Workarounds, accepted mediocrity and questionable future benefits/improvements….

Posted on March 22nd, 2009 by Drazen Drazic

Setting the scene with some recent, somewhat provocative posts to generate some thinking, debate and discussion, and to get some interest before the context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?). To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and whether I was shooting myself in the foot with some vendors now and in the future. (Hey, big assumption that anyone actually reads this stuff I write). For the latter, I probably was/am, but as most people know, I am not scared to put my opinion out there for critique, flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory boy thing and it is what it is and I don’t profess it to be anything it is not. (Refer to top right corner of home page for the disclaimer).

So, getting to the point of this (…finally, you’re probably thinking). WAFs are an easy target to generate discussion (more polarising than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched in our industry, through to strategic thinking and approaches that look at where our industry is, where it should be and, most importantly, the steps needed to make valuable, significant improvements to IT, business, home and society in general. Read on:

Does the proposed Australian Internet filtering/censorship scheme, or what is happening in New Zealand at present, for example, give us something that is going to improve our security and usage of the Internet now and for the future? Or is this a knee-jerk tactical response and plan that falls into the “workaround” and “accepted mediocrity” categories, diverting our attention from better solutions that more directly attack the root cause of the problems, and from plans to better address those root causes? I believe it does.

Most things we (in the industry) do fall into these categories, and we’ve been using these tactics since day 1. Attacking the root cause of problems and dealing with them is generally deemed too difficult. Great in theory, you’ll be told, but we need “pragmatic” solutions (while agreed to be far from perfect) that work today! Gees, if humankind had always approached problems this way, we’d still be living in caves. (Well, maybe a slight exaggeration).

It’s 2009 and after 15+ years in this industry, I see we’re still not thinking past just trying to bog up the rust to keep something at an acceptable level/working order (relative to what the individuals involved believe is workable and effective for them). It’s subjective, and those “acceptable” levels, and how that determination has been made, need to be questioned. Is the complete picture there, and was sufficient data accumulated for correct/accurate decisions to be made? How often is it not, yet decisions are still made, to the detriment of the business? More often than not, I put it to you.

Defeatist attitudes that lead to “workarounds” and “accepted mediocrity” are detrimental to any significant change and a better future. There is no ideal world and no perfect security – we know that, but all that “workarounds” and “accepted mediocrity” have done is move us backwards, and we continue to move backwards. It makes no sense that we accept this as our lot. We are losing the battle, and as new technologies and business approaches evolve on the Internet, we further accept this as our lot going forward and, for the reasons mentioned, revert to the “trusted” (yet disproven) tactic of “workarounds”.

WAFs (and IDS/IPS, firewalls and most technologies we use in the information security industry) are workarounds to deal with our inherently insecure technologies, built on insecure software. I’ll never accept that workaround technologies are the sole thing available to us and that we should simply make the most of them. If a WAF protects an organisation from something bad to a level of 60% or so, that is failure to me. Does the decision maker who purchases these products and services fully understand this when it is sold to them? Is the picture clear to them about alternatives focused on attacking the root cause from a micro-level perspective (i.e. their organisation)? Is the former solution (a WAF, for example) at the end of the day going to be better for them at present, given they can’t at present comprehend what else can be done, or even if they can, just cannot do it due to the old expertise, resource and funding issues? Will they even try to consider this seriously? It just doesn’t happen in our world of fantastic and magical products they’re sold – products that they are “sold” to believe will do all they want and allow them to sleep better at night.

How do you judge between marketing claims that really cannot be accurately confirmed [by them] and the more difficult, theoretical, holistic arguments that can’t be plugged in and played like the former?

Let’s spend a few million on something that “will make our organisation secure”! The sales guy guarantees it. (12 months later, the sales guy is working for a competitor and now bags the product he sold the client last year as being crap “….and far from being able to deliver what we told them it would”). Just recently I spoke with a Senior Sales Head who has moved on to another company. He wasn’t fussed at all to tell me about a large Managed Services deal he closed last year with his old company that also included a heap of leading-edge “security” products. “We made a squillion! But you know what Draz, while it’s ‘okay’, it just doesn’t work in some critical areas – parts of the SLA the client deemed as critical to them and areas we told them it would work. They won’t know and the chances of them finding out are low to non-existent.” “How could you do that?”, I asked. “Well, it was a key requirement for the client and we decided we could do a sort of ‘workaround’ that almost gave them what they really wanted. They don’t know that. We wanted to win this business and we did what it took to win it.” Knowing what it was he was talking about, and to protect my source, I won’t go into detail about it, but their “workaround” was not so much a “workaround” in my opinion, but rather, something that totally changed the outcomes of the deliverable to a level that potentially would increase the risk to the client. How often does this happen? More often than not in my opinion, and we see stuff like this all the time.

A recent discussion in our office about WAFs: “What percentage of the major vulnerabilities that we’ve found in the last 50 web application security reviews could have been stopped if the client had a WAF?” The consensus was – not many, and even fewer of the really bad ones! That alone is concerning and flies in the face of the benefits claimed for such workaround solutions. “Betting”, on the part of the client, that a dedicated attacker will be impacted by their implementation of a WAF is a risky approach to take. I am not totally against WAFs. We’ll sell them one day, but only under certain scenarios. They’ll probably get better, but sole reliance on a technology creates more risk – not less, as they [the client] would have expected by deploying it. Add the following to the equation and there’s even more to think about. This part is scary.
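To make the “workaround versus root cause” point concrete, here is an added example (it is not part of the original post and is not modelled on any vendor’s product): a toy blocklist “WAF” sitting in front of a login query that concatenates user input into SQL, beside the same login written with bound parameters. The rule set, the table, the user names and the passwords are all constructed for this example. It shows why the office question above comes out the way it does: the filter stops the textbook payload but not a trivially reshaped one, while the parameterized query is unaffected by either, because with the root cause fixed there is no SQL for the input to become.

```python
import re
import sqlite3

# Toy signature "WAF": a blocklist of patterns a first-generation appliance
# might ship with. The rules are hypothetical, written for this example only.
WAF_RULES = [
    re.compile(r"(?i)\bor\s+\d+\s*=\s*\d+"),   # ' OR 1=1
    re.compile(r"(?i)\bunion\s+select\b"),     # UNION SELECT ...
]


def waf_blocks(value: str) -> bool:
    """Return True if any blocklist rule matches the request parameter."""
    return any(rule.search(value) for rule in WAF_RULES)


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed sample data.

    Plaintext passwords are kept only so the injection point stays visible;
    a real system stores password hashes, never the passwords themselves.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The root cause: untrusted input concatenated into the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username: str, password: str) -> list:
    """The root-cause fix: the driver binds values, so input is data, not SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def run_demo() -> dict:
    """Run each constructed password value through the filter and through
    both login implementations; return the observed outcome per payload."""
    conn = make_db()
    payloads = [
        "s3cret",          # alice's real password: must work either way
        "' OR 1=1--",      # textbook payload: the blocklist catches it
        "' OR 'x'='x",     # same attack without digits: sails past the rule
    ]
    results = {}
    for pw in payloads:
        results[pw] = {
            "blocked": waf_blocks(pw),
            # rows the concatenated query returns (3 means every user matched)
            "vulnerable_rows": len(login_vulnerable(conn, "alice", pw)),
            # rows the bound-parameter query returns for the same input
            "parameterized_rows": len(login_parameterized(conn, "alice", pw)),
        }
    return results


if __name__ == "__main__":
    for payload, outcome in run_demo().items():
        print(repr(payload), outcome)
```

Running it shows the legitimate password returning one row through both queries, the textbook payload being blocked by the filter (while the concatenated query behind it would still have returned every user), and the reshaped payload passing the filter and returning all three users through the vulnerable query but none through the parameterized one. Adding a rule for the second payload just moves the game to the third; the bound-parameter query closes the whole class.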

Dealing with the root cause is too hard, and many critical thinkers in our industry have accepted that we’re never going to be able to effectively attack this root cause. That concerns me. We as an industry are very insular and, as a result of this, many have made the determination on behalf of broader society that the cause is a lost one. How can you do that? I say broader society awareness is going to help. When society is more aware, we make a determination on what we expect and what we don’t want to accept. Let’s not give up on this and accept that our hands are tied.

Some further reading:
- Metl on Risky.Biz: The Infosec Industry is a Fraud
- Cyber security at the Crossroads
- “System” view security vs. “Application” view security
- Sucking corporate security budgets dry
- Have we made any real and measurable progress in 2008?
- Talking with David Rice
- It’s all just a matter of time…….

Okay, flame on.

3 Responses to “Workarounds, accepted mediocrity and questionable future benefits/improvements….”

  1. Waiting for the generational breed out of the current boys club and the coming global awareness and masses of tech literate. That and 2012, Towers of Babel…

    Meanwhile, back @ the ranch, we anachro-cynicist-decentralists are quite happy to now watch the snakeoil and poke fun, contribute now and again, and work on the projects we deem socially responsible while educating and slowly changing awareness. As with most things once one becomes enlightened it is only a matter of time… tick, tock…

  2. D2, your first point is good. The more that “influence(r)s” outside of the industry become involved in influencing directions within the industry, the more you would expect that things we see as too hard or near impossible can become realities. We know within the industry what needs to be done to improve things (regardless of how hard it may be) but we shouldn’t and cannot be the ones to make that call on behalf of society in general. (Going over much of what I have said already in this post and many previous ones). We’re an indirect factor [the IT security industry] ourselves, i.e., we don’t build the technologies, we don’t market and sell them (directly). We should though be the guide(s) to those who are in a position of influence and can make change, and guide them to the best of our abilities. If we give up, what sort of signal does that send to those people who rely on expertise from within our industry? Yes, time will “breed out” elements of the industry that do hold things back also, and there’s a lot of that that won’t be missed.

    Let’s not decide to give up and go down the “easier” path and neglect continual focus on what we know needs to be done. “Pragmatic” sometimes (most times?) means mediocre when used to discuss IT security issues, and if people are keen to accept that above the long-term good, then they’re doing everyone a disservice.

  3. I think people confuse “mediocrity” with “pragmatic”. An easy enough mistake sometimes.

    I think a security professional – if he/she is indeed a professional – should be able to tell the difference between a mitigating strategy or ‘compensating control’ (to borrow a PCI-DSS term) and a sturdy, robust solution. A good security professional should be able to do a risk assessment, come up with a reasonable estimate of how much effort to apply to a given solution.

    Sometimes, they will raise hell because they know the problem is large enough to warrant it. Other times, they might just have to accept that some things have to fall by the wayside because they have other, higher priorities. And sometimes, just sometimes, they will get it wrong. It’s just a fact of life.

    Until security teams start controlling the purse strings (heh) then businesses have to rely on the security professional’s judgement and ability to articulate (as well as escalate) the more serious issues to the right people. That’s what we’re paid for.

    Re: your example Drazen, let’s not confuse “salesman” with “security professional”. ;-)

    - J.
