Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/25/2012
12:11 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

A Backhanded Thanks

As we recover from the Thanksgiving weekend, let's give our brand of security thanks for all the good (and not so good) in our world

Around Thanksgiving time in the U.S., I usually take a minute or two between football overload (like that's possible) and binge eating to reflect on the year. It's hard to believe folks are putting holiday decorations up, and we're in full-fledged planning for 2013. Didn't 2012 just start? Uh, I guess not.

The only thing funnier than the onslaught of 2013 predictions that will overflow my inbox over the next few weeks is the folks giving thanks. We are security people. Our job is to look at a situation and figure out how many ways your organization will get pwned. We look for the worst and try to prepare for it. There are some unique individuals who are optimistic pessimists and can see light at the end of a brutal incident response. Or they use the reality of a public breach disclosure as a catalyst for change. The rest of us grumble through our day and wait for the other shoe to drop.

This month, let's give thanks to the other side of that equation. If there weren't bad in the world, we security folks wouldn't have anything to do. We wouldn't be able to appreciate the few times a user doesn't click on that link, or download that file, or install that malware. We may not win a lot, but we shouldn't gloss over the good that happens to us.

First, let's give thanks to the attackers and organized crime syndicates and nation-states footing the bill. Without those folks pushing the envelope on innovative attacks, we'd still be using firewalls and antivirus as the leading controls to stop advanced attacks. Wait, what? OK, never mind.

Though how much fun will it be when all of these folks being trained by nation-states to break into stuff make their way into the commercial markets? On both the good and bad sides. It'll be a lot of fun to clean up the mess when a cyber-ninja takes down a competitor inadvertently because, well, that's what they do. The idea that we'll ever get ahead of the attackers, well ... forget that.

Next, let's be thankful for PCI and compliance, in general. These mandates set the bar for security controls and pushed many organizations to do something to improve their security postures.

And for the most part, it has made a difference. The average organization did nothing about security five years ago. Now it does PCI, so that's a net positive. Let's also be thankful for the low bar that PCI represents. For those attackers just looking for low-hanging fruit (and there are a lot of them), anyone who thinks PCI is good enough is a soft target. Since that isn't you (right! right?), you should be thankful that there are organizations out there that make your security defenses look advanced.

Let's also smile on our good fortune that the compliance folks only think a prescribed control set needs to change every three years or so. Of course, nothing changes that quickly, so what's the risk of only mandating new controls every couple of years? Yeah, that's not going to work out very well for most of these organizations looking at the ROC as the end of the security journey.

We shouldn't forget the tech media that chases the latest obscure attack and creates a bunch of work for practitioners to ensure they aren't vulnerable to the latest TPM chip freeze attack, or other such nonsensical exploit. To be clear, there are times when making sure you've got a plan for a new attack vector is a good thing. But in an age of zero fact-checking, misplaced punditry, and news value success based on page views, if you are only getting your threat intelligence from the trade press, you're doing it wrong.

We also need to appreciate the increasing number of young people who choose security as a profession. They are studying in the mushrooming number of secondary education programs providing some training in information security. They take jobs to do the scut work that experienced folks don't want to do. These programs do a good job of teaching the fundamentals of attacking and protecting, but don't bother telling students that security is a thankless job ... which is good because if any of them knew what a security job was really about, they'd study Java or Rails, or something useful like cloud computing.

Speaking of being unappreciated, let's give a shout-out to our executives -- those folks who seem to have no problem remembering how to game the numbers to maximize their year-end bonuses, but can't seem to understand why they need to keep investing in information security. You know, those folks who believe that since a breach hasn't happened lately, they can reduce investment. Those are the folks who make the security job fun. And by fun, I mean like a root canal.

Of course, there aren't many other disciplines in today's economy with a negative unemployment rate. And few allow you to engage with smart adversaries and actually win sometimes. You don't find a lot of jobs where an organization suddenly gets religion and give you carte blanche to fix the problem. Nor will you find a lot of roles with a higher visibility than security right now.

So during the holiday season, as you and your teams are putting together plans for 2013, asking for money you know you won't get, and battling attackers you have little chance of stopping, just remember that you could have made a less fortunate career choice. Personally, I'm thankful that I live in interesting times, and that as long as people continue to steal from each other, I'll be able to pay my bills. And so will you.

Mike Rothman is President of Security and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7814
PUBLISHED: 2020-07-10
RAONWIZ v2018.0.2.50 and eariler versions contains a vulnerability that could allow remote files to be downloaded and excuted by lack of validation to file extension, witch can used as remote-code-excution attacks by hackers File download & execution vulnerability in ____COMPONENT____ of RAONWIZ...
CVE-2020-5607
PUBLISHED: 2020-07-10
Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...