The Nature of Infosec: A Zero Sum Game

Thursday, December 08, 2011

Infosec Island Admin
The Zero Sum Game

Lately I have been party to as well as watched debate on Twitter and other venues by my compatriots in Information Security on their woes.

The woes consist of laments about certifications like CISSP, how “Company B” is not following its policies, or just how much FUD (Fear, Uncertainty, and Doubt) there is within the business as well as how much of that is being spun by the media and vendors.

In thinking about all of this, I have come to the conclusion that security really is a “Zero Sum Game”, meaning that no matter what you do, no matter how many policies you have or how many blinking lights sit on an appliance that is alleged to keep out #APT, in the end you really have not won the day.

In fact, if you have not been hacked or abused that day, it was really just a fluke. You just can’t win.

Human Nature: The Anathema to Security (AKA The Deadly Sins... No not Seven of Them)

Now, why can’t you win? Well, one of the primary reasons that you can’t is the human element. You can draw all the nice Visio diagrams of the network you want, you can buy all the hardware you want and configure it to work securely, but eventually someone will screw up that config, either by FUBAR’ing it by accident or because some C-level exec decides he wants open access to the latest and greatest www site or game and demands that an insecure rule be added.

Well, ok, maybe I am being a little rough there... More than likely it will be some “mission critical” application that will make gazillions of dollars (maybe) and they ABSOLUTELY MUST HAVE IT! Even after we tell you that it’s not a good idea and make you sign off on the risk (if you are lucky and that actually happens in your org). So, the human element is the most dangerous of them all. Core to that element is the very nature of it... “Human Nature”.

Human nature has various components, but I will focus on a few of them for this article:

1) Laziness

2) Fear

3) Greed

4) Stupidity

Many of you might be saying “AH HA! The Seven Deadly Sins!” but, alas, no... I could not make all 7 fit into this story, so it’s the 4 deadly sins. All of these behaviours in human beings lead to security flaws being introduced and exploited, because people add them to the system. Step back and take a look at all of the problems that most of us are talking about in the community...

It’s not hardware issues... It’s wetware! From coding practices to lack of policies, to FUDDERY and Luddites running the show.

Think about it. The real problems revolve not only about 0day but the fact that people are able to “click sh*t” as someone on my f-list says in hashtag form. Skynet has it right.

Greed, FUD, Charlatanism

Ahh, one of my pet peeves lately... The FUD, The Greed, and the Charlatans. What can one say? The INFOSEC sea is filled with trawling sales sharks seeking to use buzzwords to sell their crap to unsuspecting Luddites in positions of power. We, the Infosec community, roll our eyes and try to call them on the floor as they say they can stop all APT from breaching your network!

But... In the end, most of the time it’s the Luddite with the wallet and the agenda. They all too often reach for the easy solution that comes in a shiny package and think they will be safe... Thus making us, *security*, more sickened and thinking: “Crap, why do I do this again?”

Meanwhile, you see trolls like Ligatt or others out there stealing others’ work and pimping themselves to the unwashed masses, while you, the one who has been plagiarised, cannot even mount an effective case against them because it costs 10K just to start talking about doing it.

Sure, we can send DMCA letters and we can shame them... But... My experience thus far has been that they do not go away... They just keep scuttling along like a digital cockroach.

Personally, I have called BS on so much lately in the news and being spewed by alleged “experts” that I am just inured to it now. I give up really, because no matter how much you say: “This guy’s a moron!”

The media and the masses usually aren’t listening... And the travesty goes on…

Cults of Digital Personality

Meanwhile, within our little insular community we have the cult of digerati. My tweets today about Tao *Beitlich* being case in point on this. Some people agree but for the most part, he is seen only through the vacuum of the echo chamber that he lives in. The same can be said about others out there but I don’t have time to name them all.

Look, people are people... We all have opinions but none are Gods. This whole infosec rockstar thing just shows the fact that you would love to be mainstream and loved... But... you’re geeks and don’t fit in with the beautiful people.

Frankly, many people who I would consider to be some of the best of the best never get to see the light of a camera... and they want it that way.

Look! I Can PWN THIS!

Ugh, now this... This is a whole issue unto itself that could get a separate post. However, the highlight is this...

Do you really have to pwn stuff then show it to the world just to get attention? Can we just talk about responsible disclosure a bit? Even if you tell the company in question do you give them time to fix the issue?

Then, think about this, do you even expect that the Pandora’s box you have created and just outed for the masses is going to be fixed by Jose Schmoe and his company who then get compromised from your little baby?

I think more can be done on this issue... I just wanted to toss that out there though.

Certificate BINGO!

Lastly, the certificate BINGO or, as I see it, the Certificate Mafia. Being certified means frak. However, as per my Twitter reposts yesterday, it is the go-to for employment today, even though the said certified person may not be capable of doing the said job.

Certs are subjective really, as is the notion that if you went to college you are capable of doing anything well other than drinking and throwing toilets out of dorm windows.

Simple as that.

So, all this talk about CISSP for instance... I agree... It’s BS... The board needs a shake-up, but we shall see what happens with the new members. However, yet again, we are forced to deal with human nature and people’s proclivities to believe in things because they have a title or a set of initials attached to their names.

Cross-posted from Krypt3ia

Gabriel Bassett I feel you man. However, I think there's a small window that security pros often ignore. Instead of saying "I can't secure this X without Y.", they should say "I've got Y, how much can I secure with it?" I took that approach once and made HUGE gains. Were things perfect? Not at all. Did we make it extremely hard? Absolutely! (Maybe I should write a blog about what you can do with just what you have: zero cost security.)

Ultimately, your first question was right. "Did I get hacked today?" Fight the battle daily. You can't win in perpetuity, but you can win each day. And on the day you lose (because no-one wins every day), realize you lost and make sure the next day you've kicked them out and collected enough intel indicators to keep them out for a while.

Ultimately, this isn't an engineering fight. This is an Operations fight. Engineering supports it. Intel supports it, but you win or lose in operations. Don't have operations? Now you know why you're losing.
Gabriel Bassett Ignore the two 'ultimatelies'. I had a second last thought after I had my first last thought. =).

Also, a general comment, not directed at anyone.