I often listen to talks from infosec industry leaders and especially enjoy the ones about offensive security and pentesting. Hearing war stories, creative break-in attacks and "oh, SH*T!" moments (sometimes serious) is really entertaining, and it gives me perspective that it's humans behind security and we're all indeed human.
One individual I like to listen to is John Strand from Black Hills Information Security. His training and talks provide the infosec community with invaluable insights and perspectives, often pushing us as professionals. One such presentation is "How to not suck at pentesting" from DerbyCon 2014. Yes, this talk was given over nine years ago, but the principles and tips are still very pertinent today.
John addresses the lackluster results from the "puppy mill pentests" that some firms provide, usually a Nessus report with only the critical findings highlighted. He says that if the automated scan report doesn't have any critical findings, the customer is often given a false sense of "security" that they are properly fortified, along with a "good job" pat on the back, which is often miles away from the truth. He talks about delving deeper than the critical-level findings, validating and reporting the true vulnerabilities that could lead to really bad days for the customer.
About three quarters of the way through his talk, he says the following, which really hit home for me:
It's time to stand up and try to push back a little bit... I know that's hard, I know that's difficult, and you are going to fail. And as I say in almost all my presentations, you are going to fail doing the right thing. But I would rather fail doing the right thing than live my entire life doing the compliant thing. That's not something I want to go to my grave and say, "Ah, my environment is PCI compliant". That's not what we are here for. That's not the way we want to go out.
In the context of his talk, this means doing the right thing for the customer and providing a pentest engagement that will actually help them progress towards reducing their risks.
This made me think of my tenure in this field and the times when doing the right thing was not popular. Sometimes we get pushback, and occasionally direct opposition, on what we know to be right: on those things that, left unaddressed, will put the organization at risk, sometimes in grave danger (as Jack Nicholson said in A Few Good Men, "Is there another kind?"). As security professionals, our purpose is to protect the entities we work for, and we are often passionate about the right way to guard the lifeblood of the business.
As a lot of us do, we push back ourselves and eventually, after orating honorable defenses that would make trial lawyers proud, we finally concede as we feel overridden. Our internal dialog exclaims, "they just don't understand!" or "you don't see what I see!": the gaping holes and imminent doom that await in the shadows. We just hang our heads in disgust (maybe sadness?) that the dumpster fire continues to burn despite our best efforts. We acknowledge that we've been defeated, having fought many a good fight, and that often leads to a non-productive, nonchalant attitude. Not only are we battling the incessant attackers, but we are engulfed in the internal battle as well. It's no wonder that infosec professionals burn out and great, talented professionals are lost from this industry forever.
Now, that may seem like doom and gloom, a worst-case scenario, or just negative thinking. I want to let you know that there is a light at the end of the tunnel and there is a way to gird yourself to keep battling on.
First, as John Strand says above, you will fail doing the right thing, but that doesn't make you, or the infosec program you're trying to mature, a failure. You are doing your part. You are notifying the knights of the round table that there are threats to the kingdom at the gates (or already in your courtyard!). Part of your job is to be that sentry on the tower who yells down when a warning needs sounding.
Second, know that once you proclaim the warning, it's up to the powers that be to decide what to do with your urgent messages to prepare and take up arms. The leaders that run your organization are the decision-makers who determine its direction. If you've done your job, you've given them all the details of what could happen, the risks, the potential outcome, and how to mitigate it, and documented it all. Part of your role is to work within those decision parameters to continue to protect the crown jewels within your sphere of influence.
Third, using creative thinking, sometimes with other teams, we can come up with ideas that may seem like a compromise but in reality are steps towards the eventual ideal solution. It may not be the perfect armor that covers all body parts, but a breastplate and a shield may be what you have for now, hence the "better than nothing" we sometimes say. Sure, is it going to protect against all attacks? No. But the vitals are covered, withstanding the fatal blows that would surely bring a quick demise.
Fourth, information security is progressive. Not progressive in the reformist sense, but rather evolving and improving. As we know, there is no perfect security with digital systems except, of course, for ones that are completely disconnected from any access, which leaves an unusable asset (remember that Availability thing?). As I mentioned above, maybe that breastplate and shield will stave off attackers going after the heart, but we can add armor as we move forward to avoid injuries to other areas. If a wound to an appendage maims, we can recover and heal, adding armor in a piecemeal fashion to protect against future blows. Sure, it will hurt like hell and incapacitate for a time, but infosec spending does take a temporary jump right after serious breaches, from what we've seen time and time again.
And lastly, your sanity... even though we take our roles seriously, realize that the company doesn't hinge on you alone. It is a job: fight the good fight while in the ring, and look back at the successes of yesterday to fuel the fire of tomorrow. Remember why you are in this industry in the first place. Go back to that time in your mind and gather the thoughts that started it all. Think about how you asked questions, loved to break things apart, the thrill of discovery. Now, make it a goal to rekindle that passion somehow, whether it's talking to your manager about a side work project you want to do, doing an occasional CTF, working on a certification for the fun of it, or just hacking that Defcon badge you've been wanting to figure out. Just do it!
I'm not saying that these are the answers to the universe (it's 42, after all...). I do know that we're all here, trying to make a difference and generally doing the right thing...