Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘New Age INFOSEC’ Category

Security Outsourcing: A.I. and Geographic

This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.

Recent events have gotten me thinking about outsourcing in the knowledge economy, and in particular in the information security economy, as it is my speciality. With the advent of A.I. in the form of the LLMs out there now, and others being created and implemented, the landscape is already changing quickly in the security space. However, that is only one force at work today; the other is of course the economic pressure and direction of the current economy.

I have been seeing a trend. As I was unemployed for three months, job seeking was part of my daily grind. In the process, I was seeing trends not only in the reqs that were out there but also, through interviews and rejections, it became clear that the trend is “Do more with less.” By proxy, this also means do more with less skilled people, force people into multi-role single positions, and generally pay much less for experience if possible, and if not, hire less skilled individuals and hope for the best outcome.

The tech layoffs that have been taking place this year and part of last are not over, and with them comes a purge of salaries and a bent by corporations to drive down pay for security operations. It has been talked about in news articles already, and all you really have to do is look at Mastodon or Twitter of late to see how many people you know in the community getting laid off and seeking work. Add to this the prospect of augmenting, if not replacing, knowledge-economy workers with A.I., and you have a potent mixture of incentives for corporations not only to cut head count but also to outsource potential work to less skilled and cheaper sources of labor.

What this means for the moment is that the earlier cries that there were not enough “skilled” security workers have died down to murmurs, if not been silenced altogether, in favor of a cheaper and more amenable fiscal alternative that CFOs like better, e.g. hire all those unskilled or underskilled workers and save the Benjamins. This of course doesn’t make the security of the corporation any better, but hey, we have cyber insurance!

We are good.

All of you should have no illusions that your company really cares about security. The security of the data they hold for their clients and their own IP even, isn’t a commodity that they consider to be paramount. Security has always been a cost center, and even today in the midst of all the hacking and leaking as well as geopolitical attacks happening, corporations are much more about the bottom line than they are about the ethics of security. So, what does it all mean?

Buckle up kids… It’s gonna be a rough ride.

In addition to this bent toward cheaper labor comes the thorny issue of outsourcing tech jobs to other nations that are certainly cheaper, and I have seen this happening as well. In one case, I was trying to hook up a mentee with a job, only to be told that because they had an OSCP and were in the USA, they could not be hired because they were cost prohibitive.

You read that right: OSCP, and too expensive for an org that is making money hand over fist. Trust me, the company is flush, but it is also known to be cheap, with the owner raking in the money like a Russian oligarch sucking the collective’s carotid artery. This will be the wave of the near future, I suspect. Perhaps this will change once companies are hacked or governments make companies more responsible for their security, but I won’t hold my breath.

Meanwhile, the A.I. movement is already building capabilities, with the likes of Microsoft announcing its implementation into CoPilot.

The above image is a screenshot from an article released last week about the implementation of A.I. into CoPilot. Yeah, seems to be adding fuel to the fire, right? Well, Microsoft is only reading the auguries really; they aren’t stupid. So, what does this mean? Well, soon enough, the A.I. will be at a point where skilled labor will be a nicety instead of a need, and corporations will gobble that shit up.

More on CoPilot: Microsoft brings GPT-4-powered Security Copilot to incident response and Microsoft Puts ChatGPT to Work on Automating Cybersecurity

See, the problem isn’t the A.I. or that it exists; it is the greed and the inability to comprehend the issues that could arise from its use, which will adversely affect society. We may have created A.I., but we are still simple tool users who want a path of least resistance to doing work. Societally as well, we are in no way capable of having a true utopian ideal, because we are still too unenlightened to seek the benefit of all over the one.

Anyway, I asked ChatGPT-4 about the problems around its use in something like CoPilot and this is what it puked out…

It’s not wrong…

K.

The integration of ChatGPT-4 capabilities into security products like Microsoft’s CoPilot can have a transformative effect on the information security landscape. As corporations increasingly adopt AI-powered tools, it’s crucial to consider how these technologies might lead to the replacement of high-paid information security workers and enable less skilled workers to take over certain functions in the field.

  1. Cost reduction: Corporations are always seeking ways to reduce operational costs, and by leveraging AI-powered tools like ChatGPT-4, they may be able to replace some high-paid information security professionals with lower-cost alternatives. This could lead to cost savings for the organization.
  2. Upskilling and reskilling: With AI-powered tools like ChatGPT-4, less skilled workers can be trained to perform tasks previously handled by highly skilled professionals. This upskilling and reskilling can provide opportunities for employees to move into information security roles while using AI as a support system.
  3. Streamlined processes: AI-powered tools can automate and simplify complex processes, enabling less skilled workers to perform tasks that previously required expert knowledge. This streamlining of tasks can lead to increased efficiency and effectiveness in information security operations.
  4. Enhanced decision-making: ChatGPT-4 can help less skilled workers make better decisions by providing real-time insights, recommendations, and contextual information. This can empower these workers to take on responsibilities that may have been reserved for highly skilled professionals in the past.

