presentation.  The next trip after that is with the family, so the only commitments I’ll have is keeping the kids out of trouble.

Open Tabs

• Secret iOS business; what you don’t know about your apps – We’re in an age where I phones tattle on us all the time.  Or leaking information.  Or just plain insecure.  Scary, isn’t it?
• HOW TO: Spy on the webcams of your website visitors – If the patch isn’t out already, it should be soon.  But I unhooked my webcam already.  Mostly because I leave it unconnected.
• New security threat:  Infected QR codes – No surprises here.  Someone posted huge QR codes at Defcon this year.  If you used one, you got to see Goatse pictures.  Yay!
• Anyone with a Smart Cover can break into your iPad2 – Along with being able to use Siri without unlocking the 4S, Apple’s made some bad default settings lately.
• AntiSec targeting law enforcement in support of Occupy Wall Street – I think AntiSec is going after police servers because the financial company servers are too hard for them.

A couple late additions, since I’m waiting on the next cup of coffee to be ready:

• How security pros can leverage PCI compliance initiatives – Why aren’t you doing this already?
• Calvin and Hobbes explain Occupy Wall Street – Watterson is an absolute genius!

The last couple months seem to have flown by.  It seems like just yesterday I was complaining about September being gone before I knew it and now it’s almost Halloween.  I’m pretty certain no one’s stealing my time, but some days I wonder.  In any case there’s stuff to do and places to go today, especially since I spent the last few days trying to recover from last week’s conference.

I used to use the blog as my extended, external memory.  Kind of like Ratbert strapping a piece of liver to his belly and calling it an external brain-pack. Except I’m hoping the blog won’t start to smell after a few days.

Open Tabs 10/20/11

• My friend Ken Smith sent me a link to videos of the presentations given at the Boston NAISG chapter over the last few years, including his.
• Google to begin encrypting searches & outbound clicks by default with SSL search – Just remember, you’ve got to be logged in and using SSL already, it won’t default to SSL for everyone
• Son of Stuxnet found in the wild on systems in Europe – “Duqu, I am your father!”  Sorry, for some reason I keep thinking of a Star Wars character with this name.
• 7 key skills new IT grads are lacking – I’d say half of these are common to all grads, not just IT grads.
• Where’s the Steve Jobs of security – That’s a good question.  I think we need someone who can see beyond our preconceived notions and find real answers.
• Hackers expose Citibank CEO’s privates – His private information, that is.  I’d be more interested in seeing his financials, myself.
• US DHS expects Anonymous to attack infrastructure – Our infrastructure is incredibly brittle, so why shouldn’t they attack a weak point.
• Bad Siri! She’ll let anyone use a locked iPhone 4S – I can imagine some of the pranks being pulled around the office and ‘resignation letters’ being sent.

I used to post some of my reading material at least daily, but got out of the habit because I was using the posts to fuel the podcast.  But since I’ve been bad at posting anything at all lately, I’ve decided that I should post at least every few days the articles I’m reading to keep myself up to date.  I know I could use something like Instapaper to do this as well, but I’m an old-school blogger, so I’ll do it here instead.

Open tabs 10/18/11

• Linux Torvalds and others on Community Burnout – Sent to me by one of the members of the Security Burnout Panel, which is going on this week without me at Sector
• Germans condemn police use of spyware – Which they should!  I just hope we do the same when it comes to light here.  And I do mean ‘when’ not ‘if’
• Time zone database has new home after lawsuit - Just in time for Daylight Savings Time to kick in.
• Sesame Street’s YouTube Channel gets hacked badly – Is password guessing hacking badly?  (I hate this use of badly)
• BlueCoat:  US technology surveilling Syrian citizens online – Again, how will we react when this comes to light at home?  Oh, wait it already did, we pretended it didn’t.
• 4chan’s Chris Pool:  Facebook & Google are doing it wrong – Big surprise here!
• Network Security Podcast, Episode 256 – Almost forgot this, since I wasn’t there last week.

