I was in the shop the other day because my car was making strange noises, and the mechanic told me that the oil pan had come unlocked. It was going to be an easy fix, once they removed the engine to get at the clamp that needed replacing.
When I tried to get an understanding of how severe the issue was, he told me that it could bounce around and break other bits of engine. I think he thought I was some sort of drooling idiot, and thought about taking away my keys. He probably also looked down his nose a bit because I was behind on my oil change. (It’s probably a good thing that oil changes are less enforced than password changes.)
Four hours and more money than I care to count later, I came to a realization. I had no idea what any of that meant. More importantly, I had no idea if I was being taken for a ride. But far more significantly, I realized that my conversation with the car mechanic was typical of how we security professional sound to the people who come to us with their problems.
No, actually, that’s a lie: We sound far, far, less understandable. On a good day: “There was a drive-by download from a malware site and then some pass the hash…” And on a bad one: “There’s a highly critical XSRF vuln in the WAF and we decided to take your site offline immediately while we patch.”
Let me start by ranting about the term “drive by downloads.” Are these exploits? If so, why don’t we simply talk about “browser vulnerabilities” and the exploit kits that select a payload that works on your browser? If so, maybe we should banish the term “drive by download” and say “browser vulnerabilities” and -- more importantly -- the fix is to keep your browser up to date? Similarly, “pass the hash” has come to mean a set of credential theft attacks, some of which no longer even involve hashes.
The second sentence is hard to understand for a different reason. First, it is acronym-heavy. But more important, the judgment calls are overwhelming. First, seriously, “highly critical?” I don’t even know what that is supposed to mean.
No, I do: It’s all about who comes up with these schemes. The answer, of course, is product managers trying to make their product’s report seem more serious. But no one is really served by a scale that starts from “very critical” and goes to “extremely critical.” Reality includes moderate and low severity findings. This problem has gotten so bad that there are now companies whose entire business advantage is providing a better scale.
Or how about the statement: “We decided to take your site offline immediately.” Really? Did you think a little notification might be a good idea, first? Let me put you in touch with our marketing department about the promotion that we are running.
But I digress. What’s important here is that I worry when talking to car mechanics, and, similarly, those seeking help from us worry in the same way.
The car mechanic has studied and developed a set of skills. He cares deeply about the problem in front of him, and wants my car to run safely and efficiently. He knows that a bad set of brakes, a failure in the steering, or a host of other issues could literally kill me or others. There’s an analogy here. Like my mechanic, security professionals have worked hard to develop a set of skills. We tend to care deeply about the problems. We want systems to run safely (and sometimes we even care about efficiency.)
Then, someone comes in for what they think is a minor issue, feeling virtuous about trying to get ahead of a problem, and they leave wondering how the explosion of issues that they “must” fix came at them.
So what’s the takeaway? It’s not simply more clear communication, although that’s a big help. It’s also about understanding people’s budget, in terms of time, energy, or competing work. It’s about understanding what their competing priorities are. Perhaps my mechanic can understand that my pending tax bill makes it hard to fix something right now, and can advise that it needs fixing on some other time frame.
That understanding needs to be a two-way communication, and not just between me and my mechanic, but between security professionals and the organizations they serve.
Related content:Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ... View Full Bio