
Perimeter

11/25/2012 12:11 PM
Mike Rothman
Commentary

A Backhanded Thanks

As we recover from the Thanksgiving weekend, let's give our brand of security thanks for all the good (and not so good) in our world

Around Thanksgiving time in the U.S., I usually take a minute or two between football overload (like that's possible) and binge eating to reflect on the year. It's hard to believe folks are putting holiday decorations up, and we're in full-fledged planning for 2013. Didn't 2012 just start? Uh, I guess not.

The only thing funnier than the onslaught of 2013 predictions that will overflow my inbox over the next few weeks is the folks giving thanks. We are security people. Our job is to look at a situation and figure out how many ways your organization will get pwned. We look for the worst and try to prepare for it. There are some unique individuals who are optimistic pessimists and can see light at the end of a brutal incident response. Or they use the reality of a public breach disclosure as a catalyst for change. The rest of us grumble through our day and wait for the other shoe to drop.

This month, let's give thanks to the other side of that equation. If there weren't bad in the world, we security folks wouldn't have anything to do. We wouldn't be able to appreciate the few times a user doesn't click on that link, or download that file, or install that malware. We may not win a lot, but we shouldn't gloss over the good that happens to us.

First, let's give thanks to the attackers and organized crime syndicates and nation-states footing the bill. Without those folks pushing the envelope on innovative attacks, we'd still be using firewalls and antivirus as the leading controls to stop advanced attacks. Wait, what? OK, never mind.

Though how much fun will it be when all of these folks being trained by nation-states to break into stuff make their way into the commercial markets? On both the good and bad sides. It'll be a lot of fun to clean up the mess when a cyber-ninja takes down a competitor inadvertently because, well, that's what they do. The idea that we'll ever get ahead of the attackers, well ... forget that.

Next, let's be thankful for PCI and compliance, in general. These mandates set the bar for security controls and pushed many organizations to do something to improve their security postures.

And for the most part, it has made a difference. The average organization did nothing about security five years ago. Now it does PCI, so that's a net positive. Let's also be thankful for the low bar that PCI represents. For those attackers just looking for low-hanging fruit (and there are a lot of them), anyone who thinks PCI is good enough is a soft target. Since that isn't you (right! right?), you should be thankful that there are organizations out there that make your security defenses look advanced.

Let's also smile on our good fortune that the compliance folks only think a prescribed control set needs to change every three years or so. Of course, nothing changes that quickly, so what's the risk of only mandating new controls every couple of years? Yeah, that's not going to work out very well for most of these organizations looking at the ROC as the end of the security journey.

We shouldn't forget the tech media that chases the latest obscure attack and creates a bunch of work for practitioners to ensure they aren't vulnerable to the latest TPM chip freeze attack, or other such nonsensical exploit. To be clear, there are times when making sure you've got a plan for a new attack vector is a good thing. But in an age of zero fact-checking, misplaced punditry, and news value success based on page views, if you are only getting your threat intelligence from the trade press, you're doing it wrong.

We also need to appreciate the increasing number of young people who choose security as a profession. They are studying in the mushrooming number of secondary education programs providing some training in information security. They take jobs to do the scut work that experienced folks don't want to do. These programs do a good job of teaching the fundamentals of attacking and protecting, but don't bother telling students that security is a thankless job ... which is good because if any of them knew what a security job was really about, they'd study Java or Rails, or something useful like cloud computing.

Speaking of being unappreciated, let's give a shout-out to our executives -- those folks who seem to have no problem remembering how to game the numbers to maximize their year-end bonuses, but can't seem to understand why they need to keep investing in information security. You know, those folks who believe that since a breach hasn't happened lately, they can reduce investment. Those are the folks who make the security job fun. And by fun, I mean like a root canal.

Of course, there aren't many other disciplines in today's economy with a negative unemployment rate. And few allow you to engage with smart adversaries and actually win sometimes. You don't find a lot of jobs where an organization suddenly gets religion and gives you carte blanche to fix the problem. Nor will you find a lot of roles with higher visibility than security right now.

So during the holiday season, as you and your teams are putting together plans for 2013, asking for money you know you won't get, and battling attackers you have little chance of stopping, just remember that you could have made a less fortunate career choice. Personally, I'm thankful that I live in interesting times, and that as long as people continue to steal from each other, I'll be able to pay my bills. And so will you.

Mike Rothman is President of Security and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
