Blame the Silver Heads?

Tuesday, July 17, 2012

Ian Tibble


I would like to start by issuing a warning about the content in this article. I will be taking cynicism to the next level, so the baby-eyed, and "positive" among us should avert their gaze after this first paragraph.

For those in tune with their higher consciousness, I will summarise: Can we blame the C-levels for our problems? Answer: No.

Ok, pass on through now. More positive vibes may be found in the department of delusion down the hall.

The word "salt" was for the first time ever inserted into the hall of fame of Information Security buzzwords after the LinkedIn hack infamy, and then Yahoo came along and spoiled the ridicule-fest by showing to the world that they could do even better than LinkedIn by not actually using any password hashing at all.

There is a tendency among the masses to latch onto little islands of intellectual property in the security world. Just as we see with "cloud", the "salt" element of the LinkedIn affair was given plenty of focus, because as a result of the incident, many security professionals had learned something new - a rare occurrence in the usual agenda of tick-in-box-marking that most analysts are mandated to follow.

With LinkedIn, little coverage was given to the tedious old nebulous "compromise" element, or "how were the passwords compromised?". No - the "salt" part was much more exciting to hose into blogs and twitter - but with hundreds of analysts talking about the value of "salting", the value of this pearl of wisdom was falling exponentially with time - there was a limited amount of time in which to become famous.

If you were tardy in showing to the world that you understood what "salting" means, your tweet wouldn't be favourite'd or re-tweeted, and the analyst would have to step back off the stage and go back to their usual humdrum existence of entering ticks in boxes, telling devs to use two-factor authentication as a matter of "best practices", "run a vulnerability scanner against it", and such ticks related matters.

Infosec was down and flailing around helplessly, then came the LinkedIn case. The inevitable fall-out from the "salting" incident (I don't call it the LinkedIn incident any more) was a kick of sand in the face of the already writhing information security industry.

Although I don't know of any specific cases, based on twelve happy years of marriage with infosec, I'm sure they're as abundant as the stars and occurring as I write this. I am sure that nine times out of ten, whenever devs need to store a password, they are told by CISSP-toting self-righteous analysts (and blindly backed up by their managers) that it is "best practice" and "mandatory" to use salting with password hashing - regardless of all the other factors that go into making up the full picture of risk, the operational costs, and other needless over-heads.

There will be times when salting is a good idea. Other times not. There cannot be a zero-value proposition here - but blanket, parrot-fashion advisories are exactly that.

The subject matter of the previous four paragraphs serves as a recent illustrator of our plight in security. My book covers a much larger piece of the circus-o-sphere and its certainly too much to even to try to summarise here, but we are epic-failing on a daily basis.

One of the subjects I cover in Security De-engineering is the role of C-Level executives in security, and I ask the question "can we blame the C-levels" for the broken state of infosec?

Let's take a trip down memory lane. The heady days of the late 90s were owned by technical wizards, sometimes known as Hackers. They had green hair and piercings. If a CEO ran some variant of a Windows OS on her laptop, she was greeted with a stream of expletives.

Ok, "best practices" was nowhere to be seen in the response, and it is a much more offensive swear-phrase than any swear word I can think of, but the point is that the Hacker's reposte could be better.

Hackers have little or no business acumen. They have the tech talent that the complexities of information security afford, but back when they worked in infosec in the late 90s, they were poorly managed. Artists need an agent to represent them, and there were no agents.

Hackers could theoretically be locked in a room with a cat-flap for food and drink, no email, and no phone. The only person they should be allowed to communicate with is their immediate security line manager. They could be used as a vault of intellectual capital, or a Swiss army knife in the organisation.

Problem was - the right kind of management was always lacking. Organisations need an interface between themselves and the Hackers. No such interface ever existed unfortunately.

The upper levels of management gave up working with Hackers for various reasons, not just for scaring the living daylights out of their normal earthling colleagues. Then came the early noughties. Hackers were replaced by respectable analysts with suits and ties, who sounded nice, used the words "governance" and "non-repudiation" a lot, and didn't swear at their managers regardless of ineptitude levels. The problem with the latter CASE (Checklist and Standards Evangelist) were illustrated with the "salting" debacle and LinkedIn.

There is a link between information and information security (did you notice the play on words there - information was used in..."information"... and also in... "information security" - thereby implicating that there might just be a connection). The CASE successor to the realm actually managed to convince themselves (but few others in the business world) that security actually has nothing to do with information technology. It is apparently all about "management" and "processes".

So - every analyst is now a "manager"?! So who in the organisation is going to actually talk to ops and devs and solve the risk versus cost of safeguard puzzles? There are no foot soldiers, only a security department composed entirely of managers.

Another side of our woes is the security products space. Products have been lobbied by fierce marketing engines and given ten-out-of-ten ratings by objective information security publications. The products supposedly can automate areas of information risk management, and tell us things we didn't already know about our networks. The problem is when you automate processes, you're looking for accurate results. Right?

Well, in certain areas such as vulnerability assessment, we don't even get close to accurate results - and vulnerability assessment is one area where accuracy is sorely needed - especially if we are using automation to assess vulnerability in critical situations.

Some product classes do actually make some sense to deploy in some business cases, but the number of cases where something like SIEM (for example) actually make sense as as an investment is a small number of the whole.

Security line managers feel the pressure of compliance as the main part of their function. In-house advice is pretty much of the out-house variety in most cases, and service providers aren't always so objective when it comes to advsing their customers on technology acquisition. Products are commonly purchased as a show of diligence for clueless auditors and a short cut to a tick-in-a-box.

