Cybersecurity is (seemingly) pointless (Devils Advocate rant)
Hear me out.
I am a Cybersecurity "Professional" as one might say, so I am not just a random person ranting... I love my industry and have a passion for protecting the cyberspace.
However, when I gauge the ability of persistent threats and the resources us "good guys" have to protect against them, on a large scale it is seemingly pointless.
Side note: It's not even about a lack of resources. I think even if we had enough seats in chairs and money to go around, it still wouldn't be enough. 5 creative malicious actors can out perform 5,000 Cyber analysts + Security orchestration, automation, and response (SOAR) programs - it's not even a comparison.
We can protect a network from very specific threat vectors, like phishing e-mails or malicious downloads, which low level attackers may employ against company assets - fine. But past this, we have absolutely no way of protecting against a motivated team in a catastrophic attack.
When people talk about "protecting our infrastructure" I just don't possibly see how it can be done at a large scale.
Our only saving grace is MTTR or alternative solutions.
Take the AT&T event today as an example... (not implying it was a cyberattack).
Individual enclaves within companies may be able to do so for their sustainment, but at a societal level, there are creative ways to shut down businesses that we simply don;t have the ability to account for.
And this type of thing applies to every single country, it's the nature of the industry at the moment.
I hope I'm wrong - and I hope someone has a rebuttal!
24 comments
[ 5.0 ms ] story [ 61.2 ms ] threadI'm curious how policy will shape anything outside of that standard, however. Because for a company, that philosophy (full mitigation is not the goal, risk acceptance is) is sufficient. But for civil function, it stops a little short. It's unacceptable at the policy level if major banks go offline for 48 hours - or if traffic lights stop working on major roads - or if the hospitals go offline.
I don't have a solution, either - I'm just pointing out that when Cybersecurity is talked about, it really isn't understood from this perspective. Really, all we can do is mitigate risk, BUT, there will be a time where all these vectors will be utilized (hopefully not) and when/if that happens, people will debate how we got there. It's a near-impossible thing to avoid.
Lets break down what it really means to apply risk management to strategy and actions:
You think through potential outcomes of security breaches, and plot them on a likelihood/consequence grid. Then you put a lot of energy into high likelihood, high consequence items to move those concerns down on one or both of those axes, or to have detailed mitigation plans in place if there are items that truly cannot be moved.
When that is done, you move on to the 2 quadrants that require more strategic thought - high likelihood/low impact and low likelihood/high impact. Personally, I try to come up with mitigation plans for low likelihood/high impact, while trying to move the needle down on the high likelihood/low impact concerns.
If you get all that done, you either have corrected or mitigated everything other than low likelihood/low impact, and you are likely in a "good enough" state, where you can breathe a bit easier and just work on incremental improvements.
All that being said, corporate vs. civil doesn't change your process - what it changes is the "impact" axis. Different data, same approach.
There is only, what, 600% year-over-year growth in cyberattacks every year for the last 10 years? With exponential growth that slow you can keep outrunning them for like, 5-10 more years until there are enough hunters to eat you all.
With that, I see cyber security as an auditor and/or teaching field. =D
Just because your store can be broken into doesn't mean you can't take measures that make it much more difficult.
It's not that security mechanisms in a store are pointless, simply because you can't defend against the most advanced criminals.
You can make things much more difficult for criminals so they'll go to another store instead. Or at least they'll have to put in more effort as well.
Even if you do all of that, there is no guarantee criminals will move to the next house since they might have knowledge of a “zero-day” hole that you or even the manufacturer does not yet know about. Or you did not get around to patching one of the new holes in your wall.
So no, this is not apples to apples.
Of course if you want to enable people to make important decisions from their homes, you have two options, build a box around their homes too or accept that they are outside of the box and treat all of their activity as suspicious.
I would argue offense and defense are part of the same sports game. Soccer is a good analogy. Can you play pass?
J
https://noameppel.com/SecurityAbsurdity.pdf
Cybersecurity on the tech side, for most firms, is laughable. It indeed follows the herd model, where no one ever got fired for following "best practices", like forced password rotation every two weeks with no password reuse and absurd character requirements.
It takes a firm like Google to innovate with BeyondCorp / ZeroTrust initiatives and innovations. The rest of us are waiting for npm update to finish while CrowdStrike is consuming half the CPU of our MacBook Airs.
They have a lot of influence with Congress, and they know hacking can be stopped by experts, technology, and good habits.
I would recommend you check them out :)
CISA.gov
Ken Thompson underlined the crux of it it back in '84 with his "Reflections on Trusting Trust"[0]. People chattered, but it was effectively ignored. All of the nessus scans, rustifications, yubikeys in the world aren't going to solve the fundamental problem, which is lawlessness. When it all breaks catastrophically, this will change. Actual cyber-security will increase, but we will be presented with a different set of problems, which may be worse than the ones we already have.