However, there are potential challenges and risks that corporations must consider:

  1. Loss of expert knowledge: The replacement of highly skilled professionals with less skilled workers may lead to a loss of expert knowledge and experience, which could negatively impact the quality of information security operations.
  2. Over-reliance on AI: Relying too heavily on AI tools like ChatGPT-4 could lead to complacency among less skilled workers, who may not have the experience or knowledge to recognize when AI-generated recommendations are inaccurate or incomplete.
  3. Ethical considerations: The displacement of high-paid information security professionals raises ethical concerns regarding the impact on job security, employee well-being, and long-term career prospects.
  4. AI limitations: While AI technologies have made significant advancements, they are not infallible and still require human oversight, particularly in complex and evolving fields like information security.

In conclusion, while ChatGPT-4 and similar AI-powered tools have the potential to enable less skilled workers to take on functions in information security, it’s essential for corporations to weigh the benefits and risks carefully. Organizations must maintain a balance between leveraging AI technologies and preserving the human expertise that is crucial for effective information security operations.

Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this publication.

Written by Krypt3ia

2023/04/03 at 11:11

SEC BURNOUT and The Psychology of Security

Recent Days of Whine and Wiping of Noses:

Recently I have had my sensibilities assaulted by the whining on my Twitter feed, coming from soundbites from Source Boston as well as others talking about INFOSEC burnout and community communication issues. What really grinds my gears is the sense that we are all just helpless mental geniuses who need to learn how to communicate better to do our jobs more effectively, as well as the whole “Woe is me, no one listens to me” bullshit I keep seeing reverberate across the community. Well, I am here to tell you right now to stop blubbering, put on your big girl/boy/transgendered pants, and cut it out.

Last week I had a long back and forth with someone who is “studying” INFOSEC burnout, and throughout the conversation (yes, hard really in 140 chars… yes yes yes, I know, Beau) I could not get them to nail down exactly how they were “studying” it, nor what the efficacy of doing so would be. What are the ends that justify the means of this study? Was there to be a self-help book? Or are you just having a kumbaya “I’m in INFOSEC and no one listens to me!” bitch session at each conference?

At the end of the day people got hissy, and I began to think more and more about just how entitled this community thinks it is, as well as how smart they “think” they are. So smart that they can’t get past a problem that, properly studied, would likely give you all some perspective and perhaps solace, and this chaps my ass. While some of you out there are vocally being the new INFOSEC Dr. Phils, others just go about their day in the war and do their jobs without whining about it.

Not all of us have INFOSEC Jesus complexes.

The Problem Statement:

So here’s the general feeling I get from what I have seen (yes, I went to an infosec burnout presentation) from the community on this whole burnout thing.

  • We can’t win the war and it’s hard to even win battles
  • The job is hard because the adversaries have no rules while we do
  • We are constrained by our managements
  • Our end users are morons
  • We’re the God damned smartest people in the room and no one listens to us!
  • We are just perceived as an obstacle to be bypassed or ignored

I am sure there are other complaints that weigh heavily upon the INFOSEC brow, but these are the biggies, I trust. Perhaps a real study with a real psychological questionnaire is required to get some analytical data to use for a proper problem statement, but to date I have seen none. While I agree we work in a tough field from the perspective of “winning” the day, and yes, we are looked upon by the masses as an impediment and a cost centre, this is not the problem set we need to work on. I propose that this problem set is the most self-centered and useless one making the rounds today and smacks of every bad pop psychologist’s wet dream of making it big.

In other words: you are all problem solvers. Solve the god damned problem by studying the root causes and then implement what fixes you can come up with. What you are dealing with is human nature, the mechanics of the human brain, and the psychology that goes along with all of this. Apply that laser-like focus you all claim you have to the problem set and you will in fact come to some conclusions, and perhaps even answers, that will make you see the problem in a pragmatic way. Once you do this you can rationalize all of these problems at the end of the day and hopefully get past all this self-centered bullshit.

Then again, this is a community full of attention seekers and drama llamas, so your mileage may vary.