I’m not a big fan of opinion polls, especially when the people writing them present them as if they were facts, rather than simply opinions of the people polled.  There’s a huge difference between the reality we live in and the way we perceive that reality.  That’s simply a fact of life, not a criticism of anyone in particular.  But it has a huge impact on the real usefulness of data when it’s based on perception rather than a quantifiable measurement.  And in the information security field, we’ve been working on perception and intuition for far to long and need to start relying on real, measurable data instead.  I have been told I’m too hard on polls, since opinions are valid data points as well, but I’m not so certain.

That’s quite an opening statement for a look at the latest security survey by Symantec, but I wanted to get my own personal biases out of the way before starting.  It also help explain some of my skepticism of the value of the Symantec State of Security 2011 report.  It’s pretty, it’s glossy, it has nice pictures, but it’s still an opinion poll and I always have to wonder how much it’s been affected by the perception of the people who were surveyed, how much they were willing to answer honestly and whether or not they actually knew the answers or just made stuff up.  As I said, I’m not a big fan of opinion polls in security, in large part because I’ve filled out more than a few of them myself.

There’s a lot of white space, large type and big graphs in the the report.  Padding that should have been replaced with more analysis and discussion rather than being wasted.  Which tells me this was probably produced by the marketing department rather than someone in engineering or security.  Marketing might have gotten the analysis right, but the 19 pages would have been boiled down to 8 or 10 pages if it had been written by an engineer instead.  That’s not to say there isn’t some good information in the report, but it does mean there’s a lot of fluff to wade through to get to it.

One of the important tidbits is that, according to the poll, 41% of security professionals feel that security has become more important to their businesses over the last year as opposed to 15% who think it’s decreased in importance.  Given some of the high profile attacks that we’ve seen in the last year, I don’t find that surprising, but I’m still glad to see that what we do is gaining in awareness of management.   41% of respondents also feel that they’re being given more budget, which leads me to ask if the increase in awareness is leading to a greater budget or if an increased budget lead to a feeling of more awareness?  Given how long we’ve been underspending on security, it is good to see some positive movement on this front.

I found the trends that are driving security concerns a little confusing.  According to Symantec, mobile computing, social media and consumerization of IT top the list of concerns; this was explained to me as coming from the newness of the technologies, but I find that hard to swallow.  Smart phones aren’t new, social media isn’t new and consumerization certainly isn’t new.  I know I had to deal with consumer products in the workplace when I was a sysadmin and that’s been nearly a decade.  The first thing I’d point out is that there’s only a 4% difference between the top 6 items in the list and Symantec acknowledges a 5% margin of error in the survey.  Which means that nearly any one of those categories could actually be the biggest security concern.  I’m a little surprised they split different aspects of ‘cloud computing’ into various subcategories such as SaaS, PaaS, public and private cloud, but I mean that in a good way.  It’s so nice to see someone who actually realizes that the ‘Cloud’ isn’t one technology but a collection of very loosely related technologies and implementations. 

I would like know more about how the question concerning significant security threats was posed to the people polled.  Hackers top the list, but there’s also a category for hacktivism, criminals, industrial espionage, targeted attacks and state-sponsored attacks.   I see those all as potentially falling under ‘hacking’ which could mean that there was a flaw in the question asked that biased the results.  I’m also not sure how this perception actually gains us any understanding in the first place.

“71% of respondents saw an attack in the last year…”  Oh boy, that’s a loaded statement.  If only 71% of the companies saw an attack, what were the other 29% doing, because I’m absolutely certain they were attacked, even if it was simply a drive-by attempt.  Were they playing ostrich, with their heads buried in the sand and no detective measures on their network?  Did they have anti-virus and ignore the malicious code that found it’s way into their network or did they not have AV at all?  Were they actually looking at the logs from their IDS or were they ignoring those as well.  I’ve run into more than a few security professionals who’ve said their management didn’t want detective measures  in the environment because detection would mean they’d have to do something about it.  But even I have a hard time believing it was 29% of the companies. 

The one perception I find in this report that I find scary is the measure of what security professionals think they’re doing well.  52% of security professionals polled believe they’re addressing routine security measure effectively.  But that also means 48% of security professionals don’t think they are.  Close to half of us are willing to admit we aren’t doing a good job at the basics.  And that was the highest measurement amongst all the data points.  If half of us admit we aren’t even doing the basics well, is it any wonder that we’ve seen so many breaches in the last couple of years?  Do we even have a chance if half of us admit we don’t have the resources to do the basics?

