Author: Chandler

Standing Still

Following up on Ben’s comment to s/green/secure/g,

infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening.

I’ll argue it’s even worse than that.

Since “secure” is neither achievable nor a static state, it can never be done and standing still means falling behind.  One of the frustrations that people express to me about Information Protection is that it’s never “done.”

Every hour of every day, some new threat is identified or exploit published.  Every single one of them could produce anything from a “move along, nothing to see here,” to a patching frenzy to a horrible realization that someone’s architectural trade-offs just failed very badly, which is to say, “expensively,” and now a whole lot of time and money is going to be required just to get back to the same level of risk they (thought) they had before they read that last email or news item.

So the workload increment here to go from falling behind to static state is not just fighting the fight, but also includes knowing what new risks are coming up that need to be managed.

The ones in the media or blogosphere are easy to deal with and mostly consist of reading through the journalistic hype so you can explain to your management why they should or shouldn’t be doing something about it.

It’s the risks that the company takes onto itself in the course of doing business that are hard.  Very rarely does anyone ferret those out for you, and if they do, it’s either to get your blessing (which may or may not be deserved) or to help settle some internal political fight which has nothing to do with security.

Then, you have to assess those risks accurately and recommend a course of action to manage the risk.  While this will usually be “accept” or “tell the IT Operations team to do their job,” sometimes it’s asking a line of business to add additional controls or IT to deploy additional safeguards.  Naturally, they will never admit to having time or budget for this until you’ve backed them into a corner by exhausting all alternatives.

Finally, you’ll need to do this every day and still have the strength to stand firm and avoid contracting “security fatigue” when all this effort doesn’t even get your organization to “secure”–only (hopefully) “secure enough.”  Until you read that next news article or open that next email, that is.

How to be Cyberscary

The intersection of crime and technology is a fascinating place.  Innovation in fraud, theft, and industrial espionage is occurring at a phenomenal pace and is producing no shortage of real problems that Information Risk and Security professionals need to be learning about and addressing.  Unfortunately, the noise coming from journalists in this space is so hyperbolic that it becomes hard for people to take the real problems seriously.

In the arms race of cyberscare stories, journalists have consistently held the upper hand over folks like myself, but no longer.  Foreign Policy has given away some of their key secrets in 10 easy steps to writing the scariest cyberwarfare article ever:

With daily reports of severe breaches in national cybersecurity and devastating cyber-attacks on government infrastructure, many journalists are in dire need of a manual to enlighten their writing on the subject. Here are my ten (rather cynical) tips to make your cyberwarfare story succeed.

1. You need a catchy title. It pays to cannibalize on some recent tragic event from the real world; adding “cyber” to its name would usually trigger all the right associations. Studies show that references to “digital Pearl Harbor”, “cyber-Katrina”, and “electronic 9/11” are most effective, particularly for stories involving electricity grids or dams. Never make any explicit attempts to explain the bizarre choice of your title – you need to leave enough ambiguity out there for your readers to “connect the dots” themselves. This is a win-win: readers love solving important cyberspy puzzles – and you could get away without doing any analysis of your own. Quoting real facts would spoil the puzzle-solving experience; plus, the fewer facts you quote, the harder it would be to debunk your story!

It’s a great recipe for how to scare people about those scary hackers, both for journalists as well as for many Security Professionals. After all, if you’re looking to justify budget for your next case of silver bullets, it’s not enough to just have problems–things are tough all over, after all. Instead, you’ve got to have Big Problems–werewolves or vampires or some other mythological creature like Russian Mafia Superhackers.

Still, it’s missing a few key points, which I’ll add here so struggling journalists and FUD-based budget defenders can better justify their proposed capex or scare a few more people into buying a copy of the paper so they can read below the fold and thus eke out one more day as an ink-and-pixel-stained wretch.

  1. Never forget that Probable == Possible
    You will never get to be a famous cybersecurity journalist if you talk about what’s likely. If you limit your reporting to only those things which have a reasonable chance of having occurred or actually occurring, your journalism will be drab and uninteresting. Instead, find the most outlandish scenario you can imagine, then describe it with all caveats, useful statistics, or information about compensating controls removed. That simple step will improve both the brevity of your writing and the excitement of your content. The fact that your scenario just became a technical impossibility should never be a problem for you. After all, if you’re writing for a non-technical venue like a newspaper, your employer’s profitability is probably also technically impossible, so you’ll be in good company.
  2. Achieve Maximum Impact
    An attack that knocks some servers you’ll never connect to off-line for 20 minutes is Not Interesting. Odds are, your own IT department did more damage than that to systems availability today just trying to get their jobs done. Instead, find a statistic involving a Large Number and supply it (without context, of course) as evidence that this could be The End Of The World. Even better, extrapolate that large number, ideally with the help of one of the experts from Foreign Policy’s Tip #5, to show that this problem is growing like Grey Goo and will, again, be The End Of The World.
  3. Bring it Close To Home
    Just because a few people whose names you can’t pronounce–can’t even guess at, since they’re not written using the Latin alphabet–are portscanning and DDoS’ing each other in places you also can’t pronounce, whose total Internet backbone is a couple of DS-3s, is no reason not to imply that they could bring the fight here (wherever here happens to be for you) and that this is a taste of what’s to come locally. For example, if you’re in the United States or Canada, be sure to mention Mafiaboy if it’s a Denial of Service story, demonstrating that this stuff is so easy that even high school kids can do it.

Just as Foreign Policy’s list was incomplete, so is mine.  What are some other techniques that we could be using to ensure that every hiccup in Networks or Information Systems is made as cyberscary as cyberpossible when it shows up in a news story or slide deck?