“Strutting and fretting his hour upon the security industry stage, And then being heard no more”
The Frustration And Gnashing of Teeth:
Recently, I have heard others lament the state of the “security industry” as well as have posted about my own adventures into the land of FUD and Security Theater as well as a side trip into the shadow lands of denial. My last post about a call that went awry also got responses from others in the business including Mr. Reiner, who had a post somewhat similar to what I had written about, but took it further. His post mirrors much of what I am hearing and feeling myself now 13 years into it.
- The industry has become just that, an industry that makes cookie cutter security and passes mediocre services as “state of the art”
- The industry is now full of salesman and charlatans like Gregory Evans and Ligatt
- The clients still just don’t get it and often do not want to
- There are too many bells and whistle firms but too few true “holistic” security offerings out there
- The exploits and vulnerabilities are growing at a rate faster than Moores Law and never will there come a time when you can catch up
- Nothing is truly secure
- Regulations are inadequate mechanisms for security best practices inspiration (notice I do not say compliance here)
- Coders and the companies that hire them are coding insecurely and do not wish to change that
- Greed is Good (Gordon Gekko)
Generally, the experience out there is that as everything else that someone loves to do as an avocation which turns into a vocation, becomes not so much fun anymore when business gets involved…. Especially big business. Unfortunately, this is exactly what has happened today with information security/technical security. It has become a pre-packaged, pick your services lunch counter style of operation and you rarely get what you really need and instead get the fatty happy meal instead.
Taking A Step Back:
As professionals in the field we all have different skill sets and personal bents on and in the security theater. I am putting us all into the “theater” because really, we are all like Shakespeare’s players who: “struts and frets his hour upon the stage, And then is heard no more” We are in fact often times the character of “The Fool” The one man who is the outward conscience of the king and the one person in the court who can tell the truth to the monarch that they indeed have no clothes on. Of course this really only works for those who are contractors/consultants and can then leave the site after leaving a report on their vulnerabilities and how to fix them. Unfortunately, if you are a full time employee of said “court” you may indeed find yourself in the oubliette quickly enough. We need to embrace this fool role and then decide just how we will approach our careers as well as the means in which we ply our trade for the betterment of the courts we serve in.
One must remember that we all serve the will of the king… And sometimes the king is an idiot, lout, Luddite, or schmuck.
My Goal Here:
My goal with this post and what I think is shaping up to be a series of them, is to cover the players involved here, the game being played, and the realities of our business. So many of us are running into the same walls and I have been hearing the same things over and over from you all out there as well as in my own head as I deal with clients. All too often we do our best to tell the client that they have things that are vulnerabilities within their organizations as well as their infrastructures all for naught.
Others see the bigger picture of with everything that we do, there still is always a way into the org and their infrastructure and a method to steal their data. All too often this also happens because of simple low hanging fruit attacks such as SE attacks or completely un-secured networks that lack policies and processes that might in fact prevent much of the attacks from happening were they documented and in force.
Still others see the grand scale of not only the snake oil salesmen out there but also the malfeasance of the companies that make the software and hardware systems (might I mention ATM machines Deibold? yeaaahhh I think I will) that are completely insecure and egregiously so! Even in this day and age where hacking/cracking is so prevalent they STILL do not want to take the time and the effort to code securely… And as Weld Pond said today
“YOU SHOULD BE ASHAMED OF YOURSELVES! THESE ARE SYSTEMS THAT PASS OUT MONEY!” *paraphrase likely there*
To that end, I have created the following framework for the posts to come. Some of them are posed as questions and if you like, you can comment answers that you think apply. Overall though, I would like to pull the security industry apart as well as the motivations for not only the vendors, but also the clients. I want to lay out all the players and variables, examine them all, and then come up with a strategy for what I am currently calling “Holistic Security” (I know all scented candle touchy feely new age sounding) A method of looking at the security needs of a client and offering them what they really need as well as methods to bring that client to the troth to drink from the security well.
I know.. This is going to be nearly impossible huh?
It’s either this or just packing it in and walking away though… Really… Once you reach a point where you hate the job and you feel constantly that you are doing nothing to change things you either have to walk away, or make drastic changes happen.
What do you think? Don’t you think that with all our SE and other skills we ought to be able to overcome all this?
Check out the future post framework and let me know… I will work on the players tomorrow.
CoB
Krypt3ia 
“Nothing is truly secure”?! I know of a couple of folks who’d swear on a stack of (aborted) marketing powerpoints THIS HIGH *points to wall over head* that some things aren’t just “truly” secure, they’re ULTRA ecure(tm)!
*ducks* (please don’t hit me again!)
(please?)
Xaetognath
2010/07/29 at 20:51
Sounds like a plan!
I’ve become accustomed to people not listening to me, so I just do my thing, present my findings and recommendations, and put the ball in their court. If they want to do something about it, then great, otherwise, it’s not my problem.
My book and my blog are my last ditch efforts to save the world from itself. Talk about mission impossible! It’s worth the time and effort … at least for a little while. 😉
Mister Reiner
2010/07/29 at 23:16
[…] Players: In my first installment of this series I laid out the framework for what I wanted to do to create a new paradigm in […]
“Strutting and fretting his hour upon the security industry stage, And then being heard no more” Part Deux « Crabbyolbastard Ruminates
2010/08/06 at 16:22
[…] my previous installments of this series 1 & 2, I discussed the general environment and the players within the infosec business, now lets […]
“Strutting and fretting his hour upon the security industry stage, And then being heard no more” Trois « Crabbyolbastard Ruminates
2010/08/13 at 14:05