The Psychology of Security:

Once, a long time ago, I found Bruce Schneier relevant. Today I don’t think of his mumblings as at all useful; however, he did write an essay on Psychology and Security that was pretty damn prescient. I suggest you all click on that link, read his piece on this, and then sit back and ponder your careers for a while. What Bruce rightly pointed out is that our brains were wired for “fight or flight” at a core level back when we lived on the great savannah, and that the amygdala (lizard brain) is often at odds with the neocortex (the logical brain), whose heuristics oftentimes help us take shortcuts in decision making through pattern recognition and jumping to conclusions, to save brain cycles on the complex data that is always coming at it.

What Bruce and others out there have pointed out is that all of our experiences in security, good and bad, are predicated on the fact that the primates at the keyboards are the problem set at the core of the issues. We create the hardware and software that is vulnerable. We are the ones finding and creating the vulnerabilities that are exploited by bad people. We are the ones who, at a core level, cannot comprehend the security values and problems, because on average we are not wired to comprehend them, due to the way the brain formed and still works today. There are certain problems of psychology and brain wiring on the one hand, and then there are the social and anthropological issues that also play a part in the problem statement. All of these things can and do hinder “security” being something that is generally comprehended and acted upon properly as a society and a species, and they play into our day-to-day troubles as INFOSEC workers; we need to understand this.

So, when I hear people decrying that security is hard and that they are burned out because you can’t win, or that the client/bosses/those in charge do not listen to you, please step back and think about Schneier’s essay. The cognitive work of comprehending these things is not necessarily the easiest thing for the masses. Perhaps YOU are just the Asperger’s sufferer who is wired differently to get it; had you ever considered that?

Security is a complex issue, and you, INFOSEC worker, hacker, Asperger’s sufferer, should look upon all of this as a tantalizing problem to solve. Not to whine about and then turn on its ear, saying that you need to be softer and listen to your clients/bosses to hear their woes. We all have problems, kids. It’s just a matter of looking at the root of the issues and coming up with solution statements that work. In the case of the brain and cognition we have our work cut out for us. Perhaps someday someone will come up with a nice framework to help us all manipulate the brain to understand the issues and cognate it all efficiently… Perhaps not. Until then, just take a step back and think about the issues at hand.

A Pragmatic Approach To Your Woes:

So, with the problem statement made above, what does one have to do to deal with the cognitive problems we face, as well as our own feelings of inadequacy in the face of them? The pragmatist would give you the following advice:

  • It is your job to inform your client/bosses of the vulnerabilities and the risks
  • It is your job ONLY to inform them of these things and to recommend solutions
  • Once you have done this it is up to them to make the decisions on what to do or not do and to sign off on the risks
  • Your job is done (except if you are actually making changes to the environment to fix issues)

That’s really all it’s about, kids. YOU are a professional who has been hired to be the canary in the coal mine. You can tweet and twitter all you like that the invisible gas is headed your way to kill you all, but if the miner doesn’t listen… well, you die. If you want to change this problem statement then you need to understand the problems cognitively, socially, and societally (corporately as well) to manipulate them in your favour at the most. At the least, you need to understand them to deal with them and not feel that burnout that everyone seems to be weeping about lately.

Look at it this way: the security issues aren’t going to go away. The fact of the matter is they will only increase as we connect every god damned thing to the “internet of things,” so our troubles protecting ourselves on the digital savannah from that “cyber tiger” (copyright and trademark to me… derp) are not going to diminish. Until such time as the brain re-wires or we as a society come to grips with the complex issues of the technologies we wield today, we as security workers will need to just deal with it. Either we learn to manipulate our elephants, or we need to get out of the business of INFOSEC and just go hack shit.

Catharsis:

Finally, one comes to a cathartic state when one realizes that only YOU can fix your problems coping with your work. Sure, people can feel better if they sit around and bitch about their problems, but that won’t stop their problems from being problems, will it? Look at the issues as a problem statement, Mr. or Miss/Mrs. security practitioner, as a problem to hack. Stop being a whiny bunch of bitches and work it out.

HACK THE GOD DAMNED SYSTEM!

Failing that, come to accept the problems and put yourself in the place where you are just the Oracle at Delphi. You impart your wisdom, say “Your mileage may vary,” and be done with it. Until such time as you manipulate the means by which you get this across to the company’s management and they make a logical decision based on real risk, you just have to accept it. If your place of work has no real risk acceptance process, then I suggest you get one put in place or perhaps find a new job. You are not Digital Jesus. You can’t fix everything, and you cannot fix those who are broken like Jesus did in healing the blind and making a hell of a lot of fish sandwiches from one tuna can.

Either understand and come up with a way to fix the problem or accept it for what it is and move on.

Stop the whining.

K.

Written by Krypt3ia

2014/04/13 at 12:22