Some time ago I attended BruCON. For those unfamiliar with it, BruCON is a security conference where everybody with an interest in security can share their views and findings. As always, it was a great mixture of technology, philosophy, personal opinions and hands-on workshops.
This time, however, I noticed a certain pattern in some of the talks. Chris Nickerson gave a presentation about "how to make a pentester's life hell" based on experience, Shyma Rose shared her views on risk management, Mark Hillick showed us how the security was improved at Riot Games and David Kennedy provided his opinion on the state of the information security industry nowadays. All four of them basically told pieces of the same tale from a different perspective and I will try to provide my viewpoint on the matter in this blog.
The security bubble
Both Shyma and Dave said the term 'Risk' is inflated and is nowadays used as a buzzword that no longer has a connection with actual threats. I couldn't agree more on this. Nowadays it is almost normal, when someone identifies a new vulnerability, to launch a complete marketing campaign including fancy names and logos, dedicated websites and huge social media presence. Risk is no longer used as an indicator of 'badness', but instead used as a catalyst for pushing 'money making silver bullets' to customers. And, since most clients don't know any better, they get away with it. And, as Chris showed, even customers who do know better, still enable them to push their crappy services by providing them ideal conditions to prove their effectiveness.
Hackers != unstoppable evil geniuses
Hackers are looked upon as the extremely smart guys with elite skills, where reality is that most breaches happen due to stupid stuff and decade old problems. The infosec industry's solution is products and services that no longer qualify for the fast changing world we now live in. Most services rely on stopping or identifying known attacks. In a world that is changing almost every heartbeat and especially in a world of mobile devices and cloud solutions, the 'castle and archers' approach no longer works. Facts show that in many hacks exploits weren't even necessary due to the possibilities of modern platforms. If an attacker has the possibility to access some maintenance or configuration part of your system it's game over. If an attacker can access some scripting environment, it's game over. If an attacker can lure one of your employers into going to a website or installing something, it's game over.
Another problem is the huge gap between security operations inside a company and the business and development departments. Many companies have internal security guidelines that are hardly aligned with the rest of the organization and therefore bypassed or ignored. The natural response to this is that the security departments push the guidelines ever harder, only causing the gap to increase even more. Based on experience Mark stated that security departments should get out of their ivory tower and start to understand what is really important. It's more effective to achieve 80% security with 100% alignment, than try to reach 100% security with 0% alignment.
Both the infosec industry and clients nowadays have enough money and attention to change things, so we should get rid of the technology driven approach and start focusing on talent and smartness. When you look at the root causes of many hacks it's not the technology that is to blame, but instead ego, culture, miscommunication and the working environment. As long as security is considered as something you can bolt on or use external expertise for, it will fail. We, both the suppliers and clients, should consider security as a standard quality attribute where everybody is responsible for.
Telling instead of training
In most companies the ratio between security and non-security minded people is way off. Security teams should therefore start acting as supporters and trainers. By becoming more visible in the organization and start aligning with it, the security awareness will rise within everyone. Every single person in the company should get a basic understanding of what security is about. And it isn't that hard to achieve. Developers should know secure coding, testers should learn to use security tooling, operations should know how hacking tools work and can be identified and taught the basics of forensic research. People also need to be trained to how to handle in case of an issue: build a good incident response program with flowcharts that everybody can use and apply. It's not rocket science, you can achieve a lot with good old common sense.
Another key item is visibility. Often incidents, breaches and other security related issues are 'kept under the radar' and only 'the chosen few' will know the details. By being open and transparent about these to the whole organization, people will start to understand the importance and challenge each other to prevent these in the future. By creating internal security challenges and promoting good ideas a community will form on itself. Use leaderboards and reward with goodies to stimulate people to improve themselves and get accustomed with the matter. Make sure successes are acknowledged. To quote Mark (who also quoted someone else) "If Tetris has taught me anything, it’s that errors pile up and accomplishments disappear."
Hackers don't only knock on the front door
Lastly, start to implement defense by default and assess every situation as if a breach had occurred. Assume bad stuff will happen at some point and see how you can minimize the damage from each point. Do this on all levels; disable local admin accounts, use application protection like EMET and Applocker, implement strict password policies, apply network segmentation between byod, office automation and backends, using coding frameworks, patch all the time, test everything, monitor everything, and start analyzing your external and internal network traffic. The ultimate goal is to make it pentesters (and therefore hackers) as difficult as possible. Pentesters should cry and require weeks, months or even years to get somewhere.
There is no I in team!
We, as an infosec industry, are facing a future where change is the constant factor and we have find a way to deal with that. In order to be successful, we have to understand and acknowledge that we can no longer do it on our own. Unless we start to behave as a member of the team, we will fail horribly and become sitting ducks.