Infosec Subjectivity: No Black and White

Monday, June 04, 2012

Dave Shackleford


I have noticed a trend in the infosec community over the past few years. A new idea or concept emerges, a few “thought leaders” espouse or eschew it, and most of the rest simply go along with whichever “yes” or “no” the leaders settled on.

Sure, there’s a bit of debate, but it seems to be largely confined to a similar group of rabble-rousers and trouble makers (of which I am one, unabashedly).

Overall, though, here’s the rub: there are almost no security absolutes. Aside from a few obvious ones (bad coding practices, still running WEP, hiring Ligatt Security to protect you, and so on), everything falls into the gray area.

Let me say that again: there is no black, there is no white, only gray. Why? Because each case is different: every company, every environment, every person and how they operate. Many decry buzz-laden, overhyped acronym technologies like DLP, yet there are companies getting immense value out of DLP today. So no, it’s not just crap.

What about compliance? Plenty of organizations see it as a headache, sure, but many really benefit from a structured approach and some form of continual oversight or monitoring. So again, no absolutes. Here are some other examples, drawn from what I have observed through consulting, being a practitioner in end-user organizations, teaching, and simply debating these topics:

Security awareness: Some would argue security awareness programs are beneficial. If even five people change their behavior to be more security-conscious, that’s a win, right? I recently argued that these *traditional* programs are worthless, and speculated that building security in is a better option. A guy I like and respect a lot, Ben Tomhave, argued that I’m totally off base, and that connecting people to the consequences of their actions is the better move.

Who’s right? Really, there’s a very solid chance we both are. One organization may take a draconian lockdown approach, another the “soft side”, but in reality some of both is probably what’s needed. A great debate, and one that’s likely to continue for some time.

Metrics: This is another area where people tend to hold wildly polar beliefs. Metrics rule! Metrics suck! Those who have latched onto the Drucker mentality that you cannot manage what you cannot measure largely fill the former camp; those who are just trying to keep their heads above water often say metrics are a waste of time. I’ve actually changed my position on metrics a few times. For me it’s one of those areas I just can’t draw a good bead on, and thus it falls squarely into the gray.

My friend Alex Hutton is a huge proponent of metrics, and worked hard to overhaul last year’s Metricon conference. Alex believes in metrics, and he’s a smart dude. Many others have argued that we’re trying desperately to “fit” security into the business, and that it’s a square peg in a round hole. Another tough one: what do we measure? How do we do it? What are the tangible benefits? On the other side, if we DON’T measure things, how do we have a clue what is going on?

Pen Testing: Pen tests are awesome. Wait, no, they’re a total waste of time. But we need them for compliance?! And yet another gray area emerges. I do a lot of pen tests, and I would love to think they have value when I do them. But I’ve seen plenty of cases, and plenty of customers, where they are performed just to check a compliance box. So what’s the answer? Hmmmm.

This list can go on and on. But infosec is such a subjective area that I think we all have to step back sometimes and realize that our passion and desire to “get things fixed” almost always comes with the caveat that one size seldom fits all. I am guilty of this. I think many in the “echo chamber” are too, sometimes.

The pendulum will swing one way, then another, but almost always settles somewhere in the middle… the gray area. I’m going to try harder to be more open-minded and to understand other points of view, even on topics I feel passionate about. Sounds like a New Year’s resolution, I know. But who puts a damn time frame on these things!?

They surely must be wrong.

Cross-posted from ShackFoo

Ian Tibble: This reminds me of a conversation I had with service provider managers some time ago. They wanted white or black because it’s simple that way. I had to say sorry, because I could only give them grey. Adding some zen... go ahead and tell your customers that it’s black or white, but it will come back to haunt you at some point... maybe.

We can often be quite specific about the color, especially if we're closer to the information in security (runs for cover), but yes, even then we are doing this with a handful of conditions applied...the complexity makes it all really grey.

Taking your example of pen tests, we are more aware of the greyness of the beast if we have plenty of experience of having conducted manual unrestricted tests.

In pen testing, it is grey, you’re right. There is a slider... If both in-house analysts and testers are inexperienced, we can say the colour veers towards the “waste of time” black or white end of the spectrum. As we push the slider up on the “experience” dial, the colour changes and moves further away from the “waste of time” colour... but there are caveats... unrestricted, knowledge of OS controls, etc. It’s still grey. I would venture that if we know our OS and databases well, why do infrastructure pen testing (not talking about application testing)? But then there’s always a chance that even the best analyst can miss something. It’s grey.

Awareness... could argue that we shouldn’t do it because human nature dictates that in a company of 1000s there WILL be a problem with clicking on the wrong link and so on, so let’s just assume that something bad will happen. But then... if you have a decent awareness program, does it reduce the likelihood of problems down the road? It’s grey.

Security is complex and it can seem like we can’t win at times, but let’s, you know, analyse stuff. It might even help us at some point, even if everything is grey. Doing security with checklists and best practices: this is a black and white approach.

Embrace the greyness folks!!
