shortridge,
@shortridge@hachyderm.io avatar

I’m in a reflective mood this week and it’s kind of wild to me that I’m known as a “provocateur” for takes like:

💡 don’t shame victims

💡 UX matters, a lot

💡 we should understand what we’re supposed to protect

💡 if someone clicking a thing on the thing-clicking machine leads to security failure, they are not the foolish one

💡 the best things a security program can invest in aren’t in the RSAC vendor hall

💡 maybe we should start actually proving outcomes??????????

¯\_(ツ)_/¯

jerry,

@shortridge 💯
Particularly this one

if someone clicking a thing on the thing-clicking machine leads to security failure, they are not the foolish one

Haste,
@Haste@mastodon.social avatar

@shortridge provocateur is accidentally a compliment in this case. Keep it up!

Kensan,
@Kensan@mastodon.social avatar

@shortridge Too many vendors are interested in keeping the status quo because it guarantees future business. I can understand that.
However, I do not understand individuals taking these stances as “provocative” or “contrarian”/“controversial”. Looking at other (engineering) disciplines/fields and how they deal with failures and failure culture, this should become obvious sooner or later?

shortridge,
@shortridge@hachyderm.io avatar

@Kensan I agree. 99% of the time I feel like what I say and write is extremely obvious, and yet so many people in infosec are incensed by it.

Kensan,
@Kensan@mastodon.social avatar

@shortridge The negative/adversarial reaction is what I do not understand or rather do not know where it comes from. Do such people feel somehow personally attacked?
I mean just looking at the list and how you formulated these points it should be clear that the motivation behind it is trying to dig deeper and have a clearer understanding of what went wrong in order to find solutions that guard against a failure class instead of a single instance.

shortridge,
@shortridge@hachyderm.io avatar

@Kensan 🎯 yes, they usually feel personally attacked (although will rarely admit it). As to why… I have my armchair psychology analysis I often put in my blog footnotes that can be summarized as “an industry that has self-selected for psychological insecurity for a long time.”

Kensan,
@Kensan@mastodon.social avatar

@shortridge Right, that sounds pretty accurate but at the same time also rather bleak… Maybe that’s also one¹ of the reasons I don’t really do ITSec conferences etc.

As an industry it should be straightforward to look at other industries and their successes as well as failures and try to learn from them, e.g. Aviation. As long as this is not done, nobody should claim ITsec is a mature and professional industry IMHO.
__
¹ Among others.

shortridge,
@shortridge@hachyderm.io avatar

@Kensan you’re gonna love the book :)

Kensan,
@Kensan@mastodon.social avatar

@shortridge It’s just like fixing a single bug aka. playing whack-a-mole vs. defending against an entire bug class.
I think one issue might be that collecting and analyzing data and making empirical decisions based on said data, is often not done. It’s more often opinions or preconceived views instead of acting on hard data. Maybe people know that arguments get handwavy rather quickly…

Kensan,
@Kensan@mastodon.social avatar

@shortridge A simple copout which can almost always be interjected is “You cannot prove a negative/security”. It is true that it is not simple to show how something makes a system, company, etc more secure but you better have some data to convince me that a solution, software etc brings an actual benefit and deserves the trust I put in it.

(Sorry, getting a bit ranty there…)

shortridge,
@shortridge@hachyderm.io avatar

@Kensan I agree entirely, it’s why I bring up that SREs also have to deal with counterfactuals in their work in my blog post from a month ago or so… it isn’t the “gotchya” infosec ppl think it is

https://kellyshortridge.com/blog/posts/cybersecurity-isnt-special/

kingbeauregard,

@Kensan @shortridge

I imagine it depends on what their goal is; in theory, their goal ought to be stopping threats while helping the organization do its job. Except, if the only concrete measurables that float down to them are the threats, they can get to feeling their job is stopping threats, full stop. Under that perspective, users start looking like part of the problem rather than the people they exist to serve.

It's a problem in any scenario where people "should" work towards multiple goals but are actually measured only on one or two of them: pretty soon those become the only goals they pay attention to. Like, I'm a believer in big business serving idealistic goals such as better wages and a positive impact upon the community; but as long as the only metric managers are evaluated on is their ability to make money, they'll never pay more than lip service to other goals.

So I guess "maintaining positive user experience" can become a metric for IT to be evaluated on too. Start doing that and maybe IT will be more responsive to user needs.

shortridge,
@shortridge@hachyderm.io avatar

@kingbeauregard @Kensan yep, there are quite a few overlooked metrics that can proxy for, “are we making other teams miserable?”

help desk tickets related to security policies; temporal and spatial backlogs (shoutout to the 6 month security review backlogs I hear about all the time); % adoption of a security tool / workflow / other thingy (bonus points for it captured over time — eg does it stagnate?), etc

and one I especially love, per @geoffbelknap, is capturing the security team’s NPS

bynkii,
@bynkii@mastodon.social avatar

@shortridge

My security team: “we just eliminated a core functionality without warning or notice and you’re only going to find out when your users start complaining.”

Us: “we understand why you did that and in many ways it was a good idea but there’s no way this was a spur of the moment decision so we’re a bit put out that we got no warning so we could have new systems in place to replace that functionality”

My security team: “so you want to be insecure!”

bynkii,
@bynkii@mastodon.social avatar

@shortridge Us: “no, we want better communication”

My security team: “we don’t exist to make your life easier”

Us: “Wait what?”

My security team: “WHEN WE SAY JUMP YOU JUMP, YOU DON’T WASTE OUR TIME WITH STUPID QUESTIONS ABOUT HOW HIGH!!!”

s i g h

paulc,
@paulc@mstdn.social avatar

@bynkii @shortridge OMG. I was discussing the need for more security at work and went through a few line items. One was to not drive staff crazy.

bynkii,
@bynkii@mastodon.social avatar

@paulc @shortridge I get my revenge in other ways. We have a very specific software approval process that requires security sign off.

I am allowed to just submit a suite. But the members of a suite are then not listed in the approved software search, which is confusing for the people I support.

So maybe this year I submit individual approval requests. Like sixty. Per platform.

curiousrobot,

@bynkii @shortridge WOW I got angry just seeing that reaction. Reminds me of a toxic place I worked at where everyone was so proud of the security guy making someone cry because they clicked on a link. I’m like “Dude that’s security team’s failure, not the user who was just doing their job!”

bynkii,
@bynkii@mastodon.social avatar

@curiousrobot @shortridge I told a security guy once that if clicking on a link was able to pooch their entire network, their security was less realistic than a toddler wanting to be a fire engine when they grew up.

They did not like that.

hessenic,

@bynkii @curiousrobot @shortridge then you have the other extreme where the security teams role is to “advise” and you get a lot of vague and not helpful advice along with the scans.
“It’s our job to advise you on best practices” as a response to basically everything…
Thank you for listing the ISO controls… I can read the documents… I need advice on how to implement them. Not what they are!

realn2s,

@bynkii @shortridge
😱🤬

shortridge,
@shortridge@hachyderm.io avatar

@bynkii there’s such a fucked up authoritarian streak in cybersecurity culture. If there’s one thing I could change, it’s probably that.

My jimmies are rustled just reading that exchange

bynkii,
@bynkii@mastodon.social avatar

@shortridge the “we don’t exist to make your life easier” is a direct quote.

The problem is, they said that to a petty bitch spite engine with advanced degrees in malicious compliance.

I will absolutely do extra work to fuck up their day in ways they can do nothing about.

bynkii,
@bynkii@mastodon.social avatar

@shortridge and literally all we want is a heads-up. We had a critical testing/design tool stop working. The cause? A new antimalware package on both servers and clients. No warning.

We constantly get OMG OVERDUE emails about vuln patching, but the “standard way” was security -> central IT -> us.

Every time we begged them to just send us the vuln reports, they ignored us. So I finally found the procedure to get our own reports.

bynkii,
@bynkii@mastodon.social avatar

@shortridge

We get the next OMG emails and this time I was “yeah, we know, already working with the vendor on the right procedure, think you could yank the fw block preventing us from downloading the update? Here’s the ticket I put in on it”

They were quiet about that. Like dude, LET ME HELP YOU!
No one gains from unpatched vulns, but you literally cause us to miss the deadlines by being control freaks.

bynkii,
@bynkii@mastodon.social avatar

@shortridge

Infosec complains about shadow IT whilst being the biggest cause of it. They’re like arsonists who moonlight as firefighters.

c0dec0dec0de,
@c0dec0dec0de@hachyderm.io avatar

@shortridge @bynkii me: excuse me, did you just uninstall log4j from all my developers machines?

Them: oh, yes, haven’t you heard? It’s very bad.

Me: you uninstalled their Java build tools too. You know that about half of them are Java devs? And, maybe more importantly, none of those machines were running server processes that used log4j? So, you didn’t actually do anything for our security by doing this. Would it be okay with you if I patched out the vulnerable classes?

derekheld,

@c0dec0dec0de @shortridge @bynkii

This literally happened to me. And it was even worse because there was a KNOWN BUG in the script that deleted more than just the vulnerable versions because the string match check sucked. It deleted even patched log4j or even things that weren’t log4j.
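The over-broad string match described above is a common remediation failure mode. As an added illustration (not the script the poster refers to, and not code from anyone in this thread), the following contrasts a substring check with a version-aware check over a constructed list of file names; the artifact naming pattern, the file list and the minimum safe version are all assumptions of the example, not data from the thread.

```python
import re

# Constructed sample of file names a blanket "remove log4j" script might meet on a
# developer workstation (illustrative only, not real inventory from the thread).
SAMPLE_FILES = [
    "log4j-core-2.14.1.jar",          # log4j-core 2.x below the assumed safe minimum
    "log4j-core-2.17.1.jar",          # log4j-core 2.x at/above the assumed safe minimum
    "log4j-api-2.17.1.jar",           # API jar, not the core artifact
    "log4j-1.2.17.jar",               # 1.x line, a different artifact entirely
    "log4j-over-slf4j-1.7.36.jar",    # a logging bridge that merely contains "log4j"
    "maven-3.8.6-bin.tar.gz",         # build tooling with no log4j in the name
    "gradle-log4j-plugin-notes.txt",  # a text file that happens to mention log4j
]

# Assumed minimum safe log4j-core version for this example; a real script would
# take this value from the advisory it is acting on.
MIN_SAFE_CORE = (2, 17, 1)


def naive_match(filename: str) -> bool:
    """The over-broad check: any name containing "log4j" is treated as vulnerable."""
    return "log4j" in filename.lower()


# Assumed artifact naming convention for this example: log4j-core-<major>.<minor>.<patch>.jar
CORE_JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_core_version(filename: str):
    """Return (major, minor, patch) for a log4j-core jar, or None for anything else."""
    m = CORE_JAR_RE.match(filename)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable_core_jar(filename: str, min_safe=MIN_SAFE_CORE) -> bool:
    """Precise check: only the log4j-core 2.x artifact below the safe minimum qualifies."""
    version = parse_core_version(filename)
    if version is None or version[0] != 2:
        return False
    return version < min_safe


def select_for_removal(files, check):
    """Apply a check to each file name and return the ones it would delete."""
    return [f for f in files if check(f)]


if __name__ == "__main__":
    print("naive:  ", select_for_removal(SAMPLE_FILES, naive_match))
    print("precise:", select_for_removal(SAMPLE_FILES, is_vulnerable_core_jar))
```

Run against the sample list, the naive check selects six of the seven files, including the already patched core jar, the API jar, the unrelated bridge and a text file; the version-aware check selects only the one core jar below the assumed minimum. Anchoring the check on the specific artifact and a parsed version is what keeps a remediation from becoming the outage the thread describes.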

bynkii,
@bynkii@mastodon.social avatar

@derekheld @c0dec0dec0de @shortridge I have become convinced that infosec actively removes the ability to properly assess danger and remediations from its adherents.

c0dec0dec0de,
@c0dec0dec0de@hachyderm.io avatar

@bynkii @derekheld @shortridge in this case, I think it’s more Goodhart’s Law than anything of that sort. IT has a dashboard with Nessus reports and a requirement to be at least some percentage of total compliance.
Some actual security-minded folks seem to be out of the loop doing fun red-team-y things for brown bag tech talks.
https://en.wikipedia.org/wiki/Goodhart%27s_law

bynkii,
@bynkii@mastodon.social avatar

@c0dec0dec0de @derekheld @shortridge in 30 years, the number of infosec people who cared about business needs beyond their paycheck fit on the uninjured fingers of my right hand.

The ones that understood the business and worked to help the business be secure in a way that caused the least amount of problems for people is smaller still.

By and large, infosec people treat companies as their own personal playgrounds, and act as though the business works for them.
