The Best Laid Plans of Mice and Men
Lately, I have been thinking... I know, bad sign huh? What has been on my mind?
Well, other than using a chainsaw to remove numerous limbs and detritus from my property, I have been thinking about the state of information security today.
It seems every minute I am online (Twitter, blogs, news sites, etc.), all I hear and see is a cacophony of competing headlines and cries in the night about this issue or that which could be the end of us all!
But... if you just listen to me, or buy my product! You will be safe!
The other side of that coin is the constant flood of new vulnerabilities being located, released, and exploited while the software companies try to keep up with patches and fixes.
I feel like I am in a 1930s street set for an information-security-slanted version of “Newsies”, only without the step ball change and jazz hands.
All of this stuff just has everyone on a constant infosec overload, if you are paying attention, as many people with “security” in their titles should be. I think this all causes a general malaise, though, much of which is because it is hard to divine whom to believe and about what.
“IF” you are a cognizant and dedicated security worker at your average corporation, you must, I think, be feeling overwhelmed by it all. It seems no matter what you do, you will always have some chink in the armor that will allow for compromise.
If though, you are sleeping well at night because you have the policies and the magical shiny machines that protect your whole environment from compromise, you must be living in Narnia at the right hand of Aslan.
*Wave Security Unicorn!*
For the most part though, I am sure there are many of you out there who feel like you are being branded the “Security Cassandra”. You come to them with dark prognostications of compromise, and they look upon you as either a paranoid, delusional individual or someone to just be patted on the head and told to go back to your dark cubicle.
To you Cassandras out there, I say you are the most sane... Though, one might want to consider a career change.
Anyway, back to the task at hand here. I am writing this post to lay out the single idea that no matter the solutions, no matter the rules and check boxes filled out, you will always be compromised.
Embrace this idea, love it, hold it dear and keep it kindled like the guys from “Quest for Fire” because it is the ultimate truism today. No matter how many fancy machines, no matter how much you teach the end users and the C level execs about security, you will always have failures that will lead to compromise.
Always. “The best-laid plans of mice and men often go awry”, as the saying goes…
General Prophylaxis and “Penetration Testing”
Pentesting, who’da thought it would be a full-time job back in the early 90s, huh? It has become a general term now, often confused with security assessments or vulnerability scans, and boy, how FUBAR it has all become.
There is a movement out there now (PTES), but really, how often are the scopes of pentests so confined that they are generally useless? I have heard it many times that you can hack the heck out of the stuff given to you, but there is a TON more outside the scope that would be trivial and is left untouched because the client said “no”.
One of the more fun facts (and it was often made clear in documents from IBM) is that even after a pentest has looked at a general architecture, someone could just come in the day after and plug in a new piece of hardware or misconfigure something that would void all of the work done previously. It’s a wave form really, and once you look inside you collapse it.
So, pentesting is fun and can be very helpful in specific situations... IF people remediate their issues... But you and I and the lamp post know just how many places really remediate their problems, right? So pentesting is no general prophylaxis for security problems.
Never has... Never will be.
Oh, and it is all greatly dependent on who you hire and how good they are. That is a simple fact that companies shopping for pentesters often do not take into account. It’s a crap shoot.
Impossible! That Can’t Happen! We Checked All of the Check Boxes!
Ah yes, the inevitable security through compliance and check boxes! Wow, yeah, like no one will ever just check things off because they think no one’s gonna check, right?
Even if you check all your boxes off and you have auditors come in to look at your logs of your log reviewing activities, you still can and will be compromised!
Yes, it’s true.
Yet again, this is no guarantee of security, but all too many places think that this is the end all, be all. They carry on with their SOX audits to be in compliance with the law, but it’s a law that has as much relevance to information security and technical security as it has to epic literature.
So, any audit firms who tell you that you are going to be just fine as long as they audit you (with their non-technical auditors) on your computer security, you are being lied to... And robbed.
Meanwhile, there has been a lot of talk lately about compliance and security... I have news for you all... Compliance does not mean secure. Compliance does not mean agile, and compliance just gives middle managers something to do with their days. It has no inherent security.
The Shiny Machine That Goes PING!
Ok, on to the shiny machines that so many resellers want to get into your networks. All too many times I have sat in meetings with vendors who offer solutions that will stop the APT! Stop the MALWARE! Monitor your network flow and tell you who’s being naughty!
What was it about the walls of Troy, which were never supposed to fall, that a simple wooden horse defeated? Yeah, the aptly named Trojan of today still applies in the shiny modern world. Look at it this way: for every machine, there will always be a weakness that someone out there will find and exploit.
Likewise, for all those machines and programs that are meant to stop people from exploiting hardware and software, there will always be the guy who is exploiting the wetware. That’s right, people are the weak link... Both the attackers and the sales people know this.
Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.
Now re-read that with the word “security” in there. No matter the hardware, you still are not safe.
The Digerati, A Cacophony of Competing Blather and Snake Oil
I have been blogging now for some time and only recently have I become more aware of the flimflam going on with so many faux experts. My run-ins with the likes of Greg Evans and Craig Wright have shown me the great variation within the community and how they can be, and are, listened to by too many people. The internet is still like the wild west, and it is easy for any traveling salesman in a Conestoga wagon to show up and put out his snake oil shingle.
“Come on down and get Mr. Wright’s miracle cure! I can see you there! YOU ma’am are sick, aren’t ya! I can cure that security lumbago with this here tonic! Just two bits!”
There are too many competing opinions in the mass media and the community at large, and no coherent, stable, rational sources, I think, for security guidance. Well, there is NIST and other places, so maybe that isn’t quite a correct statement, but it seems that these shylocks get more air than NIST and others because they are so flamboyant.
And you know the more dire and scary the prognostications (Richard Clarke) the more air play they get. So, what do we do about it? Nothing... Just know that no matter what you do... You will be compromised. No need to go all Doctor Strangelove... Just accept it.
Inevitability and Jelly Donuts
“Time has little to do with infinity and jelly donuts” ~ Lt. MacReynolds Magnum P.I.
Speaking of acceptance, I have heard before the idea that it should all be approached in a 12-step way. I can agree with that, but the key point is the inevitability of compromise.
Remember, you will be compromised... Get used to the idea... Embrace it... It is inevitable.
Once you have come to terms with this, you can work toward the real work of dealing with it on a daily basis. There’s defense and there’s offense, but the reality is that both are at work every day and every day one of the two wins the day.
It’s how you deal with it that is key. Do your best, teach all that you can and know that in the end, no matter how much you try and try and try, the defenses will be beaten and your data stolen. Move on.
The Zero Sum Game
Finally, back to the title of this piece. I see infosec as an industry as a giant Rube Goldberg device, because all too many times we have way too many steps and kluges in play that are supposed to “secure” us. My point to this whole article is that NOTHING will ever be the cure-all. You can only do your best and sometimes, that means the simpler the better.
We currently have so many layers and levels that are only a panacea masking the real truth... “Security is a Zero Sum Game”.
What was it WOPR said? It was better not to play the game? Well, I am not going there, but unless every single one of you, whether you are a consultant, a pentester, or a CSO, accepts the fact that you will be compromised no matter what toys or compliance strategy you have bought into, you will ultimately fail at your jobs.
Not because you got compromised... Because you were foolhardy to believe that you wouldn’t.
All of you out there who are getting bent or fomenting ulcers over all of this... Breathe...
Cross-posted from Krypt3ia