Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

She Blinded Me With INFOSEC! *Blergh*

So lately I have noticed a whole lot of drama surrounding the Infosec scene and I am frankly fed up with the crap. All of the posturing and the whining has got to stop before anyone takes anything seriously outside of our own insular, and functionally autistic, community.

We, and that is not the royal ‘we’, as a whole get it in the Infosec workspace.

They, as in ‘the real world’, which certainly outnumbers us exponentially, do not get it.

Simple really. Now I want you to understand one more thing…

THEY (the real world outside of the Infosec sphere) WILL NEVER GET IT AND WILL LIKELY NEVER CARE, SO QUIT YER BITCHIN’!

Whew.. I said it.. That’s been building up like a shaken can of Coke with a Mentos in it.

I guess the best navel gazing on this issue I have seen of late is the post by jhaddix called “Doing It The Hacker Way” wherein he comes to the same kind of conclusion I have: stop the douchebaggery and just deal. I have to agree wholeheartedly with this statement; however, I would like to add some more perspective to the whole “Them vs. Us” debate that seems to be the mindset of the Info/Offsec communities, as well as some observations.

So here goes.

  • I have said it before and I will say it again now. People, as a species, are poorly equipped to understand and react to long term threats. Just look at Japan and Fukushima to illustrate this. Building nuclear facilities on the coast of an island prone to seismic activity AND tsunamis? Yeah, perhaps not the best idea. How is that for long term threat cognition? Now think about this in terms of computing/networking, where the concepts of threats are even more arcane to the general populace. Yeah, it has all the makings of a disaster.
  • Now, if you have a group of people who are unaware and unable to comprehend the dangers AND they happen to comprise a company’s hierarchy, how do you get the issues across to them and elicit that comprehension and the resulting action to mitigate the problems? Furthermore, how do you get them to continue to understand and be mindful to prevent the same, if not more, issues in the future? The current answer seems to be to fuck the daylights out of them with every tool and trick you have. Rape and pillage, scaring the living shit out of them.. Or, to be the Cassandra who says that all of these things can be done and likely will. Neither of these approaches, my friends, will be enough to change the evolutionary process to MAKE them really care. So breathe for a while and contemplate.
  • Yes, you are some of the smartest people in the room, but, remember even smart people can be eggheads who can’t park a bicycle right.
  • This is a young ‘industry’; however, you need not act like a juvenile.
  • One must admit that no matter how many times an assessment is carried out and things are found/exploited there are ALWAYS more vulnerabilities being introduced. You will never get them all and the client, if they understand this, will become inured to it.
  • Attempting to subjugate companies, and people to your way of thinking by rooting the shit out of them will only serve to get you escorted off the premises and land you MUCH less work. NO ONE will ever get to perform all of the tests they want to (carte blanche) at any company. There will always be caveats to testing/assessments for clients simply because they do not understand the threatscape as you do… And don’t forget, they may not really care.
  • In the end, companies only have to comply with good faith “Due Diligence” efforts to placate the likes of the government on security issues. This is why most regulations are toothless. If you really mandated true security compliance, companies would never be able to sustain the weight of that standard and would fail.
  • The general populace doesn’t care about their emails being popped and spam/phishing attempts being sent to them. More often than not, they do not even know or care that events like the Epsilon breach even happened, and if they do get an email from company A that their PII was taken, they will shrug it off and forget about it. Once again, they do not comprehend the ramifications of what “could” happen to them from such a breach and won’t unless it does happen to them. Once it has happened to them though, they have little recourse to force any company to do any better on security, just as the Infosec community attempts to and finds frustration in.
  • “It’s human nature, stupid.” This is your mantra now if you want to stay sane.
  • Lastly, FORGET worrying about corporate America (unless that company holds key infrastructure networks such as NASDAQ/NYSE/TELCO/ELECTRIC) and worry about the government and military security postures. If you really want to worry about shit, worry about their being secure. After all, if that shit goes down it will be pandemonium out there in the world. Ask yourself this question.. If the power went out for a year or more, do I know how to survive without my electronic shit? Can I even jury-rig a pump to get fresh water? If you can’t, then you’re fucked. So worry about that instead of “I just wanna break shit because I know I can and you all need to learn!”

Sure, there is a place for the discourse on making companies see the Infosec light, but there just seems to be too much yammering and complaining and not enough cogent thought on how to really effect positive change. PTES will be a great help in the effort of bringing a standard to pentesting, but will that in fact get the corporate horse that you brought to the trough to actually drink? I don’t think so. We ALL have to have a little more common sense about things and a better understanding of not only human behaviour but also herd mentality. Without being able to manage the elephant, we will only get our little green VW Beetle sat on and crushed.. Whereupon we will rock back on our floppy Infosec clown shoes crying “Woe is me!”

K.

Written by Krypt3ia

2011/04/08 at 15:53

Posted in Infosec

4 Responses

  1. Well said, could not agree more! It’s time that infosec pros accepted that regular users have no motivation to learn, and adapt our approaches to respond to this.

    Stuart

    2011/04/11 at 21:49

  2. The biggest problem I see in this community is a stunning lack of understanding of how the real world works. There are so many kids out there who scream they’re “security professionals,” but the idea of a profession is that it’s something you’ve spent a lot of time studying and developing skills in — not some haphazard smattering of notions and half-baked conspiracy theories from Slashdot.

    I almost wonder if the security community wouldn’t do better with an apprenticeship system. The major problem then becomes, how do you certify who’s qualified to teach the profession to apprentices?

    Rob

    2011/04/12 at 13:22

  3. There is a third way.

    In “matured” information security offices, there is a “Risk Assessment” process, whereby a new (or existing) venture (or application, or server, or whatever) is examined for its “level of risk” down to the specific individual threats. A list of the vulnerabilities, along with a report of the relative threats of each are provided to — and this is important — the business owner.

    It is up to the business owner to 1) accept the risk (i.e., go on their own pig-headed way), 2) transfer the risk (try to get someone else to accept it), 3) mitigate the risk (fix or protect the problem from exposure to the threat), or 4) abandon the project or find another way to accomplish the same goal or service.

    Once acceptance of the risk becomes a very real and potentially career-limiting move for the business owner, fixing the problems becomes a much more “worthwhile endeavor.”

    xaetognath

    2011/04/12 at 19:37

  4. I do agree with you.

    I do see ‘average users’ being interested in security though, but they don’t understand the technology enough to be able to figure anything out. Convenience rules, and making most people think too much or too hard just causes shutdown.

    Personally I’d like to see the security minded included more often as a voice in the planning stage, pre-implementation. That’s when the super smart techs that are so in love with the possibilities need to be introduced to a bit of reality. When the “we can do this and this and this and this” most needs to hear “well maybe we shouldn’t because this can happen.”
    That’s when risk assessment needs to start, and so often in the past has failed.
    When business cycles are in fast growth, security gaps are often built into the infrastructure in the sheer hurry to expand.

    All that said, there’s no reason to pick nits.

    Skullaria

    2011/04/13 at 08:34
