3 Paradigm Shifts That Can Improve Security in 2016
○ ○ ○
CSO/CISO Insight (2015 Year in Review)
MISCELLANEOUS WRITINGS | 2015 EDITION | VOLUME 81
○ ○ ○
Many affiliated with the Security industry are trying to have their cake and eat it too. Unable to see past their ideologies, everybody's an expert, and the definition of “everybody” is itself laughable.
Data theft, leaks and leakers (i.e., thieves) are glorified in the name of ideological anti-government positions that cast the NSA et al. as legitimate targets of hate and skepticism. Meanwhile Apple, which plays a hypocritical game of pretending to stand up to the U.S. government while pandering to a morally bankrupt regime and helping to feed ignorance, oppression and jingoism (a global security threat) in China, much as Edward Snowden does in, and from, Russia these days, is put on a pedestal.
Yet no one connects the dots. Many of these Apple fans lack the strategic, international perspective to appreciate that politics and geopolitics, which they hate and deem irrelevant to InfoSec, along with strategy and other non-technical factors, are inseparable from their binary idea of what Security or InfoSec is. They do not realize how abysmally naïve that position is.
And this status quo only generates more insecurity. Because they only talk to themselves.
You can't be the same person who has a problem with ISIS and yet thinks it's clown time when there's a data breach followed by a massive leak. Because guess what both threat actors have in common: instability and anarchy.
I have yet to see ONE so-called Information Security “guru”, hacker and/or “thought leader” make a very vocal and strong case against indiscriminate data leaks/dumps or serious vulnerability disclosures. ONE.
As I told a commenter (and subsequent Twitter follower) who rightly said “not sure Anonymous is a serious player in all this” after I tweeted this article on how the Anonymous “war on ISIS” actually interfered with law enforcement investigations: “I never assumed or said that”, I said. “But, MANY #Hackers and so-called “#Security Pros” aren't either. Because #Anarchy is NOT a #Solution.” Telling me “the cat's out of the bag” and that nothing can be done about the bad guys using Crypto is not a solution. Choosing to neglect news sources or InfoSec voices, solutions or ideas at odds with your political beliefs doesn't make you a pragmatic, strategically oriented InfoSec practitioner.
When you're a “serious player” in InfoSec, you consistently and verifiably are, and MUST remain, linked to solutions. Here, Jenny Radcliffe's wish, courtesy of Tripwire, Inc., resonates:
“If I had one wish for the infosec community this holiday season, it would be that we get back to basics and remember who and what we are working to protect. It’s very easy to be distracted in the infosec industry and forget what is important, so less words and more actions going forward are necessary to step up to the task in hand. We provide a service, and people have no choice but to trust in us much of the time. I think it’s important we don’t forget that as a community and work hard to justify that trust.”
Whatever the NSA or your political party or leader of choice did or does to irk you, the destabilizing effect on people who HAVE a life, work and responsibilities to fulfill when 0-days, exploits and other know-how are leaked or dumped as the result of someone committing a felony or other cybercrime or misdemeanor is no laughing matter.
Unless you're grossly ethically challenged.
Yet we've created a norm where Galen Marsh is guilty of illegally accessing and conspiring to misappropriate data. But Edward Snowden, despite committing worse crimes under the same law and sheltered by a President known for persistently undermining the U.S., is a “hero”.
So much of a hero, in fact, that even CNN's Laurie Segall throws him into the mix as her report glorifies Moxie Marlinspike for his mystique and contributions to Crypto.
There's nothing wrong with WhatsApp, or with being big on privacy.
The problem begins when programmers, InfoSec practitioners and podcasters arrogantly begin to believe they are experienced, world-renowned strategists, National Security experts, Foreign Policy experts and Global Security experts.
Frank Herbert, in Heretics of Dune, couldn't have said it better: “Humans live best when each has his place, when each knows where he belongs in the scheme of things.” And if you think this is a nod to China, you haven't seen the key, highly controversial articles by the author, old, recent or unvarnished.
