Krypt3ia

The Five Stages

In the past I have written about the INFOSEC space and some of the problems I have faced with it. It seems today, with the ever present cyberdouchery over “cyberwar” and the seeming eternal specter of Dr. Cyberlove (Richard Clarke) prognosticating our doom vis a vis China, I feel compelled to talk about it all again. Mostly though, I want to impart to you all a sense of how things are going, where we are headed, and the general malaise that I feel the world of “INFOSEC” is faced with on a daily basis.

In listening to the last EL podcast, I once again heard the frustration in Lizzie’s and Chris’ voices and, as I was having a stellar week myself (which will be talked about on the podcast tonight) I came to some conclusions on what it is we all do, perhaps some motivations behind why, and a feeling that perhaps nothing will ever really change in how things happen within this business. In the past I have lamented, but, like any process of grieving or other, there are stages right? I guess this means that I have come to the last stage, that of “acceptance” This is a conclusion I have come to recently and I think all of you out there may in fact come to the same conclusion eventually in your own INFOSEC experiences.

I personally have come to the stage of acceptance recently. I accept that in truth, there is only so much I can do and beyond that which I have direct control over, nothing else can be done.

The Hype and The Realities

Like I said, we have Dr. Cyberlove out there every day it seems, hitting a new news resource to get his name and his company out there with outlandish plots of how we are already pwn3d by China. The generals in the military and the government movers and shakers are all moving with fear tinged with desire, for more control over the internet as a whole while the beltway bandits are all in the wings, like a murder of crows on a powerline, watching dark eye’d, waiting for their moment to strike.

You see, it will be the crows that have the best day of all…

For every headline, every law enacted, and every grab at power made, there will be one person that will have to deal with the outcomes..

You.

On they will roll with cyberwar talk and fearful stories of how the world will come to a screeching halt once the hackers (or APT if you listen to Dr. Cyberlove and others) hack into the power grids and the nuclear silo’s. We will be at an existential threat to humanity because of the likes of Chinese hackers or worse.. Anonymous. We MUST protect ourselves by making many more laws to govern how we act on the internet as well as grant ultimate domain to protect intellectual capital for Hollywood!! We must prevent world war III in CYBERSPACE!

…. Or so Dr. Cyberlove would like you to believe….

The realities are much more pedestrian and not as sexy a story line befitting a new “Die Hard” movie so you really don’t hear about them. The realities are that there are issues with digital warfare, for lack of a better term, that could make our lives a bit more difficult, but, they would not end our way of life. However, the perceptions of many might fit a more common scenario that we in the community and without, may be more familiar with.

Batman and his “Rogues Gallery” of evil doers. It’s not reality, but, many of us tend to gravitate to the stories and the ethos right? So, lets take a look at it all from the pantheon of Batman. I know, I have gone down this path before but it is an amusing one if not at least an apt one.

“I’m The Batman” You Say?

So, you… yes you… the one in the batcowl. Protecting your domain, your “Gotham” as the network warrior, the lone sentinel holding back the night of the internet. How are you feeling about your job of late? Post APT and Anonymous, how are you feeling about the safety of your city? Do you feel that you have the tools and the know how to protect it? Are you backed up by the right people? Funds? Tools? Do you sleep at night or do you toss and turn.. Oh, sorry, during the day, as you work at night…

This seems to be a common mentality in many of the network security folks out there, that of the protector, the Batman. You get into this business for sundry reasons, but many have had it from the avocation stage to now being paid fairly well for it. Some of you may have trod the path of Bruce Wayne and gone to live in the criminal world, to test yourselves, to know your enemy. Others, may just want to live the dream and be the Dark Knight of the Network because you think its cool.

All of you though likely have days when you ask “What the fuck am I doing?” We all love the illusions but the realities, like those above about the hype and the douchery often creep in and brow beat us into submission. Some of the realities are things like no one wanting to take your advice, others might take the form of outright loathing of you for your stances being too hard on the users and the management objectives as they are counter to theirs. Things would be much much simpler if you were just the Dark Knight, alone and able to mete out justice with a Batarang huh? Still though, this is reality and the closest you will get to being a protector short of either becoming a bodyguard or Secret Service.

So Batman, evaluate your goals in life. Do you want to be just like the Dark Knight? A vigilante to some? Loved by few? Generally seen as someone to put a stop to? That romantic notion of being the lone sentinel wearing thin a bit now?

Can You Really Protect Your Gotham City?

This should be the first question that you ask yourselves if you are in the position of being the “protector” of the domain (Gotham) that you live or work in. As security people, you have a myriad of kinds of jobs, but the majority of them are not the sexy hacking gigs. No, there are many others out there who are the grunts doing the security architect work or some other management security positions or, you may even be part of the “C” class and be management. What you will always find though, is that it’s not only the external forces of the rogues gallery looking to take you down, but also the lack of cognition on the part of those you protect as well that may be your demise.