What is worse? The occasional Mossad hack, or the impenetrable digital despotism of FAANG walled-gardens, but with even bigger moats built on either federal regulation or better technology? From what I've seen, the appstore has screwed ordinary people much harder than east euro hackermans would ever dream of. If the problem were solved purely with engineering, the jailbreakings of geohot and bunnie never would have happened. If the problem were solved via regulation, geohot and bunnie would be rotting in jail like Assange. In other words, be careful what you wish for.
[0] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
The closest analogy I can give to the state of things right now is to imagine our current power grid with absolutely NO fuses or circuit breakers. Instead of assuming that a circuit somewhere could be compromised, we've invested millions of human lifetimes being very careful about what we connect to the grid. Houses and businesses would routinely burn to the ground, power outages would be commonplace across all scales, any time a circuit fault developed, anywhere.
Instead of giving every device plugged into every outlet everywhere full access to all the power available on the grid, we use circuit protection. You're not going to be able to power a factory from a single 120V single phase outlet, but you can do useful work with it. Thanks to fuses, circuit breakers, and the like, you can effectively use any outlet in your home for almost any conceivable use, without worry. The same is obviously not true for computers, and running programs, although it used to be true!
Back in the early days of computing, we had systems which didn't have a single persistent mass storage. Because we booted off of removable and write-protectable media, it was possible to have a "known good" boot image, and make copies of it. It was always possible to bring the system up in a known good state. It was always known what disks were at risk for corruption, as they were the ones in the disk drives without write protection. You couldn't corrupt disks that weren't in the drives. Sanity was easy to preserve, and we routinely purchased tons of software and just tried it out without a worry.
Thanks to hard drives, and now SSDs that can't be write protected, we'll never be that safe again. Especially when our operating systems can't enforce write protection on even their own code.
We can fix it, but my personal estimate of when that would happen is about passed now.... I figured it would be about 2025, but these days I'm not sure it'll ever happen at all.
Edit/Append - Apparently there are forensic USB3 bridges which could be used to make your media actually read-only. They aren't cheap, though. That's half the problem, the other half is in the OS, and the Genode project (a Capabilities based Operating System) is going to spend 2024 focusing on usability, so a solution might actually be at hand.
But hey, nobody wants to admit that they fell asleep on the wheel. Then suddenly "IT security" was dead and "Cybersecurity" was born.
I get your feelings. Some organizations have the wisdom to give the CISO a chair on the big table, and some others prefer the quick buck at the risk of the big disaster. There is no correct answer on this. Their company = their choice. We can only chose to not-shop-from or not-work there.
Don't think of infrastructure as "one big thing". Consider that it was being secured one-asset-at-a-time. So, one server = 1 server hardening = Farm/WLAN+Firewall+IPS+IDS+Vuln+PenTest. And then you automate. One of my favorite mottos are "set it and forget it" (but set it right, automate the tasks and review schedulers and results thoroughly).
So yes.. it can be done, good and well, it can add value/reduce risk.
The problem is that the instant a Microsoft Windows PC comes online, it transmits a much of obfuscated packets, some of which relate to Windows licensing authentication.
Hi. I'm a Principal Security Consultant, former Red Teamer and Red Team Manager.
I completely sympathize with your position but I do think it's a resource issue. A really good defense (one that can detect and react quickly) only has to win once, just like the attackers. Sure, it'll take a while to clean up the mess afterwards, but one detection is the beginning of the end if it's a good one.
You need talented senior people who are good at working together on a purple basis to build the defense to that point. Lots of people say the cybersecurity skills gap isn't real, but at that level, it is. Even Fortune 500s struggle to meet that maturity level, let alone smaller orgs.
Is it realistic to try to lift smaller orgs above that security poverty line? I dunno. I'm sort of agnostic on the future of AI, but if that works out, I think the current pain will ease significantly.
I think that web is broken and needs to be fixed.
To buy something I need to part with some information that is useful only for the process of buying something (name, adress, credit card etc). After the goods change hands the company needs a part of this for their accounting and taxes. All my info should be anonymous and encrypted.
But this is not the case. Companies keep my info uencrypted because its easy to do and leak it when someone breaks in. This happens again and again.
I should own all my data and store it locally and only send it to a website if I want to buy something. Profiles stores should not be used.
So we need standards for how to store information and who is supposed to store what and how.
So your comment about cyber security made me think that its pointless, as we are trying to put out fires instead of fix a broken design which allows the fires to start in the first place.