Sunday, September 5, 2010

Security in the media - truth versus reality

Dimension Data has recently been presenting on a number of topics learned from Black Hat and Defcon, with particular emphasis on social media and mobile phone security.

I recently delivered the Sydney talk, with a colleague doing the Melbourne one and more on the way in other states. What I enjoyed about this talk was that we were able to discuss attacks, either demonstrated or theoretical ones based on known weaknesses, and how simple they were to exploit. The defensive strategies were where things get really complicated, because they involve a number of serious issues.

For example: what is a "secure" use of social media in the workplace, or better phrased, what is an "appropriate" use of social media in the workplace? If you ban it in the workplace, you still can't ban it outside the office. If that's the case, then how do you secure your employees against threats ranging from phishing attacks to targeted malware and the latest buzzword, "APT" (Advanced Persistent Threat)?

Mobile security is equally bad. The technology is evolving and spreading faster than our ability to secure it. The rush to market means that factors like usability and client experience trump security, every time. Past lessons have been ignored, or it is assumed that mobiles are somehow immune to the security threats that affect our desktops, servers and notebooks daily.

Without going into too much detail (or belabouring the whole APT thing), these are complex issues with no easy answer, largely dependent on a number of variables: an organisation's risk appetite, company culture (open vs. closed, trusting vs. untrusting), degree of secrecy required, how connected it is to the outside world, staff mobility, etc. And that's just off the top of my head.

While we love to talk about issues like these, cloud, etc., it's interesting that so few people really talk about the fundamentals. The Wall of Shame series discusses these fundamentals and highlights their failures. Yet you rarely hear about how people get owned due to ignoring the basics. Media focuses on sensational stories that sell. CIOs want to read about cloud security because they're looking at cutting costs by eliminating data centres. They do not want to read how their patch management program is failing because application owners are risk-accepting not patching their environment and jerking around their sysadmins by refusing all maintenance windows. Or that their new vulnerability management system is a waste of money because it spits out reports that aren't actioned.

Unfortunately, this is often what security comes down to.

Working in information security is not always fun, sexy, interesting or glamorous. In fact, it can be - and often is - dry, tedious, boring and often stressful.
(Caveat: what follows is a description of what it is like working in infosec for the uninitiated. For people who think it's all about penetration testing, vulnerability research and exploit development, read on at your own discretion.)
  • Imagine sitting in meeting rooms, having "spirited discussions" with application owners, system admins, business analysts, project managers, line managers, software developers and auditors, and convincing them why they need to perform data validation on a web application during development, why the sunk cost is necessary and also why you need a stack of cash to perform penetration testing.
  • It means reviewing SIEM logs, addressing false alarms by hunting down the root cause and fixing the bloody problem as opposed to creating a filter to ignore the white noise. Unless you work in a place where you have admin rights on everything, this often means talking with the appropriate techie, raising a change request and going through a lot of red tape for a five-minute change.
  • It means reading vulnerability reports and actually getting them fixed. Talking to the asset owner, making them accountable, raising it in the risk register and getting it recorded, and ensuring they get it fixed within a mutually agreeable timeframe that doesn't fall outside of the next six months.
  • It means reviewing the patching process and explaining to people why not patching Flash, Reader and Java represents a massive security risk. If you somehow convince people that this is a serious enough priority for the business (good luck with that), then you have to explore technology options that will enable you to patch all these applications, the processes by which this will be achieved, who will do it, how to minimise outages and business impact, etc.
  • It means creating policies, procedures and standards that people can read, understand and work with, and reviewing them regularly. It means satisfying the right stakeholders and getting the right buy-in from execs to endorse them. And if the policies are broken or not working, having the presence of mind to honestly critique them and evaluate whether the policy or process is flawed or whether people are just being too lazy and not adhering to it.
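The second bullet's point, root-causing repeated alerts rather than filtering them, is easier to act on when the noise is measured first. The script below is an added illustration and is not part of the original post; the key=value alert format, the rule names and the sample lines are all constructed for the example. It groups alerts by rule and source, and flags sources that fire at a fixed cadence, since a perfectly regular interval usually points at a misconfigured scheduled job or stale credential (something to fix) rather than an attacker (something to filter out).

```python
"""Triage repeated SIEM alerts by source so noisy sources get root-caused
rather than suppressed. Added example with a constructed log format; field
names (ts, rule, src, dst, user) are assumptions, not any real SIEM's schema."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample alerts: one source repeating every 30 seconds against
# the same host with a service account (looks like a stale password in a
# scheduled job), plus a few one-off events that deserve individual review.
SAMPLE_ALERTS = """\
ts=2010-09-01T08:00:01 rule=BRUTE_FORCE_SSH src=10.0.5.12 dst=10.0.1.4 user=svc_backup
ts=2010-09-01T08:00:31 rule=BRUTE_FORCE_SSH src=10.0.5.12 dst=10.0.1.4 user=svc_backup
ts=2010-09-01T08:01:01 rule=BRUTE_FORCE_SSH src=10.0.5.12 dst=10.0.1.4 user=svc_backup
ts=2010-09-01T08:01:31 rule=BRUTE_FORCE_SSH src=10.0.5.12 dst=10.0.1.4 user=svc_backup
ts=2010-09-01T09:12:44 rule=BRUTE_FORCE_SSH src=203.0.113.9 dst=10.0.1.4 user=root
ts=2010-09-01T09:30:00 rule=PORT_SCAN src=10.0.9.3 dst=10.0.0.0/16
ts=2010-09-01T10:15:10 rule=MALWARE_CALLBACK src=10.0.7.21 dst=198.51.100.77
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_alerts(text):
    """Turn key=value lines into dicts with a parsed timestamp."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S")
        alerts.append(fields)
    return alerts


def group_by_source(alerts):
    """Collect the timestamps of every alert per (rule, src) pair."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["rule"], alert["src"])].append(alert["ts"])
    return groups


def is_periodic(timestamps, tolerance_seconds=2.0):
    """True when at least three alerts arrive at an (almost) constant interval,
    the signature of an automated job rather than a human or an attacker."""
    if len(timestamps) < 3:
        return False
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return pstdev(gaps) <= tolerance_seconds


def triage(text, threshold=3):
    """Rank alert sources by volume and suggest what to do with each."""
    report = []
    for (rule, src), stamps in group_by_source(parse_alerts(text)).items():
        periodic = is_periodic(stamps)
        if len(stamps) >= threshold and periodic:
            action = "find and fix the root cause (regular cadence: scheduled job or stale credential?)"
        elif len(stamps) >= threshold:
            action = "investigate the source before considering any filter"
        else:
            action = "review individually"
        report.append({"rule": rule, "src": src, "count": len(stamps),
                       "periodic": periodic, "action": action})
    report.sort(key=lambda entry: entry["count"], reverse=True)
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_ALERTS):
        print(f"{entry['count']:>3} {entry['rule']:<17} {entry['src']:<14} "
              f"periodic={entry['periodic']!s:<5} -> {entry['action']}")
```

On the constructed input the 10.0.5.12 / svc_backup group tops the list with four alerts at a fixed 30-second cadence, which is the case where a change request to fix the job beats a SIEM filter; the single root login attempt from an external address and the malware callback stay visible as individual items instead of being drowned out.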
This is the stuff you won't see in films or read in the news, yet it is a good chunk of what happens every day. Moreover, these battles are the ones most infosec staff struggle with, the ones which are the most important and, sadly, the ones that get the least coverage. The media is always so concerned with the latest threat, hack, exploit, terminology or technological trend. And this isn't unwarranted or without reason.

I guess what is disappointing is that we don't spend enough time on these basics. If you get your detection capabilities right and your basic patching and vulnerability management processes up, you have a lot more time to devote to the more 'interesting' parts of security.

I used to love reading a lot of bodybuilding magazines growing up, and in retrospect, I now find it hilarious reading about 'shock' programs designed to add 2 inches to your biceps in a month or some crap. What isn't drilled in enough is that people need to clean up their diets to get the results they need. Instead they'll interview some steroid-laden Olympian frontrunner and ask about his routine. Said Olympian presents an incredible program which will cause overtraining in no time for the average reader, because they're ignoring the fact that this guy had his diet micromanaged for years prior to even touching steroids, takes an afternoon nap to aid recovery and then is juicing like a madman to facilitate even more rapid recovery.

While I am not excusing or condoning that behaviour, I am making the point that these are people who have mastered the basics in their field. These magazines would be more effective from a training viewpoint if they interviewed bodybuilders and asked them how they managed their diets, how they prepared their meals, how they cook, how they deal with the temptation to cheat, how they deal with restaurants, etc. Whether that would be commercially viable is another point entirely.

As a consultant, I'm finding more often than not that I'm called in to evaluate a particular project, design, issue, etc., and the threats the client is concerned with are insignificant compared with the real threats that are there, clear and present. I think this myopic view comes from seeing the issue for so long that your mind tunes it out. In these instances I simply point out the elephant in the room which is being ignored and remind them that they have bigger problems. Helping to put some context around this and prioritising threats is one of the fun parts of the job.

I think one of the reasons I haven't blogged for a while isn't so much a lack of passion or time (although the time factor has certainly been there!) but rather that the more I look, the more I see it is these same basics which need tending to. I don't see a deep mystery in it for the most part. It just seems more and more like common sense - which is often in short supply.

I guess in many ways I see the media playing a role in not addressing them. It would be nice to see journalists being more responsible here. There are some journalists I used to follow quite closely because I thought they were authoritative, informative and interesting. Now I am a little more discerning with my time.

I can see why these same fundamentals are not attractive to the media or its readership. The truth hurts, after all. But it would be nice once in a while if journalists did a post-incident review using root cause analysis. You could still get the scoop as well as intrigue your readers, and maybe educate them at the same time. I certainly see this responsibility as one that should lie predominantly with media outlets, journalists and publications that pride themselves on being "security journalists" or targeting "security professionals".

I don't expect journalists to try and change the world; I'm just talking about journalists aiming to do a better job of reporting facts and educating readers rather than using FUD to increase readership. Is that too much to ask?

- J.


Matthew Hackling said...

Brilliant post! It outlines the "boring but important" stuff that is so critical to success in infosec.

Anonymous said...

RE: your 5 bullets in the middle: A-freakin-men.