Archive for the ‘Infosec’ Category
Security Outsourcing: A.I. and Geographic
This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.
Recent events have gotten me thinking about outsourcing in the knowledge economy, and in particular the information security economy, as it is my specialty. With the advent of A.I. in the form of the LLMs out there now and others being created and implemented, the landscape is already changing quickly in the security space. However, that is only one force at work today; the other is of course the economic pressure and direction of the current economy.
I have been seeing a trend. As I was unemployed for three months, job seeking was part of my daily grind. In the process of job seeking, I was seeing trends not only in the reqs that were out there but also, through the process of interviews and rejections, it became clear that the trend is “Do more with less.” By proxy, this also means do more with less skilled people, force people into multi-role single positions, and generally pay much less for experience if possible, and if not, hire less skilled individuals and hope for the best outcome.
The tech layoffs that have been taking place this year and part of last are not over, and with them comes a purge of salaries and a bent by corporations to drive down the salaries for security operations. It has been talked about in news articles already, and all you really have to do is look at Mastodon or Twitter of late to see how many people you might know in the community getting laid off and seeking work. Add to this the idea of augmentation, if not replacement, of knowledge economy workers with the advent of A.I., and you have a potent mixture of incentives for corporations not only to cut head count but also to outsource potential work to less skilled and cheaper sources of labor.
What this means for the moment is that the cries before of there not being enough “skilled” security workers have died down to murmurs, if not been silenced altogether, in favor of a cheaper and more amenable fiscal alternative that CFOs like better, e.g. hire all those unskilled or underskilled workers and save the Benjamins. This of course doesn’t make the security of the corporation any better, but hey, we have cyber insurance!
We are good.
All of you should have no illusions that your company really cares about security. The security of the data they hold for their clients and their own IP even, isn’t a commodity that they consider to be paramount. Security has always been a cost center, and even today in the midst of all the hacking and leaking as well as geopolitical attacks happening, corporations are much more about the bottom line than they are about the ethics of security. So, what does it all mean?
Buckle up kids… It’s gonna be a rough ride.
In addition to this bent towards cheaper labor comes the thorny issue of outsourcing tech jobs to other nations that are certainly cheaper, and I have seen this happening as well. In one case, I was trying to hook up a mentee with a job only to be told that because they had an OSCP and they were in the USA, they could not hire them because they were cost prohibitive.
You read that right, OSCP and too expensive for an org that is making money hand over fist. Trust me, the company is flush, but, also known to be cheap with the owner raking in the money like a Russian oligarch sucking the collective’s carotid artery. This will be the wave of the near future I suspect. Perhaps this will change as a generality once companies are hacked or governments make companies more responsible about their security, but, I won’t hold my breath.
Meanwhile, the A.I. movement is already building capabilities, with the likes of Microsoft announcing its implementation into CoPilot.

The above image is a screenshot from an article released last week about the implementation of A.I. into CoPilot. Yeah, seems to be adding fuel to the fire, right? Well, Microsoft is only reading the auguries really; they aren’t stupid. So, what does this mean? Well, soon enough the A.I. will be at a point where skilled labor will be a nicety instead of a need, and corporations will gobble that shit up.
More on CoPilot: Microsoft brings GPT-4-powered Security Copilot to incident response and Microsoft Puts ChatGPT to Work on Automating Cybersecurity
See, the problem isn’t the A.I. or that it exists; it is the greed and the inability to comprehend the issues that could arise from its use, which will adversely affect society, that is the problem. We may have created A.I., but we are still simple tool users who want a path of least resistance to doing work. Societally as well, we are in no way capable of having a true utopian ideal because we are still too unenlightened to seek the benefit of all over the one.
Anyway, I asked ChatGPT-4 about the problems around its use in something like CoPilot and this is what it puked out…
It’s not wrong…
K.
The integration of ChatGPT-4 capabilities into security products like CoPilot in Microsoft can have a transformative effect on the information security landscape. As corporations increasingly adopt AI-powered tools, it’s crucial to consider how these technologies might lead to the replacement of high-paid information security workers and enable less skilled workers to take over certain functions in the field.
- Cost reduction: Corporations are always seeking ways to reduce operational costs, and by leveraging AI-powered tools like ChatGPT-4, they may be able to replace some high-paid information security professionals with lower-cost alternatives. This could lead to cost savings for the organization.
- Upskilling and reskilling: With AI-powered tools like ChatGPT-4, less skilled workers can be trained to perform tasks previously handled by highly skilled professionals. This upskilling and reskilling can provide opportunities for employees to move into information security roles while using AI as a support system.
- Streamlined processes: AI-powered tools can automate and simplify complex processes, enabling less skilled workers to perform tasks that previously required expert knowledge. This streamlining of tasks can lead to increased efficiency and effectiveness in information security operations.
- Enhanced decision-making: ChatGPT-4 can help less skilled workers make better decisions by providing real-time insights, recommendations, and contextual information. This can empower these workers to take on responsibilities that may have been reserved for highly skilled professionals in the past.
However, there are potential challenges and risks that corporations must consider:
- Loss of expert knowledge: The replacement of highly skilled professionals with less skilled workers may lead to a loss of expert knowledge and experience, which could negatively impact the quality of information security operations.
- Over-reliance on AI: Relying too heavily on AI tools like ChatGPT-4 could lead to complacency among less skilled workers, who may not have the experience or knowledge to recognize when AI-generated recommendations are inaccurate or incomplete.
- Ethical considerations: The displacement of high-paid information security professionals raises ethical concerns regarding the impact on job security, employee well-being, and long-term career prospects.
- AI limitations: While AI technologies have made significant advancements, they are not infallible and still require human oversight, particularly in complex and evolving fields like information security.
In conclusion, while ChatGPT-4 and similar AI-powered tools have the potential to enable less skilled workers to take on functions in information security, it’s essential for corporations to weigh the benefits and risks carefully. Organizations must maintain a balance between leveraging AI technologies and preserving the human expertise that is crucial for effective information security operations.
Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this publication.
Ethics In Hacking and Dropping Code
With the release of Autosploit, a tool for automatically scanning and exploiting hosts located via Shodan.io, a shit storm erupted on the ethics of releasing a tool like this. The problem has become just how easy it may now be to automate attacks on vulnerable systems en masse, which this tool could potentially provide. In an age where IoT devices as well as SCADA and ICS are sitting online in vulnerable states, such a tool makes the possibility of great damage to large networks more probable. It also brings to the table the idea that the barrier to success on such attacks has been lowered to a new class of individuals with a limited knowledge base, and creates an asymmetric threat model of a single individual able to wield greater attack capabilities with one tool.
Many arguments have been made on Twitter about the efficacy of releasing code like this but most have not focused on tools per se but instead on malcode or 0day’s. Now that there are bug bounty programs and companies that sell vulnerabilities we are living in a more dangerous time where the few with the money could buy exploits and do mass damage or commit mass surveillance and espionage. This also applies to countries willing to pay for 0day exploits to be in control of the attacks and have the upper hand. Think about that, our politics and our lives are at the mercy of code being sold to the highest bidder. We have weaponized code and tools made from it on a medium that was supposed to enlighten and bring us all together. Instead our baser nature has made the internet and everyone’s devices a tool for repression or subversion.
After the release of Autosploit, the hue and cry went up, and rightly it did. In a time where we have people releasing code and remarking “Let the world burn,” I think it is time that we began to talk about the ethics of doing these things. Ethics, kids, is a philosophical discipline where you consider the moral responsibilities of what you do and the effects your actions could have. I think that too many people of a certain age group have had little to no training in ethics, and this has helped lead us to where we are today. In this specific case, let’s talk about the ethics of releasing any code or tool that could lead to potentially disastrous effect.
Many tools over the years have been dropped for free by hackers out there that could be and were abused by others who downloaded and used them for their own desires. I have been exhorted to mention things like BackOrifice or L0phtcrack in the past and, well, there you go. Both tools were used for bad purposes as well as ostensibly good in the hands of penetration testers. Of course these were just placed on the net for free for anyone to have at first, and this is where the quandary starts, right? Did L0pht or cDc consider the potential damage that could be done with their tools? Did they put them out there with some self awareness that they may in fact be complicit in crimes because the tools that they created and distributed, for good or for ill, could be misused?
I point you all to Alfred Nobel, the inventor of dynamite. He created a tool that would help in mining, but in the end that tool’s devastating effects were used in other ways to hurt people and wage war. In an obituary that was accidentally run about him instead of his brother, he learned what the world perhaps thought of him regarding his invention. This bothered him so much that to atone for his actions he created the Nobel Prize to further science and other pursuits that do not further the harm of others. The idea of his invention’s use for ill and how he would be perceived by history prompted his ethical response.
Today, we have people creating tools that could be misused and in some cases are for the sole purpose of misuse. The Autosploit tool may be a boon for some penetration testers, but the reality is that it is just another mass scan tool that seeks out vulnerable systems throughout the whole of the internet and loads the exploit potential to just break into them. This is not a refined tool for a scoped penetration test, this is a tool for mayhem. This is why I think others have made comments about the way it was released and the dangers in doing it so. The ethics though seem to have been glossed over concerning this release. What are the ethics of Autosploit’s creation and release on a Git repo? What is the morality behind doing so? Are there arguments for either of those or is it just another hacker saying; “Let the world burn” with no thought or accountability because it is the internet?
The problem we have today is that there are no ethical demands being placed on these coders and hackers. In fact, the whole notion of hacking has a very troubled side where illegal activities are the norm because the ethical and moral question of “should I do this” has not even been contemplated over the desire to know things. Sometimes I personally think that there is a fair bit of sociopathic behaviour in this community to begin with so that actually kind of aligns with the argument that ethics have not even been contemplated in some of these works. So as we move forward into a world of cyber warfare we have to care for the ethics and morality of what we do just as we have in all other forms of warfare in the civilized world.
While people like Katie Moussouris advocate for penetration testing tools being classified in ways that do not declare them illegal, we too have to look at the ethical concerns of the tools and how they are released to the world at large. Wassenaar is a great idea, but I feel that it is a myopic approach to larger issues in our ever more connected world. If you look at the Balkanization of the internet, and the actions of China and Russia joining together in a pact to repel US hegemony on the internet, you have to follow that all the way back to the tools that make such issues possible. The tools that you all create for hacking and exploitation are something you should have some ethical concerns over when they are used, perhaps, in ways you did not intend.
Thus, take the ethical pause before you just dump them online …Unless all you care about is watching the world burn.
K.
I Am Danny Glover: I Am Too Old For This Shit
Welp, I am gonna say what others I interacted with this year at Defcon imparted in person. Just gonna rip the Band-Aid right off, no Bactine, nada…
Defcon has become too big for its own good.
There, I said it…
*waits for inevitable whining and recriminations from those who love it and run it*
Really though, the congestion even in Caesar’s was too much to deal with, and certainly the fact of getting into lines and then not seeing the talk because you were too far down said line is… well… disappointing to say the least. Add to this that you can see the media later online; why the fuck am I going to attempt to brave the hordes and pay $260 to attend? Everyone says “HallwayCon” now, but even that was stupefyingly impossible because the traffic analysis had been fubar’d for this one.
Nope, I am just too old for this shit now. The paradigm of BlackHat is the new RSA, Defcon is the new BlackHat, and Bsides is the new Defcon is really true I think. I had a better time at Bsides and actually got to have substantive educational interludes as well as conversations at Bsides. I attended BlackHat this year and had classes and I also have to say that the Classes were excellent but the presentations were a bag of fail, but hey at least I got to see them. A special note goes out to Matt Suiche on spectacular fail on slides with large blocks of text and his inability to speak English clearly for the ShadowBrokers presentation. In fact, let me also add that he did not add anything to the discourse on the subject by just regurgitating, in large blocks of text on screen, things we all could just Google.
But I digress…
It seems to me now in hindsight that the only way one will get good content and a hassle-free way to consume it is to pay exorbitant fees to see it, so all the other kids aren’t there rubbernecking in front of you gawping at all the shiny shiny. Even if you have to listen to the likes of the CISO of FaceCult drone on about how they are going to save the world in between laser light shows (YAY HOOLICON!)
Jesus fuck I am too old for this shit…
Next year maybe I will just do SANS…
Dr. K.
Eugene and the DoD
Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news, and now with the Putin administration threatening “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below.. Go ahead, read it…
Ok done? Yeah, Eugene was in the KGB school and he worked for the GRU too according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times where the cold war was in a deep freeze. Fuck, just go watch The Amerikans and then come back… I will be waiting…
Ok watched them all have we? So now you know how it was to live in the 80’s huh? Well there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?
Fuck you.
FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.
Right, so now back to the present unpleasantness. It seems that Eugene is now offering a code evaluation by anyone who wants to (specifically the DoD), so pretty pretty please buy our shit? Look, it’s not about the code; we don’t necessarily think there are backdoors in the product now. No, the worry consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB and certainly NO ONE says NO to Putin, right?
Imagine that Eugene’s software is clean as a whistle.
Now imagine that it is sitting on many USGOV and MIL systems.
Now imagine that all that telemetry from those systems is going to RUSSIA.
Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”
Think about that hacker kids.
Think about that you spies too.
You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?
So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….
So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?
Yeah neither do I.
K.
The DNC Hack: SVR? KGB? GRU? Lone Hacker?
Attribution Games:
I grow more and more weary of the attribution games being played in INFOSEC, and the DNC hack is just another in a cavalcade of epic missing-the-point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic: The Gathering replete with summoning!
“I summon the Russian GRU!”
“I summon the LONE ACTOR!”
“I summon the KGB!”
*slaps down cards on table* TAKE THAT!
The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!
“Whoa”
So, first let’s set aside the whole issue of marketing, which is akin for me to choking on a hairball left from that chick in “Ringu,” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors’ software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other, and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fifth, sixtieth actors also in the network or having been in it in the past as well. Face it, these are government systems which usually go to the lowest bidder, right? This was likely the Diagon Alley of Democratic networks.
So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”
Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?
Metadata and Cyrillic:
Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович) Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!
NAILED IT!
You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…
- Much of the data was stamped out in saving from format to format
- Emails of users though were still embedded in the excel files
- The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
- The image files have no metadata.. none.. niente clean.
- Grizzli777 is just someone who pirates
Yep, not a lot to see there, and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name as proof that it is quite OBVIOUSLY Mother Russia’s exclusive secret services.
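To make the point concrete, here is an added example of my own (not something from the dump, Crowdstrike, or anyone else in this story) showing what the document properties in an Office file actually are: a few plain strings in docProps/core.xml that any author, editor or script can set to anything. It builds a minimal OOXML-style package in memory, pulls the identity and timestamp fields back out, and runs the sanity checks an analyst would want before reading anything into a name. The package contents, timestamps and the “Someone Else” value are constructed; only the Феликс Эдмундович string comes from the discussion above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Namespaces used by docProps/core.xml inside OOXML (docx/xlsx/pptx) packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

CORE_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"\n'
    '  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">\n'
    '  <dc:creator>{creator}</dc:creator>\n'
    '  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>\n'
    '  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>\n'
    '  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>\n'
    '</cp:coreProperties>\n'
)


def build_sample_package(creator, last_modified_by, created, modified):
    """Constructed sample: a zip holding only docProps/core.xml, which is all this
    example needs. Note that any string at all can be written into these fields."""
    core = CORE_TEMPLATE.format(creator=escape(creator), last_modified_by=escape(last_modified_by),
                                created=created, modified=modified, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


def build_empty_package():
    """Constructed sample with the core properties part stripped entirely."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


def extract_core_metadata(package_bytes):
    """Return creator / last_modified_by / created / modified from core.xml, {} if absent."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    wanted = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
              "created": "dcterms:created", "modified": "dcterms:modified"}
    meta = {}
    for key, path in wanted.items():
        el = root.find(path, NS)
        if el is not None and el.text:
            meta[key] = el.text.strip()
    return meta


def _parse_w3cdtf(value):
    # core.xml timestamps look like 2016-06-15T10:00:00Z; normalise the Z suffix for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def consistency_flags(meta):
    """Cheap sanity checks: which fields were stripped, and whether the timestamps even agree."""
    flags = []
    for key in ("creator", "last_modified_by", "created", "modified"):
        if key not in meta:
            flags.append("missing:" + key)
    if "created" in meta and "modified" in meta:
        if _parse_w3cdtf(meta["created"]) > _parse_w3cdtf(meta["modified"]):
            flags.append("created_after_modified")
    return flags


if __name__ == "__main__":
    pkg = build_sample_package("Феликс Эдмундович", "Феликс Эдмундович",
                               "2016-06-15T10:00:00Z", "2016-06-15T12:30:00Z")
    meta = extract_core_metadata(pkg)
    print(meta, consistency_flags(meta))
```

The takeaway is the one the post makes: a creator or last-modified-by string survives format conversion or not at the author's whim, so its presence tells you what someone typed into a field, not who they are. The consistency flags are a starting point for spotting sloppy stripping or editing, nothing more.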
*squint.. takes drag of cigarette*
So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!
All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!
YAAAAY!
Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!
It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?
DATA:
Motivation Analysis and Hypothesis
RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…
Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campaign against Crowdstrike. Now imagine why they would be doing that. Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…
- Dropped dox of the dirt -> Blows all Hill had on him unless there is a double secret probation file somewhere
- Dropped dox yet to be released on Wikileaks -> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
- If that server was popped by the Russians and Gucci1, those criminal charges could be much more deleterious, right? *waves at FBI*
- Dropping of dox and general hackery causes the DNC and the election process to be even more fractious than they already are
- Dropping dox makes Hill’s candidacy potentially weaker (hint hint server -> Russians -> PWN wink wink nudge nudge!)
So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????
Why Pooty of course!
Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin? *sorry had to use that one* Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.
That’s my theory and I am sticking with it… For all the fucks that it is worth.
I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.
See you all in INFOSEC attribution Hell.
K.
Insider Threats: The Most Dangerous Threat
In The Seven Pillars of Wisdom there is the notion that the “insider threat” can be one of the most devastating threats to an organization. I have pointed this out before concerning INFOSEC, but I thought it would be prudent to do so again with the story of the caliphate and Abu Hamed. As a practitioner of the INFOSEC arts *chuckle*, one of the things that we have to take into account in the #BlueTeamLife is the insider threat and the general tenor within the organizations we work for. One has to take the pulse of the org and see what the overall temp of the work force is. Have there been layoffs? Are people generally disgruntled? Who amongst them may be a turncoat, stealing your data or setting up the Locky malware inside your domain controllers?
All of these thoughts should cross your mind now and again as an internal player within a security organization. Frankly yes, you can have utter devastation to your network and your org from just one end user being click happy, but imagine if you will a disgruntled employee who has keys to the kingdom and a will to wreck it all as they give you the finger walking out the door. I personally have been party to one such incident that included a logic bomb and many hours trying to figure out what they did to get the org working again. You can never discount the insider threat and you shouldn’t.
The same can be said about agent provocateurs in your org as well. This may seem like fiction to you but consider where you work and what they have as data goes. Would a competitor want to steal that data? Perhaps they would instead like to burn your org down to the ground to get ahead? All of these scenarios are possible and you as the #BlueTeamLifer have to consider these things as you attempt to secure the sieve that is your networking environment.
Do you have any content in your awareness training about outsiders trying to get information from your employee base? Do you have content about not wearing badges to local bars or being circumspect at conferences? If not, perhaps you should assess your crown jewels and start creating some.
At the end of the day it is better to be prepared for this type of activity than to be totally unaware of the possibility.
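As an added example (mine, not from this post), here is the sort of pulse check a blue team can automate instead of just thinking about it: it joins a constructed file-share access log against a constructed HR roster and flags accounts that combine a departure status with bulk, off-hours or cross-department downloads. The log format, the roster, the share-name-as-department mapping and the thresholds are all assumptions; swap in whatever your file server and HR system actually emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log of file-share events (not real data), one key=value record per line.
SAMPLE_LOG = """\
2024-03-01T09:12:04Z user=alice action=read path=/finance/q4.xlsx bytes=204800
2024-03-01T23:41:10Z user=bob action=download path=/eng/src-archive.zip bytes=734003200
2024-03-01T23:45:31Z user=bob action=download path=/eng/design-docs.zip bytes=209715200
2024-03-02T00:02:17Z user=bob action=download path=/finance/payroll.xlsx bytes=512000
2024-03-02T10:15:00Z user=carol action=read path=/hr/handbook.pdf bytes=102400
2024-03-02T11:30:00Z user=dave action=download path=/eng/build.log bytes=4096
"""

# Constructed HR roster: the "pulse" data, department and employment status per account.
ROSTER = {
    "alice": {"dept": "finance", "status": "active"},
    "bob":   {"dept": "eng",     "status": "notice_given"},
    "carol": {"dept": "hr",      "status": "active"},
    "dave":  {"dept": "eng",     "status": "active"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)
OFF_HOURS = (22, 6)              # assumption: 22:00 to 06:00 UTC is off-hours
BULK_BYTES = 500 * 1024 * 1024   # assumption: more than 500 MiB downloaded per day is bulk
DEPARTING = {"notice_given", "terminated"}


def parse_log(text):
    """Parse the key=value lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "action": m["action"],
                       "path": m["path"], "bytes": int(m["bytes"])})
    return events


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def top_level_share(path):
    # "/finance/q4.xlsx" -> "finance"; the share name stands in for the owning department.
    parts = path.strip("/").split("/")
    return parts[0] if parts else ""


def score_users(events, roster):
    """Return {user: [reasons]} for accounts that trip at least one rule."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    findings = {}
    for user, evs in per_user.items():
        info = roster.get(user, {"dept": None, "status": "unknown"})
        downloads = [e for e in evs if e["action"] == "download"]
        reasons = []
        # Rule 1: anyone on the way out who is still pulling files is worth a look.
        if info["status"] in DEPARTING and downloads:
            reasons.append("departing_employee_download")
        # Rule 2: total bytes downloaded per calendar day above the bulk threshold.
        daily = defaultdict(int)
        for e in downloads:
            daily[e["ts"].date()] += e["bytes"]
        if any(total > BULK_BYTES for total in daily.values()):
            reasons.append("bulk_download")
        # Rule 3: any download inside the off-hours window.
        if any(is_off_hours(e["ts"]) for e in downloads):
            reasons.append("off_hours_download")
        # Rule 4: touching shares that do not belong to the user's own department.
        foreign = sorted({top_level_share(e["path"]) for e in evs} - {info["dept"]})
        if foreign:
            reasons.append("cross_dept_access:" + ",".join(foreign))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in score_users(parse_log(SAMPLE_LOG), ROSTER).items():
        print(user, reasons)
```

The roster join is the part that matters: the same download pattern from an active engineer and from an engineer who handed in notice last week should not land in the same queue, and that context only exists if HR status actually reaches the security team.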
Think about it.
K.
Dark Reading: CISOs Caught In A Catch-22
JESUS FUCK.
Now that I have that out of the way let me take this article and turn some things on their head a bit. I would ask, if I were writing an article on this subject just how talented on average are these CISO’s that are being made scapegoats and not allowed at the C-Level table? Are these CISO’s capable of making those security decisions to start? How technical are these CISO’s on average and have they worked the bulk of their career in information security?
See this is what burns me much of the time. We have CISO’s who are titular C-Level execs that most often than not NEVER carried out a pentest and have little to no real experience carrying out a security program to start with. This is a problem and one that everyone seems to not quite grok in the corporate world but if you are in INFOSEC and you are capable, usually you are not considered to be C-Level material at the average corp. This is just my experience of this being in the business so long but hey, this article seems to be backing this up a bit as well.
On top of all this it seems that the people asked in this survey of sorts showed that the CISO, like much everything else in INFOSEC is considered the red headed step child that is better neither seen nor heard. That is until they have had a breach and then they can blame the CISO that they have not empowered and perhaps never trusted because they weren’t competent to start with.
But hey.. That’s just me right?
The role of the CISO is evolving more now because the breaches today are at a high and the compromises with data dumps have been making the news cycle burn brightly. That’s the extent of it really, these companies aren’t looking at the news, turning to their boards or other C-Levels and saying
“SHIT! WE REALLY NEED SOME TALENT AND EMPOWERMENT TO THE CISO NOW NOW NOW!”
Mmmmmyeah, not happening that I have seen. Evolution, kids, is a long-ass process, and in nature it takes millions of years. I am afraid though that in INFOSEC we don’t have that much time. So here are my bullet point thoughts to leave you with:
- We’re fucked
- If your CISO has no experience and shows that in meetings with other execs… You’re fucked
- If your CISO has no empowerment… You’re fucked
- If your CISO has no empowerment and no real experience he will be gone soon and… You’re fucked anyway
- Corporations are like living entities made of of large amounts of cells (people) that are in essence psychopaths. They are self involved, manipulative, and only want what they want and will do anything to get it.
You’re fucked.
K
THE DEFENDER’S DILEMMA: CISOs and Execs to the right of me… APTs and Hackers to the left… Here I am, stuck in the middle with you.
The Defender’s Dilemma:
This week I came across a tweet from @violetblue about an article she wrote for ZDNet on a RAND study that had recently been published: “The Defender’s Dilemma: Charting a Course Toward Cybersecurity.” The report ostensibly showed that the end game for information security is exactly what 99.9999 percent of the information security workers in the world today had already predicted. Simply put, there is no winning the game, and you should really just listen to the WOPR and not play at all. How about a nice game of chess?
All kidding aside, though, many in the game know there is no winning the cyber war. All you can do is perhaps win battles. Endless battles. The war will never end unless, by some miracle, someone uses the Nash equilibrium to bring all the players to the table and stop the game with wins all around. I somehow doubt this will happen, just as much as I doubt the same model can be used against Da’esh, but that is a story for another day.
What this report is telling us, though, is pretty much common knowledge within the community, and I have to wonder just how many execs, who come out of this report not too well as to their cognizance of the issues, will actually, you know, read the report in the first place. It would seem that this report’s 169 pages are another echo within the INFOSEC echo chamber that, once again, the executives will not see, hear, or understand because there are too many words to read. Honestly, RAND, after you say all these things, do you really expect them to read even the executive summary and understand it all?
Sampling Problems and Conclusions:
Eh… Still, even if someone like me were to try to synthesize this report into something comestible for the exec set, I would still have to deal with the fact that I dislike your sampling data and some of your conclusions, up to and including your heuristic model of the cyber future ten years out. Honestly, what the ever-living fuck, RAND? Let me start with your sampling of CISOs out there in the wide, wide cyber world.
As a result of interviewing 18 CISOs, we drew three sets of conclusions: those we expected, those that confirmed our suppositions, and those that came as surprises.
Eighteen CISOs? EIGHTEEN? Holy bad statistics, Batman! How do you even think you can conclude much of anything from such a small sample of the pool out there, RAND? I read that and I literally felt like I had just re-heard one of those old ads where “Nine out of ten dentists approve!” What bullshit is this? OK, let’s forget the whole thing about sampling and statistics, ya know, math, and just go with the logic of talking to only 18 guys. How do you know these guys aren’t idiots? How engaged are these people? How efficacious is their leadership? All of these things matter when you are asking people for their considered opinions for some kind of study! This number reminded me of a quote from “Back to School” with the late Rodney Dangerfield.
Thornton Melon: [in college bookstore] Hey, you guys get everything you need?
Jason Melon: Oh, yeah, we got it.
Thornton Melon: Good… Hey! What’s with the used books?
Jason Melon: Well, what’s wrong with used books?
Thornton Melon: They’ve already been read!
Jason Melon: Yeah, and they already been UNDER-LINED, too. Get it?
Thornton Melon: That’s the problem. The last guy who under-lined them, he could have been a maniac! Hey, get these guys some new books. Huh? Get some new books, will ya?
The sample is important, kids, and RAND just screwed the pooch on that one. Which brings me to another interlude they had in the report that shows you just how important this is.
WHAAAAAAAAAT? What kind of CISO doesn’t even know where the firewalls are?
Oh… wait… what am I thinking? I mean, how many CISOs are or were actual practitioners with real-world technical experience out there, huh? Now that would be a statistic that is rather important to comprehending the issue in the first place, right? Evidently RAND doesn’t think this is an important data point in this study. So yeah, we have “CISOs GONE WILD” here, as well as some seemingly tuned-in responses from the whopping sample of 18 respondents who finished an average of 15 out of 20 questions on their questionnaire. With these stats these guys may as well be Ponemon, for fuck’s sake!
Conclusions:
In the executive summary they lay out their conclusions from this study, and surprisingly I agree with many of them, but from long experience in the field, not from 18 CISOs answering nearly twenty questions. Most of these are just common sense, really, and logical conclusions; there was no need for a survey, however poorly constructed, to get to these answers. However, there are some gems in there.
The conclusions we expected were as follows:
• Security postures are highly specific to company type, size, etc., and there often are not good solutions for smaller businesses.
• The importance of intellectual property varies with the individual firms’ missions.
• Cybersecurity is a hard sell, especially to chief executives. …Yes, yes it is.
• Although CISOs generally lack a way to know whether they are spending enough on cybersecurity, they split between those who think spending is sufficient and those who feel more is needed. …So 50/50? Uhhh, clue please?
• Air-gapping, wherein networks are electronically isolated from the Internet, can be a useful option. (In a softer form, it is compatible with tunneling through the Internet but otherwise not interacting with it). …NO. WAY. How long have we been saying this?
• Responding to the desire of employees to bring their own devices (BYOD) and connect them to the network creates growing dilemmas. …WORST fucking idea EVER.
• CISOs feel that attackers have the upper hand, and will continue to have it. …Well duh, they do. It’s asymmetric warfare, you idiots!
The conclusions that confirmed our suspicions were these:
• Customers look to extant tools for solutions even though they do not necessarily know what they need and are certain no magic wand exists. …But Mandiant and others are more than willing to sell you a “wand.”
• When given more money for cybersecurity, a majority of CISOs choose human-centric solutions. …What? Where? WHO?!?! FOR FUCK’S SAKE, SHOW ME! Oh yeah… 18 CISOs. DERP.
• CISOs want information on the motives and methods of specific attackers, but there is no consensus on how such information could be used. …What have I been saying? They want it, but really it’s USELESS. Hear that, TI firms?
• Current cyberinsurance offerings are often seen as more hassle than benefit, useful in only specific scenarios, and providing little return. …But they are all the rage in making sure your ass is covered.
• The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm. …Yes, well, they have not met Dave Aitel or any of the other boys who cry CYBER PEARL HARBOR!
• CISOs lack a clear vision on incentives. …Um, not being fired?
• Information-sharing tends to live within a web of trust. …And next to the land of the unicorns with gumdrop kids.
• CISOs tend to be optimistic about the cloud, but, apart from those who sell cloud services, most are willing to be only cautious fast followers. …CLOUD IS THE NEW CYBER VIAGRA! But it isn’t the CISO’s choice, remember that CEO guy?
• CISOs are likely to assign lower priority to security-as-a-service offerings. …Well, yeah, I mean you wanna outsource everything and have nothing to control?
• CISOs, in general, are not ready to concentrate their purchases from a single vendor (but also are not sure that heterogeneity is the best solution, either). …Meh, I have seen a lot of eggs in one place lately.
The conclusions that came as surprises were the following:
• A cyberattack’s effect on reputation (rather than more-direct costs) is the biggest cause of concern for CISOs. The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data are at risk. …Ummm yeah, if you have no CUSTOMERS then you don’t have REVENUE, right? WTF.
• In general, loss estimation processes are not particularly comprehensive. …Loss estimation of future events… Say, heard of the cat-in-the-box paradox?
• The ability to understand and articulate an organization’s risk arising from network penetrations in a standard and consistent matter does not exist and will not exist for a long time. …Uhh what? WTF? If you are pwn3d and your shit stolen, you are fucked. Simple.
God… what a wankery waste of time having to read all that drivel. It gets worse, though, as they philosophize on future events with heuristics. WOOOOOO! Now that’s a read! I had to load up on extra coffee for that nonsense. Look, if you want to study this shit, great, but unless you have a solution to the problem, why waste my time? Oh, and yeah, I will be the only one reading it all, because I have taken a poll of my own that shows EXECS DON’T FUCKING READ THIS SHIT, NOR MUCH ELSE THAT SECURITY PUTS OUT!
Just sayin.
I have linked the document above, so go ahead if you like pain and read the whole 169 pages. I did, and look how well adjusted I am!
K.