The recommendations by Symantec are generic and could have come from nearly any security report written in the last few years.  Policy, process, buzzwords don’t help much.  What should have been highlighted is the need to get the basics right, rather than work on policies that most people in your company will never even know exists.  Yes, policy gives us a lever to pry money out of management from time to time, but it doesn’t address the real problems of just being aware of what’s happening on your network.  But that’s probably not what management wants to hear anyway.

Take a little time to read the report, it won’t take you more than 15 minutes to read every word in it.  As with any report there are some nuggets of knowledge to be gained, but question the analysis put forth by Symantec.  I wish they’d included more information about the specific questions asked, because that tells a lot about the biases involved.  I would also like to see hard data points about the points made, rather than just opinions.  But I guess a couple of years of hanging around people like Alex Hutton and Wade Baker, writers of the DBIR, make me value analyzing data over opinion.

I have had way too much experience changing jobs and adjusting to new workplaces.  Over the last decade I’ve worked at six different companies, only one of which have I lasted at for more than two years.  In and of itself, this isn’t necessarily a bad thing, since job changes are common in the security arena and every one of these job changes has been a step up or an escape from a situation that was not beneficial to my mental health.  My latest change from being a Qualified Security Assessor at Verizon Business to becoming the newest Security Evangelist at Akamai was an escape as well.  I wasn’t escaping from Verizon, a company and group of people I can honestly say I enjoyed working with, but rather a (partial) escape from working in a compliance framework I was completely burnt out on.  Four years as a QSA is more than anyone should subject themselves to, but that’s a post for some time when I’ve recovered more thoroughly from the experience.  And the act of changing jobs frequently isn’t even what this post is about; it’s about one of the bad habits I’ve developed when changing jobs.  It’s about going silent on the blog and pulling back into myself while I figure out where I’ve landed.

I have a voice in the community.  I’d be guilty of false humility if I didn’t admit it was a fairly big voice.  I’ve been doing this for a long time, which in and of itself creates an awareness in the community and frankly, I sometimes have some points worth committing to digital paper.  But when I started blogging, no one knew who I was and no one I worked for had any awareness of what a blog was or what sort of impact it could have on a career or on a company that employed a blogger.  Quite frankly, eight years ago I was just another faceless guy managing an IDS and web filter.  I had some ideas I wanted to throw against the wall in order to see what stuck and to have people pick apart so that I could learn and strengthen my understanding of security.  I didn’t realize at the time that blogging would be instrumental in forming my career and putting me in touch with security professionals around the world.  I also didn’t realize that employers might read my blog and make decisions on whether or not to hire me based partially on my writing.  I also didn’t realize that blogging could affect my employer and get me fired.

I’ve learned a number of lessons about blogging the hard way.  I’ve learned that no matter what I think I’m writing, what’s important is how other people are reading it.  There have been a number of posts over the years that I thought were just throw away ideas that somehow struck a cord with a huge number of security professionals.  More often, there have been posts that I thought should provoke a major outcry by readers that went out with barely any notice at all.  I still don’t completely understand the difference between the two.  But in both cases, I’ve realized that people are reading and judging what I write, for good and for ill.  And when I write something people read, it can get back to my employer.  I know of at least one job I left, at least in part, because of something I wrote on the blog.  I also know of at least two roles I’ve been offered directly because of my blogging, podcasting and social media experience and voice, including my current role.  Overall, I have enjoyed a huge positive impact on my life due to the blog and I will not give up on it.

