Tuesday, December 29, 2015

Security reminds me of the gym on January 2

If you have any sort of gym membership you dread the month of January. Every year, there are countless people who make a resolution to get in shape, so the gym is flooded with people for much of January. I'm in favor of everyone staying in shape and having a gym membership, my point isn't to claim how annoying the n00bs are. The point of this story is how few people stick around, and most give up because doing nothing is often easier than doing something.

What does this have to do with security?

The parallel here worries me. Let's use Heartbleed for our context.

After Heartbleed (January 1), everyone was talking about security, it was super important and everyone wanted more security (flooding the gym). After a while (February) most people stopped obsessing over security, a few stick around, most don't. As a species we're not really doing any better now than we were before Heartbleed. You could make some arguments, but it's a rounding error at best.

The real issue here is this is how humans work. We love running to whatever is popular, pretending we always knew it was cool, and watching for whatever next hip thing will pop up for us to latch on to.

Our current security problems aren't technology problems, they are human problems. We have to assume we can't change human nature. The vast majority of people will never take security seriously. They know it's important, they might even want to do it right, but at the end of the day they're not going to do anything about it.

The only solution is to make secure the default option.

This is probably harder than changing human nature.

Can this problem actually be fixed? I'm not sure. I need to think about it. I don't want to say no, but my crystal ball is pretty fuzzy here. There are a lot of weird problems all tied together in bizarre ways. I'm always happy to listen to new ideas, let me know if you have any. The more I learn the less I know seems to be the only constant.

Join the conversation, hit me up on twitter, I'm @joshbressers

Monday, December 21, 2015

A Christmas Cyber

Mallory was dead: to begin with. Bob knew he was dead, and nobody liked Bob, he was the security guy, nobody likes the security guy.

"Merry Christmas Bob!" said Alice. "Bah humbug!" was the reply. Bob had to work over Christmas protecting the network, he had no reason to be merry. As Bob opened the door to the server room he noticed the door knocker looked like Mallory, which was odd as the server room door didn't have a knocker. A closer inspection led Bob to believe his mind was playing tricks on him.

Bob sat down at the terminal and heard the door slam shut. This is of course impossible as the door has a slow closer on it so this sort of thing couldn't happen. As Bob peeked around the side of the terminal he saw the ghost of Mallory.

"How now!" said Bob, "What do you want with me?"

"Much!" said Mallory.

"Tonight you will be visited by 3 spirits, they will guide you in hopes that you can avoid my path."

Mallory walked backwards, hit his head on the door, fell down, then stood up, looked around, and snuck out as best as one can after running into a door and falling down.

"Still an idiot" thought Bob. "I can't imagine any of this is real."

Cyber Past

Later that night while reading Alice's mail instead of checking the IDS logs, Bob heard a sound that made him look up quickly. There standing before him was a woman with a ghostly appearance.

"I am the ghost of cyber past" whispered the spirit. "The ... what, wait, what? This stupid thing is real?" "I'm here to show you how you used to be, the shadows of things that once were."

Instantly Bob was transported to the server room ten years ago. He was speaking with the lead architect about how to secure the infrastructure.

"I remember him" recalled Bob. "He should have been fired for incompetence." "You weren't always like this" said the spirit "You once had hope you could change things and help them." "Well, I was a foolish youth, these people are beyond help now" Bob recalled.

The Spirit gazed at the youthful Bob. "We should create a security policy that will help keep the network secure, it's important not to get in the way too much, I have no doubt we can do this if we work together!"

Just then the scene faded and they were returned to the server room of today, a drab place that had no joy or good ideas anywhere you looked.

"Sigh, there are going to be two more of these bozos who come tonight I suppose. I probably won't get anything done. This will be worse than end of quarter."

Cyber Present

The clock struck one, which was odd given there isn't a clock in the server room. "Now why is that even needed" yelled Bob.

Bob looked up and saw another Spirit. "You're the one who will show me nobody likes me right!" The spirit looked at him and sighed. "This is why nobody likes you Bob, let's go."

The first stop was a party where Alice is talking to some friends. "Then he actually said bah humbug. I mean, who even does that. The guy is totally mental." Bob shouted "It's not like you're any better!" "She can't hear you" said the Spirit. Bob grumbled something foul to himself.

"I had hoped to show you more, but this is the only person I could find who even talked about you, seriously Bob, you need to be nicer to, well, anyone."

The scene changed to Bob's apartment. It was a disheveled room with clutter everywhere. The computer chair was the only place that didn't have a mess on it. "I have friends in World of Warcraft!" "That's a lie and you know it!" said the Spirit. "They kicked you out of the guild because you treat them all horribly."

