I would like to start by issuing a warning about the content in this article. I will be taking cynicism to the next level, so the baby-eyed, and "positive" among us should avert their gaze after this first paragraph.
For those in tune with their higher consciousness, I will summarise: Can we blame the C-levels for our problems? Answer: No.
Ok, pass on through now. More positive vibes may be found in the department of delusion down the hall.
The word "salt" was for the first time ever inserted into the hall of fame of Information Security buzzwords after the LinkedIn hack infamy, and then Yahoo came along and spoiled the ridicule-fest by showing to the world that they could do even better than LinkedIn by not actually using any password hashing at all.
There is a tendency among the masses to latch onto little islands of intellectual property in the security world. Just as we see with "cloud", the "salt" element of the LinkedIn affair was given plenty of focus, because as a result of the incident, many security professionals had learned something new - a rare occurrence in the usual agenda of tick-in-box-marking that most analysts are mandated to follow.
With LinkedIn, little coverage was given to the tedious old nebulous "compromise" element, or "how were the passwords compromised?". No - the "salt" part was much more exciting to hose into blogs and twitter - but with hundreds of analysts talking about the value of "salting", the value of this pearl of wisdom was falling exponentially with time - there was a limited amount of time in which to become famous.
If you were tardy in showing to the world that you understood what "salting" means, your tweet wouldn't be favourite'd or re-tweeted, and the analyst would have to step back off the stage and go back to their usual humdrum existence of entering ticks in boxes, telling devs to use two-factor authentication as a matter of "best practices", "run a vulnerability scanner against it", and such ticks related matters.
Infosec was down and flailing around helplessly, then came the LinkedIn case. The inevitable fall-out from the "salting" incident (I don't call it the LinkedIn incident any more) was a kick of sand in the face of the already writhing information security industry.
Although I don't know of any specific cases, based on twelve happy years of marriage with infosec, I'm sure they're as abundant as the stars and occurring as I write this. I am sure that nine times out of ten, whenever devs need to store a password, they are told by CISSP-toting self-righteous analysts (and blindly backed up by their managers) that it is "best practice" and "mandatory" to use salting with password hashing - regardless of all the other factors that go into making up the full picture of risk, the operational costs, and other needless over-heads.
There will be times when salting is a good idea. Other times not. There cannot be a zero-value proposition here - but blanket, parrot-fashion advisories are exactly that.
The subject matter of the previous four paragraphs serves as a recent illustrator of our plight in security. My book covers a much larger piece of the circus-o-sphere and its certainly too much to even to try to summarise here, but we are epic-failing on a daily basis.
One of the subjects I cover in Security De-engineering is the role of C-Level executives in security, and I ask the question "can we blame the C-levels" for the broken state of infosec?
Let's take a trip down memory lane. The heady days of the late 90s were owned by technical wizards, sometimes known as Hackers. They had green hair and piercings. If a CEO ran some variant of a Windows OS on her laptop, she was greeted with a stream of expletives.
Ok, "best practices" was nowhere to be seen in the response, and it is a much more offensive swear-phrase than any swear word I can think of, but the point is that the Hacker's reposte could be better.
Hackers have little or no business acumen. They have the tech talent that the complexities of information security afford, but back when they worked in infosec in the late 90s, they were poorly managed. Artists need an agent to represent them, and there were no agents.
Hackers could theoretically be locked in a room with a cat-flap for food and drink, no email, and no phone. The only person they should be allowed to communicate with is their immediate security line manager. They could be used as a vault of intellectual capital, or a Swiss army knife in the organisation.
Problem was - the right kind of management was always lacking. Organisations need an interface between themselves and the Hackers. No such interface ever existed unfortunately.
The upper levels of management gave up working with Hackers for various reasons, not just for scaring the living daylights out of their normal earthling colleagues. Then came the early noughties. Hackers were replaced by respectable analysts with suits and ties, who sounded nice, used the words "governance" and "non-repudiation" a lot, and didn't swear at their managers regardless of ineptitude levels. The problem with the latter CASE (Checklist and Standards Evangelist) were illustrated with the "salting" debacle and LinkedIn.
There is a link between information and information security (did you notice the play on words there - information was used in..."information"... and also in... "information security" - thereby implicating that there might just be a connection). The CASE successor to the realm actually managed to convince themselves (but few others in the business world) that security actually has nothing to do with information technology. It is apparently all about "management" and "processes".
So - every analyst is now a "manager"?! So who in the organisation is going to actually talk to ops and devs and solve the risk versus cost of safeguard puzzles? There are no foot soldiers, only a security department composed entirely of managers.
Another side of our woes is the security products space. Products have been lobbied by fierce marketing engines and given ten-out-of-ten ratings by objective information security publications. The products supposedly can automate areas of information risk management, and tell us things we didn't already know about our networks. The problem is when you automate processes, you're looking for accurate results. Right?
Well, in certain areas such as vulnerability assessment, we don't even get close to accurate results - and vulnerability assessment is one area where accuracy is sorely needed - especially if we are using automation to assess vulnerability in critical situations.
Some product classes do actually make some sense to deploy in some business cases, but the number of cases where something like SIEM (for example) actually make sense as as an investment is a small number of the whole.
Security line managers feel the pressure of compliance as the main part of their function. In-house advice is pretty much of the out-house variety in most cases, and service providers aren't always so objective when it comes to advsing their customers on technology acquisition. Products are commonly purchased as a show of diligence for clueless auditors and a short cut to a tick-in-a-box.
So the current security landscape is one of a lack of appropriate skills, especially at security line-management level, which in turn leads to market support for whatever bone-headed product idea can be dreamed up next. The problems come in two boxes then - skills and products.
Is it the case that security analysts and line managers are all of the belief that everything is fine in their corner? The slew of incidents, outgoing connections to strange addresses in eastern Europe, and the loss of ownership of workstation subnets - it's not through any fault of information security professionals? I have heard some use the excuse "we can never keep out bad guys all the time" - which actually is true, but there is little real confidence in the delivery of this message.
Even with the most confidence - projecting among us, there is an inward sense of disharmony with things. We all know, just from intuition, that security is about IT (not just business) and that the value we offer to businesses is extremely limited in most cases.
CEOs and other silver-heads read non-IT publications, and often-times incidents will be reported, even in publications such as the Financial Times. Many of them are genuinely concerned about their information assets, and they will ask for updates from someone like a CISO.
It is unlikely the case, as some suggest, they don't care about information security and it is also unlikely, as is often claimed, that security budgets are rejected minus any consideration. If there is really no consideration given, there's probably a historical element at play - such as years of asking for expensive enterprise products with no returns.
CEOs will make decisions on security spending based on available information. Have they ever been in a position where they can trust us with our line reporting? Back in the 90s they were sworn at with business-averse rhetoric. Later they were bombarded with IT-averse rhetoric, green pie charts from expensive vulnerability management suites, delivered with a perceptible lack of confidence in analyst skills and available tools.
So can we blame CEOs? Of course not, and our prerogative now should be re-engineering of skills, with a better system of "graduation" through the "ranks" in security, and an associated single body of accreditation (Chapter 11 of Security De-engineering covers this in more detail).
With better skills, the products market would also follow suit and change radically. All of this would enable CISOs to report on security postures with confidence, which in turn enables trust at the next level up the ladder.
The idea that CEOs are responsible for all our problems is one of the sacred holy cows of the security industry (along with some others that I will be covering). Ladies and gentlemen: security analysts, managers, self-proclaimed "Evangelists", "Subject Matter Experts", ad infinitum are responsible for the problems. Lets look at ourselves before blaming others.
Cross-posted from Security Macromorphosis