There has been a lot of debate back and forth and plenty of ranting and angst about how "broken" the information security industry is. It's an interesting argument both ways, but rather than speculate randomly and attach emotion to it, I'd like to base my own views on it in my own experience.
These are, as I said, my own views. I'm not forcing this down anyone's throat, and it most definitely doesn't mean I don't care. If anything, I've taken the time to write this because I do care and I think as an industry we can do better.
tl;dr Version: Yes, I do think our industry is broken. But I think it's fixable and we can work towards fixing it. For what it's worth, many other industries are broken too. But hand-wringing, ostrich syndrome or blind surrender really won't help. Positive acceptance, working towards more detailed understanding and focus on moving forward is what is needed.
Ok, so here is the more detailed version...
The industry has shown us many examples of public brokenness. I'm not going to re-hash the escapades of the last few years and the public ownage of many large organizations here.
I've been in the information security industry for over a decade now, always as a consultant, so I've seen countless different environments in various industry verticals in the private sector, public sector, defense and intelligence sectors. I've worked on projects through North America, Africa, Europe and the UK as well as Australia.
I've also worked on both the defense side and the offensive side, having been a security engineer, architect, consultant, vulnerability management consultant, penetration tester and application security guy, trainer and researcher. Having led and managed teams where I had to perform QA on projects, I also have had the benefit of reviewing my really smart colleagues' work too, which exponentially increases the scale of what I've seen.
In terms of what I see alone, it validates what the industry has shown us.
The levels of compromise achievable on security assessments are almost ridiculous. I've seen compromise on a scale that frightens me. I've also seen a lack of basic defensive controls in many organizations where you'd least expect it. The scary part is so many security assessments still only focus on known and critical systems and applications. So many organizations don't even assess client machines, which is where the bulk of attack surface today is with the least controls. And that's just a single example of gaps...
Two cases in point from the recent past remind me of how truly broken things really are.
In a prior life I interviewed a ton of people for jobs, as well as tech screening contract candidates for clients. Something that disturbed me was interviewing for a specific role for a client, focused on endpoint security. Every single candidate without fail that we interviewed for a desktop security role didn't know a single thing about DEP or ASLR or any exploit mitigations. Even the self-professed "hackers". Really? How about why the browser and it's plug-ins present such a large attack surface? Nothing. Wow.
I also just completed a penetration test of a large organization, in a fairly notable vertical. They have many, many clients, and a lot of information on these clients. It felt like I was in a horrible 1990's nightmare. From the Internet - full Domain Admin access to the internal network, compromised client PII and payment details, compromised databases, SQL injection on the main website, compromised crypto keys and proprietary source for apps, compromised the CEO's email...pretty much compromised everything. And the worst part? Not even a hint at detection when I wasn't even trying to be stealthy.
Am I just that good? No. I wish. Are they just a freak case? No. Again I wish. Is this a big problem? Absolutely.
Many people much smarter than me have made the same and similar arguments that I'm deducing from my experience and from the data that I have access to. Things are broken. What we're doing isn't working. Why? Well, there are many reasons. Who is to blame? Again, many angles. But there most certainly are ways to fix it.
While that topic could be the content for an entire book alone, I think one of the primary issues is a lack of depth of understanding.
Understanding of how networks, systems and applications are actually attacked in reality, how they're compromised, what the effective countermeasures are, and of course...what we can't hope to defend / prevent and how to position an enterprise to detect and respond to these attacks when they get compromised.
Understanding of what works in the enterprise, where there are real constraints, budget, headcount, time, mandate...and how to make practical, helpful and actionable recommendations if you're a consultant. If you're a pentester even more so. Understanding risk and how to prioritize your recommendations. If you're assessing applications can you code? Really? Can you speak to developers?
Architecture by Visio doesn't work. Pentesting a single app doesn't address security at scale. What if you're Sony and you didn't assess those few apps that were owned? Setting a scope for your pentest? Great, and what if you get owned tomorrow by something "out of scope"? How do you explain that to your CISO, or even better the CFO or CEO? Budgeting for more security tech? Great - is it actually going to help improve your security posture the way you think it is?
How do you address security at scale? Do you even understand your attack surface? How do you reduce it? Those monitoring systems (you do have monitoring in place...right?) - do you even know how best to configure them to detect signal in the noise, and position you to detect attacks and respond accordingly?
These are tough questions, but ones that we honestly need to try address from both sides of the table, offense and defense, if we hope to make any positive change. Do I have all the answers? No chance. But I do feel that without taking a hard and honest look at what we do, how we do it and why, we have no chance of changing the status quo. And all the hand-wringing and gnashing of teeth in the world won't make a difference.
Security is the latest hot industry. In a time of economic difficulty, people flock to the flavor of the week. As @afekz pointed out we also tend to reward confidence rather than correctness. Twitter is a grand example of this. We seem to have fallen into a culture of he who speaks loudest being heard, and because someone said something on the Internet, they have to be correct. This is not at all a good combination. Here's hoping for a little less volume and a little more value...
As a final parting thought, let's get beyond our over-inflated image of ourselves...other important industries are broken too :)
No comments:
Post a Comment