"Really Bob, I've been doing this a long time, you're without a doubt the most unlikable person I've seen, you need to be nicer." "Maybe if they were nice to me!" "It really doesn't work that way. Stop being such a jerk." Bob looked at the Spirit "Aren't you supposed to be all mysterious and not tell me what to do?" "I've made an exception. Also, clean up this dump when you get home."

With that the room vanished and Bob was again in the server room.

"What a waste of time" he sighed. "That guy was dumber than the people I have to work with."


Cyber Future

The last Spirit was waiting for Bob as soon as he arrived. "This one is supposed to scare me" thought Bob. He looked up and saw one of his sales reps. "Oh FOR ..." "Hi Bob, shall we get going?" "I always knew there was something up with you, you actually are the devil!" "Spirit Bob, I'm a spirit." "Oh whatever, look, I'm busy, can we just assume you show me a terrible future so I can finish up?"

"No."

The server room was suddenly much brighter, it was clearly daytime at some point in the future. There were two people talking. "Will you miss him?" said the first person, Bob didn't recognize them. "Absolutely not" said the second person. "That guy was horrible. Nobody liked him, I'm amazed it took so long to fire him, what a pain". "You can't just be a tyrant, security is important, we need someone who can help, not just tell us 'no' anytime a question is asked." "Hah, that's true, all Bob ever did was say no and yell. Thank goodness they fired him."

"They fire me!" asked Bob. "They had no choice" said the Spirit. "You weren't actually helping, you just made problems worse really. Remember this is but the future that could be if you don't change your ways. There is still hope for you Bob, you can make things better instead of just being part of the problem. Tonight was all about showing you the error of your ways so you can become the security person you once thought you could be. The security person the world needs, it's important. It's time to go now, you've seen enough. I'll call you on Monday, I think your firewall it out of compliance."

With that the server room scene changed back to the present, it was dark outside and Bob was alone in the room. He shivered, it was suddenly chilly.

Bob took a deep breath, what a night. He looked up at the clock, it was almost time to head home. The future Bob saw made him nervous. "That's not how I want to go out, I'm smart enough to make things right" he thought. Bob leaned back in his chair. After thinking about what to do Bob decided he had to change things. That's not the future he wanted he had to build a new future. A great future, a future he deserves!

Bob grinned, grabbed a scrap of paper and started writing something down. He taped it to the door. The note read "Merry Christmas everyone, Love Bob."

"This will be a Christmas to remember" Bob said out loud.

He then shut off the power to the whole server room and left. His phone started ringing immediately and he ignored it as he walked to his car. "Nobody fires me!" he thought to himself. "I wonder if the guild will let me back in?"

Monday, December 14, 2015

Security is the new paperless office!

If you're old enough, you remember reading a lot about the coming "paperless office". It never came, but I realized there are parallels we can draw in the context of our current security problems.

Back in the 90's, everyone wanted a paperless office. It sounded neat and with the future coming, who would need paper with all the flying cars and hoverboards! It turns out paper didn't go away. Everyone keeps talking about how security is the most important thing ever, investing in the paperless office was once the most important thing ever.

Stage 1: Magic!

This is where security is today. Everyone knows it's neat, but nobody knows what to really do. Well some people know, but nobody listens to them. Instead we want a magic solution that will fix everything. Most of it doesn't work but who cares, it's magic, shut up and take my money!

The paperless office had tons of bizarre things from magic scanners to document systems to things that almost looked like a tablet to store all your paper. None of those things really worked well, they were't purchased by a lot of people. Anyone who owned an early Palm Pilot probably remembers how just keeping the thing working took at least double the time a paper book consumed. That doesn't even count the odd writing style you had to use, I'm having flashbacks just thinking about it.

Back in those days most companies had rooms to store the documents. It generally had a lock on it that was never locked, and most of the documents got filed away and were never ever looked at again. The amount of wasted paper and floor space was crazy. If there was a fire, everything got lost. The reasons to get your data out of those rooms was pretty obvious. Just like the reasons to now protect that data is obvious, but how to actually do these things is not.

Stage 2: There is no stage 2

The thing is, there wasn't ever some mega event that ushered in the paperless office, there will probably never be a paperless office. What actually happened, and is still happening, is we saw a lot of incremental change over the course of decades to bring us to where we are today. I wouldn't say we're anywhere near paperless, but we will continue to approach zero. There are some things that make life a lot nicer and things seem to keep getting better.

Most companies don't have massive document rooms anymore, they store much of that paperwork on a server somewhere. A decent system can tell you exactly who viewed what, when, and why. We do this because it's better in almost every way, but it took a long time to work out how everything fits together. I never print out maps or travel information anymore, it's all on my phone. I don't keep receipts, I just scan them. A lot of HR documents are filled out through a web browser. I pay many bills through a web browser.

