Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/25/2012
12:11 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

A Backhanded Thanks

As we recover from the Thanksgiving weekend, let's give our brand of security thanks for all the good (and not so good) in our world

Around Thanksgiving time in the U.S., I usually take a minute or two between football overload (like that's possible) and binge eating to reflect on the year. It's hard to believe folks are putting holiday decorations up, and we're in full-fledged planning for 2013. Didn't 2012 just start? Uh, I guess not.

The only thing funnier than the onslaught of 2013 predictions that will overflow my inbox over the next few weeks is the folks giving thanks. We are security people. Our job is to look at a situation and figure out how many ways your organization will get pwned. We look for the worst and try to prepare for it. There are some unique individuals who are optimistic pessimists and can see light at the end of a brutal incident response. Or they use the reality of a public breach disclosure as a catalyst for change. The rest of us grumble through our day and wait for the other shoe to drop.

This month, let's give thanks to the other side of that equation. If there weren't bad in the world, we security folks wouldn't have anything to do. We wouldn't be able to appreciate the few times a user doesn't click on that link, or download that file, or install that malware. We may not win a lot, but we shouldn't gloss over the good that happens to us.

First, let's give thanks to the attackers and organized crime syndicates and nation-states footing the bill. Without those folks pushing the envelope on innovative attacks, we'd still be using firewalls and antivirus as the leading controls to stop advanced attacks. Wait, what? OK, never mind.

Though how much fun will it be when all of these folks being trained by nation-states to break into stuff make their way into the commercial markets? On both the good and bad sides. It'll be a lot of fun to clean up the mess when a cyber-ninja takes down a competitor inadvertently because, well, that's what they do. The idea that we'll ever get ahead of the attackers, well ... forget that.

Next, let's be thankful for PCI and compliance, in general. These mandates set the bar for security controls and pushed many organizations to do something to improve their security postures.

And for the most part, it has made a difference. The average organization did nothing about security five years ago. Now it does PCI, so that's a net positive. Let's also be thankful for the low bar that PCI represents. For those attackers just looking for low-hanging fruit (and there are a lot of them), anyone who thinks PCI is good enough is a soft target. Since that isn't you (right! right?), you should be thankful that there are organizations out there that make your security defenses look advanced.

Let's also smile on our good fortune that the compliance folks only think a prescribed control set needs to change every three years or so. Of course, nothing changes that quickly, so what's the risk of only mandating new controls every couple of years? Yeah, that's not going to work out very well for most of these organizations looking at the ROC as the end of the security journey.

We shouldn't forget the tech media that chases the latest obscure attack and creates a bunch of work for practitioners to ensure they aren't vulnerable to the latest TPM chip freeze attack, or other such nonsensical exploit. To be clear, there are times when making sure you've got a plan for a new attack vector is a good thing. But in an age of zero fact-checking, misplaced punditry, and news value success based on page views, if you are only getting your threat intelligence from the trade press, you're doing it wrong.

We also need to appreciate the increasing number of young people who choose security as a profession. They are studying in the mushrooming number of secondary education programs providing some training in information security. They take jobs to do the scut work that experienced folks don't want to do. These programs do a good job of teaching the fundamentals of attacking and protecting, but don't bother telling students that security is a thankless job ... which is good because if any of them knew what a security job was really about, they'd study Java or Rails, or something useful like cloud computing.

Speaking of being unappreciated, let's give a shout-out to our executives -- those folks who seem to have no problem remembering how to game the numbers to maximize their year-end bonuses, but can't seem to understand why they need to keep investing in information security. You know, those folks who believe that since a breach hasn't happened lately, they can reduce investment. Those are the folks who make the security job fun. And by fun, I mean like a root canal.

Of course, there aren't many other disciplines in today's economy with a negative unemployment rate. And few allow you to engage with smart adversaries and actually win sometimes. You don't find a lot of jobs where an organization suddenly gets religion and give you carte blanche to fix the problem. Nor will you find a lot of roles with a higher visibility than security right now.

So during the holiday season, as you and your teams are putting together plans for 2013, asking for money you know you won't get, and battling attackers you have little chance of stopping, just remember that you could have made a less fortunate career choice. Personally, I'm thankful that I live in interesting times, and that as long as people continue to steal from each other, I'll be able to pay my bills. And so will you.

Mike Rothman is President of Security and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.