Security, even today, is still seen by many as just a cost center as well as a nuisance at the worst. Your job, every day, is to protect the companies data, and by proxy, depending on the company, the data of clients or perhaps consumers as well. The business as a whole is seeking profit, and profit means that they do things quickly or “agile” as the term of the day seems to be. To be agile though, the businesses often don’t want to be burdened with the extra steps of security. Steps mind you, that you need to carry out to insure that the “product” or “the data” that the company uses, manages, or sells, is in fact safe from theft.

You sir/madam are now “The Batman” Feared by some, loathed by others, and generally looked upon as someone to avoid as the story goes. Sure, you are likely a hero to still others, but, those are not the majority, and it is your thankless job to protect them all.. .With or without their help.

Are you really prepared for that? Can you keep that fact at bay and do the thankless work or will it trouble your sleep just as much as the chinks in the armor that you aren’t able to fix in your cities defenses?

Do You Have A Commissioner Gordon?

In the world of Batman, he has one key player, and that is Commissioner Gordon. Gordon helps Batman, he agree’s that there is a need for something more than the status quo to protect the city and, Batman has stepped up to help. Do you have a Gordon in your organization? Is there someone who really believes in security as a necessity and will fight for it? Or are you the Dark Knight who, after Gordon has been killed has little to no help in the crusade. Unless you have some real help, all too often you will only find yourself alone fighting a battle that you cannot win.

In the world of INFOSEC, you have to have this advocate as well. Unless there is a top down approach, you will end up just flailing around and gnashing teeth trying to protect your Gotham, but will only end up frustrated and likely burned out. This is something I have seen and heard a lot about these last couple of years within the community. Batmen and women are getting burned out, jaded, and angry because they do not have the Gordon to help them on top of being misunderstood or maligned because their beliefs and their willingness to take action are misunderstood or ignored.

So, if you do not have an advocate in a position of power such as a commissioner, consider yourself in an even poorer position than you are already and resign yourself to a much higher chance of failure.

Is It All Really Worth It?

Another good question to ask one’s self before taking on the cowl, is whether or not this is all worth it. Being the Dark Knight is not glamorous, it is not lauded, it is thankless and often maligned as jobs go. Sure, it looks really cool in the comic books and movies, but the realities aren’t so pretty. While Bruce Wayne does all of this out of compulsion, we today in the INFOSEC field are doing it maybe out of an avocation, but to most it’s a mix of avocation and a living. Once that veneer of fun and accomplishment wears off, just what do you have? Will you really want to go to work every day? Or would you rather just walk away, or worse, go to the dark side?

Face it, you are protecting things and people who generally do not see the validity in what you do in many places. Sure, some get it, some Gotham’s lap it up and are true pockets of belief, but, on average, look at all the corporations out there who got popped this last year even after giving lip service to performing “security” to protect their clients and their data. The realities are that the majority don’t get it and perhaps don’t care to. Hopefully you find yourself in a place that gets it and you have the Gordon and perhaps even a Harvey Dent (before the scars and insanity) to help you in your quest to guard the line… But.. I am not saying you will.

So, is it worth it getting into this career? Into this dark world of back alley battles and leaking of informational blood? I guess for some of us there is no other choice. For good or for bad, we toil on in whatever environment we are in to try and make it better. Others, well, they like to break shit, and get to on a regular basis, but even those guys often are heard lamenting the state of affairs because they aren’t just malevolent.

They truly want to be Batman too… But they are more Nightwing instead.

Ultimately, you have to take stock of your battles and wars to decide whether or not this is the life you want.

Time To Hang Up The Cowl?

Meanwhile, just like the escalation of the rogues gallery, you too will have to face new threats every day. Jack Napier made Batman by killing Wayne’s parents in front of him. Batman made Joker by battling Napier later on and ultimately driving him insane, thus becoming the main nemesis for Batman. After that others came along, seeing the Batman as their nemesis and upping the ante. Do you see where I am going with this? Look at the INFOSEC world today.. APT, ANONYMOUS, HACKERS, CRACKERS, HACITVISTS, LULZSEC, LULZSEC REBORN… It’s all about escalation. Some want to one up the other while many just are looking for a new way to make easy money by stealing.

When you look at the progression and then the response in the government and military sectors as well as the corporate clowns looking to sell security snake oil, you start to see a bleak picture. Mostly from the perspective though that no matter what you do, no matter how many nights you put on the cowl and use the Bat-grappling-gun to swoop between crime scenes, you will NEVER truly be able to staunch the flow of loss.

And that’s the most simple of truths.

If you can deal with never-ending war then do gird your loins and wade into battle. If not, if you take stock and the battlefield is not even remotely in your favor nor will it ever be, consider what you are doing. This is a battle you can never win.

And in that realization, you have the final of the 5 stages… Acceptance. If you can accept these things, and you feel you can fight on.. Then let the battle rage. If not, then you might want to consider moving out of Gotham.

K.