A nice and rainy Sunday evening, at least from the perspective of the couch that I was on about 10 minutes ago. I have now gotten up and walked to my laptop to rant, rant about cyber and rant about the many excuses that companies use to not become more resilient against attacks. Funnily enough, those excuses have now become the excuses of the cyber people as well. This post won’t really solve anything; it will however allow me to refill my glass of wine and bring me a warm fuzzy feeling of having shared my opinion online, without any goal or intended audience.
If you just want to have a drink (non-alcoholic included) and read some chaotic ranting, do continue. I hope you get at the very least a laugh out of it, since your pool of tears has probably dried up a long time ago if you work in cyber security. Oh, and if you strongly disagree with this post or it gets you angry or frustrated, just remember that I wrote this to relax, enjoy some wine, rant and then on Monday start all over again with attempting to make the reality in which I operate just a little bit more resilient, if possible.
The last X years (whereby X is denoted by your own personal experience) have been amusing: seeing how hacking, breaches and cyber have received so much attention, funding and the cry for “Cyber should be at the board level”. About 10 to 15 years ago, breaches and hacks also happened at a lot of high-profile organizations. Yet they didn’t receive the media or police attention they receive now. Some argue that is due to the “highly interconnected” and “highly dependent” new world that we live in, which, it is often argued, will cause a larger impact on society when disrupted.
In a sense this is then confirmed by ransomware and the visible sudden stop it often brings to those companies that have been affected. For some in the cyber security industry this has been the event that leads them to say “you should have fixed your pentest findings”, for others it leads to “you should have monitored your environment” and for others it’s just been an event that you shrug off with a simple “shit happens”. I unfortunately have to admit I have been among all of those, since, well, they are all kind of true, but not fully. After a while new buzzwords start to pop up, like zero trust; call me an old fart, but I’d say: what is so different from the Jericho concept?
This is (at least for me) the loop that you get so tired of when you work in cyber security. New buzzwords, wise words (from red team, blue team) to the builders of networks and software, but little advancement in eradicating the root causes of many issues that have haunted us for years. Not all is lost however; things like U2F, which has visibly tackled password phishing, and the many advancements in making memory corruption much more difficult to exploit do provide a glimpse of hope.
That hope is crushed as soon as you step out of your bubble however. A large part of the cyber industry is still advocating awareness or being absolute about security solutions, which they are technically correct about, but it doesn’t really move the needle for the rest of the world. That hope is also crushed when you talk to people who have to build software, networks or create golden images for workstations. Understaffed and with a lot of deadlines, the only goal is to deliver, regardless of security. Although, since this is my perspective, it could still be that N=1 and my rant is really just about the tiny bubble that I call my reality.
The universal get-out-of-jail cards for not bothering with security usually boil down to:
- Can you show me the business risk?
- We can’t because we have a deadline
- What about user experience?
How have we allowed those arguments to ever come into existence? I mean, if we (and by ‘we’ I mean anyone that has developed software, networks, computers or security measures) do some soul searching, how can it be that it is easier for people to set up entire cloud infrastructures with complicated dependencies than to change default passwords, disallow unneeded traffic or limit permissions to only those that are strictly necessary?
Yes, I know the world is not as easy as it should be. The reality is much harsher than we would all like, and we can’t just magically wave a wand to eliminate legacy IT. However, even when we have the chance to do it right, it just takes so much more effort than it should.
Have you ever tried to segment a large network properly? This includes rebuilding networks after a ransomware incident. Suddenly, all kinds of software and requirements start to pop up that require all kinds of exceptions, up to the point that those exceptions create a wonderful path to full compromise of the network. Have you ever tried to clean up the Active Directory of a large enterprise or implement allow-listing? Why on this god-forsaken world is it so difficult to do any of the above? We live in a world where we claim millions of users depend on IT, but many times it surely seems like we design most IT solutions for a group of 10 users max; any larger and it becomes a tedious task to implement, test, approve, fix, improve and finally deploy into production.
Well, that surely felt good; that last paragraph made me feel relieved about half the problem. The other half is the whole damn, might I dare to say, invented company politics? Nobody knows how it works or why it works, but everyone knows it is critical to the company. It is not monitored or maintained, but don’t you dare look at it, touch it or even think of it. Everyone is concerned about the convenience of their users, except when those users have to fill out multiple forms for a process that nobody knows why it exists in the first place. The latter is accepted within many companies, but implementing measures that make the environment safer for the end user can’t be done because it would be inconvenient.
So, yes, I do understand that since we seem to be unable to implement what is really necessary, we resort to all kinds of band-aids like a lot of pentesting and monitoring and fancy new buzzwords. For some companies those are useful, because they have started to implement the fundamentals. For other companies it really makes me wonder. The 100 or 200 or 500K that they invest in cyber: what would happen if that were invested in more network and system administrators? What would happen if the board encouraged the implementation of safe defaults and proper IT fundamentals? Now, before you go yelling “cyber at the board level”: fundamentally manageable and qualitatively good IT should have existed before cyber even became a thing. If you as the board don’t know what the quality of your IT is, how on earth do you expect to be able to protect it against attacks?
However, when I look at the reality of the software that we work with, I can’t really blame companies for not doing what their security advisors (cyber peeps, if you prefer) advise them to do. It really is god-forsaken difficult to properly implement a lot of the recommendations with the tools that we currently have, within the expectations that most companies have in terms of speed, agility and cost of delivery. I mean, security is still an add-on for some of the vendors, just because otherwise the project cost would triple, so they opt to not implement it by default but have their clients explicitly select it. Yes, I’m purposefully ignoring the possibility that the reason could also be that it allows them to make more money. I mean, if you’ve come this far, in my book this already counts as a fair rant; let’s leave money out of the equation.
Bottom line: ranting won’t change a thing. We will probably be stuck in the loop of attempting to implement cyber solutions because we aren’t able to implement the IT quality that we really need. Luckily a lot of people are working on offering the right tools at the scale that is currently needed. Not always perfect, but I like to think that we are a bit better off now than we were yesterday.
I might keep writing rants in the future; a nice glass of wine, the time to write down my thoughts and the upcoming rainy period make for a pretty enjoyable combination.