So the current security landscape is one of a lack of appropriate skills, especially at security line-management level, which in turn leads to market support for whatever bone-headed product idea can be dreamed up next. The problems come in two boxes then - skills and products.

Is it the case that security analysts and line managers are all of the belief that everything is fine in their corner? The slew of incidents, outgoing connections to strange addresses in eastern Europe, and the loss of ownership of workstation subnets - it's not through any fault of information security professionals? I have heard some use the excuse "we can never keep out bad guys all the time" - which actually is true, but there is little real confidence in the delivery of this message.

Even with the most confidence - projecting among us, there is an inward sense of disharmony with things. We all know, just from intuition, that security is about IT (not just business) and that the value we offer to businesses is extremely limited in most cases.

CEOs and other silver-heads read non-IT publications, and often-times incidents will be reported, even in publications such as the Financial Times. Many of them are genuinely concerned about their information assets, and they will ask for updates from someone like a CISO.

It is unlikely the case, as some suggest, they don't care about information security and it is also unlikely, as is often claimed, that security budgets are rejected minus any consideration. If there is really no consideration given, there's probably a historical element at play - such as years of asking for expensive enterprise products with no returns.

CEOs will make decisions on security spending based on available information. Have they ever been in a position where they can trust us with our line reporting? Back in the 90s they were sworn at with business-averse rhetoric. Later they were bombarded with IT-averse rhetoric, green pie charts from expensive vulnerability management suites, delivered with a perceptible lack of confidence in analyst skills and available tools.

So can we blame CEOs? Of course not, and our prerogative now should be re-engineering of skills, with a better system of "graduation" through the "ranks" in security, and an associated single body of accreditation (Chapter 11 of Security De-engineering covers this in more detail).

With better skills, the products market would also follow suit and change radically. All of this would enable CISOs to report on security postures with confidence, which in turn enables trust at the next level up the ladder.

The idea that CEOs are responsible for all our problems is one of the sacred holy cows of the security industry (along with some others that I will be covering). Ladies and gentlemen: security analysts, managers, self-proclaimed "Evangelists", "Subject Matter Experts", ad infinitum are responsible for the problems. Lets look at ourselves before blaming others.

Cross-posted from Security Macromorphosis

Possibly Related Articles:
Information Security
Best Practices Due Diligence Leadership Network Security CISO Information Security Infosec Executives Professional
Post Rating I Like this!
Michael Johnson Hackers have little or no business acumen. They have the tech talent that the complexities of information security afford, but back when they worked in infosec in the late 90s, they were poorly managed. Artists need an agent to represent them, and there were no agents.

It's gone totally the other way, and therein lies our problem. So much management talk and emphasis on processes, policies, procedures, etc., and so few hackers with the skills and ability to 'think outside the box'.

Back in my early days, I felt safest using the Internet with a total geek of an IT technician to guide me. I had no doubts whatsoever in his ability to control the situation should something go horribly wrong, and he wasn't even a security guy. He simply had a good awareness of the threats/risks, and enough mastery over the technology to counter those threats.
It's this type of trust and confidence we must inspire in those who rely on us.
Ian Tibble True Michael. The trust and confidence starts at the bottom. If the infosec manager doesn't have much faith in her team, the whole infosec strategy reverts to its current state of being purely compliance driven.
Also the analysts need to feel that their interests are well-served and performance rewarded. Being the manager at this level can be very tough indeed. Better to have "graduated" from several years as a talented analyst. Any other approach is more likely to result in dictatorship rather than leadership.
Gregory MacPherson No, you are mistaken.

Yes the imperious social skills of hackers and the misinformation of the unwashed managerial masses have corrupted and confused the security issues. However security needs to be driven from the top down, no exceptions. If I had space I would offer chapter and verse on this. Suffice to say that people whose main goal in life is to 'maximize shareholder value' are NOT the proper people to be making engineering decisions. There needs to be a Chief Engineer (Scotty) who is responsible and accountable to the business people on matters pertaining to infosec. That Chief Engineer needs to be an engineer - a CS graduate, not an MBA or CFO or other non-technical person. And part of their job description should include being able to be antisocial and vulgar if and when they deem it necessary.

One salty haired engineer put it to me this way: when he was asked by the head business ch0ad why everyone else always agreed with him and this person always argued with him, his response was, "Their job is to kiss your ass, and my job is to cover your ass!"

Ian Tibble Nope, we seem to be on the same page actually.

"trust and confidence starts at the bottom" doesn't mean security is driven from the bottom, although from the rear-end is from where it originated, and nothing much has changed since.

anti-social and vulgar - kind of irrelevant really. Being anti-social and vulgar did put more strain on the security manager to justify such behaviour - it made her job harder than it should be in reporting up the chain. Thing is, the management at the lower levels was as you mentioned "MBA or CFO or other non-technical person". They were ineffective in managing security and hackers. They weren't able to justify why being vulgar and crusty is not just ok, it's mandatory.

I prefer sarcasm and cynicism and never trust an IT person who isn't cynical about everything.

The early noughties were a nightmare. Cynicism died out. Nobody spoke the truth any more in security. Cynicism was replaced by unfounded joy of doing...well not much at all really, other than putting ticks in boxes. Zen stole the day, and the self-righteousness of the CASE led us to where we are today.

Of course the other thing that led to hackers being ousted was Nessus and other such deadly malware. Again though, it was the job of the security manager to stand between the hackers and the hoardes who wanted them off the pay-roll. There was no such representation.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.