But one of the bad habits I’ve picked up because of my negative experiences has been going silent when I start a new position.  There’s a few reasons for that, and understanding an employer’s tolerance for blogging is only one of them.  It’s stressful to start a new job, no matter who you are and how much you love the job you’re moving to.  My new role at Akamai is no exception to this rule, in fact it’s one of the more stressful changes I’ve ever had.  I love the job, I love my role, but there is SOOOOO much to learn and I’m expected to be an expert NOW, rather than in six months.  I can do it, I love the challenge, but cramming so much new information into my tiny little brain leaves very little extra horsepower to synthesize the information into something worth blogging about.  And I’m not the sort of person who wants to merely regurgitate information, I want to be able to use what I’ve learned and reframe it into something that’s valuable to the security community as a whole.  Which is really hard when you’ve got a fire hose of information aimed at your head and you’re just trying to find the room to breathe.

Another reason it’s hard to blog when starting a new job is just the sheer enormity of change.  Finding the time to blog, the time to podcast, the time to exercise and sometimes even finding the time to spend with the family is hard at first.  What are my priorities?  What tasks have to be done before I can quit work for the day and what tasks can wait until tomorrow or be blown off all together?  When can I fit in an hour or so to collect my thoughts and put them on the screen? 30 minutes?  15? Please, can I just have 5 minutes to post a link or two?  The first few weeks or months are incredibly chaotic and somehow blogging is always one of the first things to suffer for it.  But better blogging than my family.

I’d be lying to myself if I didn’t say that gauging my employer’s willingness to accept blogging was one of the main roadblocks when I start a new role.  I’ve been burnt before and it’s left an impression on my psyche.  I’ve learned to be up front about my blogging and podcasting and my resolution to maintain them and my voice, but it’s still been a crap shoot in some cases to find out what my employer’s tolerance in real life is anything similar to what they said in during the interview process.  More often than not, my employers have maintained an air of benevolent ignorance towards my blog, but every so often I’ve gotten the “we’ve read your blog and are not happy” conversation.  Not often, but it has happened and it’s never comfortable talk.  I’ve actually told at least one manager that my blog and podcast are more important to me than my job.  Neither of us really walked away from that conversation happy.

I’m very excited to say my position at Akamai as the newest Security Evangelist is very different.  I was explicitly hired, at least in part, to blog, to podcast and to continue being a very vocal part of the security community.  Everything I’ve encountered so far tells me this is where I need to be now and hopefully far into the future.  Many of my coworkers were friends long before I worked for the company and will be for a long, long time.  But, like everyone, I’ve been scarred by some of my previous experiences and it takes a conscious effort to overcome the habit of initial silence.  Obviously, this post is part of combating that, but carving out an hour or two a week to post as part of my job rather than despite my job will also be an important part of the effort as well.  I’m supposedly a ‘thought leader’ and in order to be that, I have to actually have the time to collect my thoughts in order to put them out there for other people to read and critique.

One last reason I haven’t been writing nearly as much as I used to over the last year is saturation in the PCI field.  Not the field itself, it was my mind that had reached the saturation point with no room for new ideas to enter.  Over the last few years my arguments with folks like Josh Corman, Mike Dahn and a myriad of other really bright people had reached the point where we weren’t talking about anything new, we were just going over the same old ground from different directions.  Or just having the same argument again and again without anyone learning something new.  And that’s not what I want for the blog or for my own education.  While it’s not the same as not writing because of a new job, it has definitely been related.

So here’s to setting aside some time and energy to blog.  I like writing.  I like getting feedback.  I like putting my ideas out there for others to tear down or build upon.  There are a lot of people smarter and/or more experienced than I am and interacting through the blog makes me a better security professional.  And if you haven’t figured it out by now, I’m passionate about being a security professional and becoming better at it every day.  Blogging has long been one of my best tools for meeting that goal.

I don’t have time for a long post, but on the off chance you’re not a podcast listener and you’re not on twitter, I announced on the podcast last night that I am leaving my current role as a QSA at Verizon Business and I will be the newest Security Evangelist at Akamai.  I will be working with Mike Smith (aka @rybolov on twitter) for Josh Corman (aka @joshcorman) as the third member of the Security Intelligence team.  Or second, depending on how you look at it, since I was actually sent an offer letter before Josh.