There are still people who claim paper is better with a nostalgic glee. There are plenty of crazy arguments about why paper is better, these people aren't worried about utility though, they have a view of reality that isn't based on the utility of something, they like things they way they are. More on this person later though, we all know one, keep them in mind.

None of these paperless changes happened quickly or with much fanfare. It was just the slow march of progress. Security is happening the same way. There isn't going to be a singular giant event that changes everything, there will be lots of little ones. Over the course of the next decade some people will continue to make incremental improvements. Things will get better one step at a time. Security today is better than it was ten years ago, it's still bad, but it is better.

Here's the catch though. a lot of security people today are actually fighting change. It's not the way they would have done it, and instead of helping they like to complain about how nothing will work. They are going to be the people in ten years talking about how much better life was when everything was on paper in a giant warehouse. Those trees had it coming!

Stage 3: Wait, but there was no stage 2 ...

So the question now is what can we do? The question of how do we fix all this mess keeps coming up over and over again. Nobody can answer it, some people don't even understand the question. If you consider yourself a security person, just start helping. Be patient, answer questions, give good advice. As everyone learns new lessons things will improve. There isn't one fix. Regulation won't fix anything, huge corporations won't fix anything, insurance won't fix anything. Everything will slowly fix itself. The best we can do is try to go from slowest to slower.

There is a bigger issue of are the bad guys moving faster than us? I think today they are, if that will ever change is a debate for a different day.

The world is going to deal with these problems, if the experts help it will go a lot smoother, if they don't we'll still get there, it just takes longer. Don't be the guy who wishes for the good old days. Figure out how to help.

Join the conversation, hit me up on twitter, I'm @joshbressers

Monday, December 7, 2015

Security lacks patience

I had a meeting with some non security people to discuss some of the challenges around security. It's a rather popular topic these days but nobody knows what that means (remember 5 years ago when everyone talked about cloud but nobody knew what that meant?). The details are irrelevant, the most important thing that came out of this meeting was when someone pointed out as a group we are impatient.

I sort of knew this, but I wouldn't have listed this in the top 10 of "what's wrong with us".

What does it mean to be impatient? We don't listen as well as we should. We get tired of having to explain the same thing over and over again. We don't like to talk to someone who knows less than us (which is everyone). There are plenty of other examples, I'm not going to dwell on them though. It's likely many of us have no idea we're impatient.

I think the most important aspect of this though is how we deal with new idea. In almost every instance of someone proposing a new idea, we rarely talk to them about it, we spend time telling them why they're wrong. There is nothing security people like to do more than tell someone why they're wrong. Being technically correct is the best kind of correct!

I was at a working group recently where a number of people suggested new ideas. In almost every case the majority of time was spent explaining to them why their ideas were stupid and would never work. This isn't a good use of time. It's the help or shut up concept. We're not patient, we don't want to engage, we just want to prove why we're right and get back to doing nothing. Don't be this person, if you don't have constructive feedback listen instead of talking. Bad ideas generally self destruct during discussion, and discussion makes good ideas great.

Has bluntly telling someone their idea is stupid ever actually worked? I bet in almost every instance they double down and never will listen to you again. This is how bad ideas become bad projects.

How do I be more patient?

Being more patient isn't all that hard in theory, but it's really hard if you're used to proving everyone wrong all the time. You just have to learn to listen. It sounds simple but for most security people it's going to be really hard, one of the hardest things you'll ever do. Let's cover some examples.

A new way to classify security flaws is proposed, you think it's dumb. Do you
  1. Tell them why they're wrong
  2. Argue over why your way is better (even though you don't really have a way)
  3. Sit there and listen, even though it feels like your insides want to jump out and start yelling
The correct answer is #3. It's really hard to listen to someone else speak if you think they're wrong. There are few feeling of satisfaction like completely destroying someone's idea because it wasn't thought all the way through. This is why nobody likes you.

You find a remote execution flaw in some code a coworker wrote. Do you
  1. Make sure everyone knows they did this and push to revoke their git access
  2. Tell them how stupid they are and demand they fix the problem without any help
  3. Teach them how to fix the problem, listening to what they say while they're trying to learn
#1 and #2 are pretty much the way things work today. It's sort of sad when you really think about it.

If you just sit and listen, people will talk. Most people don't like silence. If you say nothing, they will say something. In the above example, the person you listen to will start to talk about why they did what they did. That will give you what you need to teach them what they need to know. This is how you gain wisdom. We are smart, we are not wise.

Listening is powerful. Patience is listening. Next time you're talking to someone, no matter what the topic is, just sit and listen. Make a point not to speak. You'll learn things you never dreamt of, and you'll build trust. Listening is more powerful than talking, every time.

Join the conversation, hit me up on twitter, I'm @joshbressers