Security is Hard: Give up

Impossible is not a fact. It’s an opinion. – Muhammad Ali

There seems to be a popular trend of late: showcasing the security failings of just about everyone. Because of these incidents, opportunistic people are on their soapboxes criticizing the various approaches in use, mostly (in my opinion) to push their own agenda forward. PCI is broken! WAFs suck! Rugged is stupid! SDLC doesn't work! Personally, I find the people who celebrate failure to be nothing more than trite detractors who do nothing to push the security industry forward. You know who you are, or at least I do.

It's funny too, because as developers we have similar divisions. People have become process zealots to the point that any time a project of the opposing persuasion "fails", they use it as a means to tout the silver-bullet benefits of their own way. When their project fails, which it often does, the argument just swings back the other way. Building software is hard, and if you listened to everything people say about software development you'd think that nobody ever finishes building software. Yet here we are: the world is still moving and software somehow makes it out the door. Sure, it's not perfect, but we don't really need perfect software; it doesn't exist. We need usable, reliable, and appropriately secure software. And that is achievable.

None of this diminishes the fact that things in security don't really appear to be working well. Microsoft still has Patch Tuesday, Adobe is a joke, Linux just found a fairly serious regression, Macs get enormous security patches, and so on. There are even scarier things on the horizon. But there is a huge difference between losing and lost, between failing and impossible. We all seem willing to agree that perfect security doesn't exist, yet we sure like to measure success against it. The thing people seem to forget is that you don't NEED perfect security. You only need to be better than those who aim to do you harm. That, in my opinion, is where we seem to have lost our way.

The proponents who tell you that you are going to lose before you begin tout what I believe to be the exceptions, not the norm. They set up scenarios that always prove their "points", regardless of whether those scenarios are viable or realistic threats. I mean, let's face it: how many of us are prepared to fend off the impending zombie invasion, or fight Chuck Norris in a battle for our lives? Those are obviously far-fetched scenarios, but how does a person with no experience in computer security know the difference? They RELY on us to help them understand what constitutes a credible threat versus a zombie invasion. Quite unfortunately, credibility in this field can be difficult to come by. < gripe > Dear CNN, please research your "experts" before you interview them for advice. It's kind of your job. < /gripe >

As some of my co-workers have pointed out, attackers often lose too. They are fallible human beings who don't have unlimited resources, aren't backed by nation states, and are not the next Einstein. Sure, some might be highly trained, but to say that's everyone? No dice. Some of the more lucrative attacks against major corporations took advantage of BASIC FUNDAMENTAL WEAKNESSES IN SECURITY. Period. It wasn't a legion of hackers breaking into the Gibson; it was a known vulnerability you should have fixed or virtually patched. Even then, many of these individuals have been or are being caught, and that part is only getting better through cooperation between agencies. It's not all bleak.

The man who has no imagination has no wings.  – Muhammad Ali

To ensure I am not accused of only complaining, let me offer this. I gave up the pursuit of perfection a good while ago. Instead I strive for improvement and appropriateness, because both are entirely within my ability to achieve. To improve, we have to listen to what attackers are telling us and focus on defensive strategies that adapt rapidly, think progressively, and can change quickly. I find it funny that our military seems to have gotten that message by and large, but security experts haven't. Modern national defense doesn't look like castles and moats, yet our modern computer security approaches do. I strongly disagree that "If you're not compromising intruder boxes and putting pressure on their ops, then you're not playing by the same offensive rules." There are other ways to put pressure on ops, to take away resources, and to make the stakes high enough to change the cost of entry. I don't want to play their game; that's how you lose. I want to stack the deck and make them play MY game. I just think most defensive strategies aren't thinking that way. Yet.

To be appropriate, we need to better understand and represent actual risks and challenges. That is difficult to do when there are those among us who have given up hope and make a living selling fear. You aren't going to train your grandma in MMA to deal with a bunch of thugs in her neighborhood, so stop trying to sell her on the idea that it's the only way to cope. If you can't, at least stop talking to mine.

Fly dammit. Fly.