I’m leaving a good company and crew behind at Verizon, but I’ve had enough of being a QSA.  It’s time to move onto something that involves the parts of security I’m passionate about; blogging, podcasting and generally arguing with anyone who has two ideas to rub together.  There will be some meetings and speaking engagements I’ll have to make as well, and I won’t be completely out of the PCI arena any time soon.  I’ll still be a subject matter expert on PCI, but I won’t be the one writing two hundred page reports anymore.  I will get to see a lot of the metadata about one third of the traffic flowing across the entire internet.

I agree with something Josh said in the podcast last night; Akamai is a company that can be an incredible pivot point in introducing greater security.  I’ve spoken several times about the tokenization at the edge solution and how it can improve credit card security.  Akamai announced a web application firewall solution last year, again pushing security measures closer to the edge.  I don’t even know the majority of the security services we offer, but I will in a few weeks.  And there will definitely be more coming in the future.

Bill Brenner was listening in on the Twitter stream and caught some of my tweets.

Over the last few months I’ve come to the conclusion that we’re doing security wrong.  Not the day to day details, though we’ve gotten a lot of that wrong as well.  I mean we’ve gotten the big picture issues wrong, we’ve made a number of false assumptions about how we should be protecting our enterprises.  We’re building the very concepts we rely upon to develop products, services and systems from on shaky ground.  If you don’t agree, just look around at the ease which hackers are tearing through the defenses of even the largest merchants (Sony) and you have to admit that something isn’t working like it should be.  You can blame businesses for not giving us the resources we need, you can blame a shortage in decent security professionals or you can do some self examination and realize that maybe security best practices and compliance efforts just aren’t working.

When I say we’re doing it wrong, I’m thinking at a more basic level than some of the common fallacies we run into every day.  We all know that ‘firewalls are a security device’ is wrong; they’re just a complex traffic management device and don’t do much more than filter traffic on the grossest level in most cases.  And that’s assuming they’ve been set up correctly, which too many aren’t.  When was the last time you saw good egress rules?  Or the fact that a number of studies have shown that antivirus commonly doesn’t catch more than 70% of all viruses and the number is falling.  These are both assumptions that executives and non-security professionals make, but most of us in the community know that firewalls and AV are just things we put in because the business has come to think of them as the expected minimums. 

But the flaws I’m looking for go deeper than the fallacies of firewall and antivirus effectiveness.  I’m not looking for the nuts and bolts assumptions that we make to work on a day in and day out basis.  I’m trying to examine the deeper assumptions, the ones that we’ve built our entire philosophy of security upon.  In a different context we my call this our morality or religion, which might not be a horrible comparison.  I’m looking to see what are some of the most basic truths we’ve decided for ourselves and what are the errors we’ve made because we’ve built these up from lessons taught to us by others.  Were these assumptions once valid, did they once have a grain of truth or were they merely the most basic and easy rules to put in place because they hadn’t been tested before.  And just as with religious or moral beliefs, to few of us ever take them out of the back of our mind to re-examine the assumptions and see if they still hold up as well to our adulthood as they did to our childhood.  The security assumptions that might have served you well when you were an IDS or firewall administrator may not translate well to a later point in your career, and in fact may cause damage to your reputation.

It’s never easy to change the core of your belief system.  I only know a few people who consciously make a habit of doing it on an annual basis and even fewer who live their lives in a constant state of re-examination.  It’s a powerful tool to be able to look at your worldview, understand that you’ve made some mistakes and adjust to the new realities of how that affects the way you interact with the world.  But it’s painful sometimes, and the change can be difficult.

So enough of the philosophical BS, what are the fundamental flaws in security reasoning that I’ve identified?  I’ll be honest, there’s only one I’ve identified and mulled over to the point that I’m ready to share.  We, security professionals have taken it upon ourselves to be responsible for all risk in the corporate environment.  We started by placing the firewalls around the outside of the network and as more and more complexity was added into the IT infrastructure, we took on more and more of the risk into our philosophy, without really stopping to consider if we are the ones who are responsible for the vulnerabilities and misconfigurations that spawn much of the risk in our environments.  We’ve only rarely been given, or fought for, the authority to make changes in the products and systems that introduce risk, we are all to often nothing more than a speed bump in the corporate culture and a scapegoat for compromises when they happen.  “Why didn’t you protect us?  It’s your fault this happened!”  But if we had little or no ability to change the underlying systems that led to the compromise, why are we considered responsible?  Responsibility without the authority to affect change is the surest route to being a scapegoat in the best of situations.

