Doing the right thing
Do The Right Thing Way

I often listen to talks from infosec industry leaders and especially enjoy the ones about offensive security and pentesting. Hearing war stories, creative break-in attacks and "oh, SH*T!" moments (sometimes serious) is really entertaining, giving me perspective that it's humans behind security and we're all indeed human.

One individual I like to listen to is John Strand from Black Hills Information Security. His training and talks provide the infosec community invaluable insights and perspectives, often pushing us as professionals. One such presentation is "How to not suck at pentesting" from DerbyCon 2014. Yes, this talk was given over nine years ago, but the principles and tips are still very pertinent today.

John addresses the lackluster results from "puppy mill pentests" that some firms provide, usually a Nessus report with only the critical findings highlighted. He says that if the automated scan report doesn't have any critical findings, the customer is often given a false sense of "security" that they are properly fortified, with a "good job" pat on the back, which is often miles away from the truth. He talks about delving deeper than the critical-level findings, validating and reporting true vulnerabilities for the customer that could lead to really bad days for them.

About three quarters of the way through his talk, he says the following, which really hit home for me:

It's time to stand up and try to push back a little bit... I know that's hard, I know that's difficult, and you are going to fail. And as I say in almost all my presentations, you are going to fail doing the right thing. But I would rather fail doing the right thing than live my entire life doing the compliant thing. That's not something I want to go to my grave and say, "Ah, my environment is PCI compliant". That's not what we are here for. That's not the way we want to go out.

In the context of his talk, this means doing the right thing for the customer and providing a pentest engagement that will actually help them progress towards reducing their risks.

This made me think of my tenure in this field and the times when doing the right thing was not popular. Sometimes we get pushback, and occasionally direct opposition, on what we know to be right: the things that will put the organization at risk, sometimes in grave danger (as Jack Nicholson said in A Few Good Men, "Is there another kind?"). As security professionals, our purpose is to protect the entities we work for, and we are often passionate about the right way to guard the lifeblood of the business.

As a lot of us do, we push back ourselves and eventually, after orating honorable defenses that would make trial lawyers proud, we finally concede as we feel overridden. Our internal dialog exclaims, "they just don't understand!" or "you don't see what I see!", the gaping holes and imminent doom that await in the shadows. We just hang our heads in disgust (maybe sadness?) that the dumpster fire continues to burn despite our best efforts. We acknowledge that we've been defeated, having fought many a good fight, which often leads to a non-productive, nonchalant attitude. Not only are we battling the incessant attackers, but we are also engulfed in the internal battle. It's no wonder to me that infosec professionals burn out and great, talented professionals are lost from this industry forever.

Now, that may seem like doom and gloom, worst case scenario, or just negative thinking. I want to let you know that there is a light at the end of the tunnel and there is a way to gird yourself to keep battling on. 

First, as John Strand says above, you will fail doing the right thing, but that doesn't make you or the infosec program you're trying to mature a failure. You are doing your part. You are notifying the knights of the round table that there are threats to the kingdom at the gates (or already in your courtyard!). Part of your job is to be that sentry on the tower, yelling down when a warning needs sounding.

Second, know that once you proclaim the warning, it's up to the powers that be to decide what to do with your urgent messages to prepare and take up arms. The leaders that run your organization are the decision-makers who determine its direction. If you've done your job, you've given them all the details of what could happen, the risks, the potential outcome, and how to mitigate it, documenting it all. Part of your role is to work within those decision parameters to continue to protect the crown jewels within your sphere of influence.

Third, using creative thinking, sometimes with other teams, we can come up with ideas that may seem like a compromise, but in reality are steps towards the eventual ideal solution. It may not be the perfect armor that covers all body parts, but a breast plate and a shield may be what you have for now; "better than nothing", as we sometimes say. Sure, is it going to protect against all attacks? No. But the vitals are covered, withstanding the fatal blows that would surely bring a quick demise.

Fourth, information security is progressive. Not progressive in the reformist definition, but rather evolving and improving. As we know, there is no perfect security with digital systems except, of course, ones that are completely disconnected from any access, which leaves an unusable asset (remember that Availability thing?). As I mentioned above, maybe that breast plate and shield will stave off attackers going after the heart, but we can add armor as we move forward to avoid injuries to other areas. If a wound to an appendage maims, we can recover and heal, adding armor in a piecemeal fashion to protect against future blows. Sure, it will hurt like hell and incapacitate for a time, but infosec spending does take a temporary jump right after serious breaches, as we've seen time and time again.

And lastly, your sanity... even though we take our roles seriously, realize that the company doesn't revolve around you. It is a job; fight the good fight while in the ring, and look back at the successes of yesterday to fuel the fire of tomorrow. Remember why you are in this industry in the first place. Go back to that time in your mind and garner the thoughts that started it all. Think about how you asked questions, loved to break things apart, the thrill of discovery. Now, make it a goal to rekindle that passion somehow, whether it's talking to your manager about a side work project you want to do, doing an occasional CTF, working on a certification for the fun of it or just hacking that Defcon badge you've been wanting to figure out. Just do it!

I'm not saying that these are the answers of the universe (it's 42 after all...). I do know that we're all here, trying to make a difference and generally doing the right thing...


Why I go to DEFCON

What is DEFCON? 

DEFCON is the world's largest hacker conference, held in the desert of Las Vegas every year in blazing-hot August. Seasoned hackers, beginner hackers, security professionals and individuals from three-letter government agencies all attend (the latter in disguise). This event has gotten so big that it usually encompasses a large conference center and areas of three major casino hotels. It's awesome!


What is there to do at DEFCON?

You name it. If it has to do with hacking, you can probably experience it. Each of the bullets below ends with an "etc." because there is so much to do.

  • Presentations: DEFCON Talks, SkyTalks, & Village presentations, etc.
  • Villages: IoT, Car Hacking, Lockpick, Social Engineering, etc.
  • Challenges: Capture The Flag (CTF), forensics, crypto, etc.
  • Contests: Sheep Hunt, Lockpicking, Mystery Box, etc.

DEFCON spans three to four days, depending on how many extra-curricular activities you participate in. Doing it all is physically impossible. It's best to get on the DEFCON website for the current or past years, see what talks, villages and activities are interesting to you, and formulate a game plan for while you're there.

  • Want to learn how to hack a Tesla? Make sure you hit up the Car Hacking Village.
  • Interested in gaining breaking-and-entering skills? The Lock Picking Village and contests may be right up your alley.
  • Ever wondered how secure our country's voting machines are? Go to the Voting Machine Hacking Village and talks. You'll be very surprised.
  • Curious about payment systems like point-of-sale machines, ATMs or bitcoin wallets? The Payment Village and presentations may fascinate you.
  • Have you always wanted to learn to solder a cool project? Head over to the Hardware Hacking and Soldering area for instructions and tips.


So, why do I go to DEFCON?

I go for a couple of reasons...

First, I learn so much. I've learned how to be a better defender from attending and hanging out at the Blue Team Village. Some of the challenges that I've done were oriented around finding bad guys that are either banging at your network's door or ones who have snuck in, hiding in the woodwork for the perfect moment to take your jewels. Learning these attack methods has helped me fortify defenses for the companies I have worked for and slow the criminals down (anyone who has worked in information security long enough knows that there is no perfect security).

One of the fun things to watch in the Blue Team area is the Wall of Sheep. The Wall of Sheep is an interactive demonstration of what can happen when network users let their guard down. The Blue Team Village folks passively watch network traffic, looking for evidence of users logging into email, web sites, or other network services without the protection of encryption. Those they find get put on the Wall of Sheep board as a good-natured reminder that a malicious person could do the same thing they did ... with far less friendly consequences.

Wall of Sheep
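To make the Wall of Sheep idea concrete from the defender's side, here is an added example that is not part of the original post or of the Wall of Sheep project's own tooling. It takes a handful of constructed "flow" records (source address, destination port, first bytes of the payload) and flags logins sent over protocols that carry credentials in the clear (FTP, POP3, IMAP, HTTP Basic auth), while ignoring ports where the payload would be TLS and therefore opaque. Passwords are redacted before reporting, the same courtesy the real board extends. The port-to-service table, the sample flows and the `find_cleartext_login` / `wall_of_sheep` names are all assumptions made for this example.

```python
import re
from base64 import b64decode

# Services that expose the login when used without TLS (assumed table for this example).
CLEARTEXT_PORTS = {21: "ftp", 80: "http", 110: "pop3", 143: "imap"}
# Ports whose payload is TLS from the first byte: nothing readable, so nothing to flag.
ENCRYPTED_PORTS = {443, 990, 993, 995}


def redact(secret):
    """Keep the first character so the owner recognises it; hide the rest."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_cleartext_login(src_ip, dst_port, payload):
    """Return a finding dict if this flow carries a cleartext login, else None."""
    if dst_port in ENCRYPTED_PORTS:
        return None
    service = CLEARTEXT_PORTS.get(dst_port)
    if service is None:
        return None

    user = secret = None
    if service == "http":
        # HTTP Basic auth is just base64(user:password) in a request header.
        m = re.search(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", payload, re.M)
        if m:
            try:
                creds = b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:
                return None
            user, _, secret = creds.partition(":")
    elif service in ("ftp", "pop3"):
        # Both protocols send USER and PASS as separate plain-text commands.
        mu = re.search(r"^USER (\S+)", payload, re.M)
        mp = re.search(r"^PASS (\S+)", payload, re.M)
        if mu and mp:
            user, secret = mu.group(1), mp.group(1)
    elif service == "imap":
        # IMAP LOGIN: "<tag> LOGIN <user> <password>"
        m = re.search(r"^\S+ LOGIN (\S+) (\S+)", payload, re.M)
        if m:
            user, secret = m.groups()

    if user is None:
        return None
    return {"src": src_ip, "service": service, "user": user, "password": redact(secret)}


def wall_of_sheep(flows):
    """Run the detector over every flow and collect the findings, in flow order."""
    return [f for f in (find_cleartext_login(*flow) for flow in flows) if f]


# Constructed sample traffic; no real hosts or credentials.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, "GET /mail HTTP/1.1\r\nHost: webmail.example\r\n"
                     "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),  # alice:hunter2
    ("10.0.0.7", 21, "USER bob\r\nPASS s3cret\r\n"),
    ("10.0.0.9", 443, "\x16\x03\x01\x02\x00\x01\x00"),          # TLS ClientHello, opaque
    ("10.0.0.11", 143, "a001 LOGIN carol pa55word\r\n"),
    ("10.0.0.12", 110, "USER dave\r\nPASS letmein\r\n"),
    ("10.0.0.13", 80, "GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # no credentials at all
]

if __name__ == "__main__":
    for finding in wall_of_sheep(SAMPLE_FLOWS):
        print("{src} -> {service}: user={user} pass={password}".format(**finding))
```

The same logic, pointed at your own network's traffic, is a useful inventory of where TLS is still missing: every hit is a login you can move to an encrypted port before someone less friendly notices it.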

Second, I enjoy meeting up with friends and hanging out. We're all busy professionals with life demands and sometimes this is the only time to get away and reconnect. I've met cool people, had job interviews with potential employers, sat and laughed with old friends over dinner and in the hallways of DEFCON. The people I've met have been amazing, especially when you learn what they do and don't do for a living.


Finally, information security work can get stressful and frustrating at times. DEFCON is that opportunity to get away and experience again why I got into this industry in the first place. I love being a hacker and fighting bad ones in the technical realm.

Offensive, Defensive... I love both. Break and be broken, it's all part of the hacker ecosystem. It's a truly different world that not many truly understand. 


So... go to DEFCON. Make it a yearly pilgrimage. 

I do. I'm addicted. I'm a DEFCON junkie...