So why have we accepted this risk responsibility without having any authority?  Because that’s how most of us have been taught to do security.  It’s not only our duty to identify risks and explain them to the business, it’s our duty as security professionals to shoulder that risk and do what needs to be done.  Despite the fact that we can’t change the underlying problems that introduce the risk.  Despite the fact that all too often we don’t have the manpower to deal with the problems we already have.  Despite the fact that we’re not given the budget we need to reduce the risks that existed in the enterprise before some new project introduced even more risk into our overstressed environment.

So if we’re not responsible for the risk in the enterprise, who is?  In a perfect world, the people who introduce the risks should also be the ones responsible for it.  Is the marketing department requiring a new feature on the company web site that also opens up the corporation to a partner?  Then they should be the ones who’s finances bear the burden of paying for the additional monitoring costs.  The development department is doing the programing for the corporate web site, so why is the security department being held responsible when a SQL injection attack not only takes down the site but also discloses a million customer records?  If a proper SDLC had been implemented, if tools for testing the software, if internal training had taken place, the SQL injection should never have happened.  Yes, we can be responsible for adding a layer of protection beyond that, but it’s the development team that should be taking the responsibility, since they’re the team that actually had the authority to make changes and prevent the risk from being placed in the environment in the first place.  We need to stop being the sin eaters of the corporate world, absolving all other departments of their responsibility for the risk to the corporation they introduce on a daily basis.  We need to push back and put the onus of dealing with risks and vulnerability on the shoulders of the people who are closest to the problem.

The fundamental flaw in security thinking is that we can effectively combat the risk for the entire company.  We can’t.  We have to advise and point out where new or existing risks are, but it’s impossible for the security team within an organization to deal with every single potential vulnerability and we shouldn’t even be trying.  We need to make a change to the way we think about security and start pushing that responsibility back on the people who can actually affect change.  It’s amazing how many requirements turn into ‘nice to have’ or ‘we don’t really need that’ when the department asking has to shoulder the responsibility.

There’s no quick fix, I think this is something that needs to be a ‘generational’ change in security.  One of the first things that was brought up when I floated this idea amongst my peers is that we can’t just barge into the corporation and force a new way of thinking on corporations.  And that’s true, we will never be able to make an overnight change to the way other business units perceive us and we can’t be militant in pushing other parts of the organization to take responsibility for their actions.  It will be an unpopular path to take, since no one wants to take back responsibility once it’s been offloaded.  But it’s imperative we start down this path, because this isn’t a problem that’s going to go away, and as more and more compromises happen, we’re only going to be blamed more for issues we had no authority to change.  We have to change the way we approach risk in the enterprise and slowly educate our businesses about where the responsibility for risk really sits.

There are a number of people who I think are already aware of this fundamental flaw in security thinking.  Andy Ellis over at Akamai, Rafal Los at HP and a number of senior security professionals understand that we can’t take the responsibility for all risk and are pushing it back to the proper departments.  This isn’t to say they’re blocking progress, but that they’re telling the departments, “If this is what you need, we will show you the risks involved.  But you will sign off on those risks and accept that if something goes wrong, it’s not the security department who will take the blame.”  Rafal gave a great talk on this recently at BSides Detroit, and my conversations with him subsequently were a large part of the impetus for this post.

Start by changing your own way of thinking about acceptance of risk.  Push back gently at first, but push back.  Even if you’re unable to get a written statement saying that others take responsibility for the risk they’re creating, bring it up in meetings and stop just accepting it for them. Talk to your legal department, make sure the corporate council knows when there’s a risk you think will put the company in danger.  Start cultivating relationships higher in the organization and changing the way other people think about security.  Because as long as we continue to take responsibility for all risk in the corporation, we will be the scapegoats for any compromise and will be unable to be effective.  Not only will we continue to suffer, but the business will continue to be compromised with frightening regularity.

—————-
This marks blog post 2000.  It’s taken 7.5 years.  But it’s been worth it.

Tweet