Singapore's Founding Father Lee Kuan Yew rightly, I believe, assessed: “China can draw on a talent pool of 1.3 billion people, but the United States can draw on a talent pool of 7 billion and recombine them in a diverse culture that enhances creativity in a way that ethnic Han nationalism cannot.” Because guess what: in a more GENUINELY diverse (security-minded) culture, people who didn't grow up playing video games or being well-connected, and therefore had to hustle, DO HAVE a problem with some (grown-up) script kiddie's hacking exploits disrupting their day.
On the other hand, the one problem with Lee Kuan Yew's insight was, and remains, its disconnect from the reality on the ground. And here, Tony Martin's thoughts, courtesy of Tripwire, Inc., resonate:
“In 2016, my one wish would be a recognition that good security people come from a variety of backgrounds and fields, [including] economics, business, sociology and risk management. If we expand our idea of what it means to be 'in security,' embrace new ideas and different types of people, we will be able to face new challenges head-on.”
Unfortunately, for an industry that lacks diversity and, when it does talk about diversity, whines that only 10% of InfoSec pros are women, we have a long way to go before we are capable of addressing the bigger issue of complete diversity.
We have an industry that has a rogue employee problem. An industry dominated (yeah, I said it, because my head is buried not in sand but in data and hard facts) by #WhitePrivilege. An industry that lacks the ability to see Data Breaches from a different angle and that actually, unbeknownst to itself, OKs the mischief that is likely to worsen in 2016.
So-called Security gurus, pros, journalists and podcasters, with all the media attention and power to positively shape opinion, are more ideologically concerned with staying on some hacktivist/Snowden/Anti-NSA/Anti-U.S. Government bandwagon, obsessed with “the government is trying to take my freedom away” or with “encryption”. And while we're busy wasting time and undermining each other in useless debates, the more pragmatic Mainland Chinese are eating our lunch one APT at a time, the same way ISIS and the deadlier Boko Haram are mastering the art of evading counterterrorism through Crypto and whatever else Snowden foolishly divulged, not to a consortium of responsible, conscientious hackers, but to every Tom, Mary and Al Qaeda.
Why are we OK with teaching, by failing to strongly denounce their narcissistic public shaming, urges and antics, that miscreants and psychopaths who hack patients, Hello Kitty, VTech, children's data or even Hacking Team are right to NEXT dump the data online indiscriminately, no matter how many lives and livelihoods this destroys? And here, Ashley Madison is no different.
After all we've normalized such acts, haven't we?
We didn't attempt to change the status quo in 2015, did we?
Cheryl Biswas, again courtesy of Tripwire, Inc., shares my wish:
“My wish for all of us...to draw a bigger circle around our orbit. So that we can bring in more people who can share our passion and calling to be here. Be with diverse backgrounds and unconventional experience. [To] help grow our strengths where we don't yet reach.”
It is not enough to pay lip service to the fact that Security is multifaceted, nebulous and complex. The foundation of great Tech Support is mastering the art of diagnosis.
The problem begins with wrong diagnoses across the board: an approach to Security based on counterproductive assumptions (addressed above) that ONLY truly diverse InfoSec teams across industries would flag, and refuse to normalize. One of those assumptions is the cultural one about what is or isn't “normal”. As in, ethical.
Albert Einstein said: “When I have one week to solve a seemingly impossible problem, I spend six days defining the problem. Then the solution becomes obvious.”
Yet guess who's doing all the diagnoses: an echo chamber of ideologically driven, often homogeneous cliques across industries and media. An echo chamber with a false sense of what constitutes Security.
And while mainstream media and journalists can rightly be accused of often frightening audiences and sensationalizing security incidents, podcasters are among the worst offenders, with circular reasoning that is in fact no different from that of the Security layman who can't wrap their head around my, and many pros', Security Rule ①.
Immersion may not be your thing. Perhaps looking down on Tech Support is? But guess what, there is a way to be a true InfoSec & Security leader/problem solver. And if you're not sure, may I exhort you — in case Einstein didn't inspire you enough — to see how The Dog Whisperer does Advanced Problem Solving. Because what happens when everybody wrongly believes they're an expert?
Below: The powerful unscripted answer from my 2013 blog False Sense of Security: Illustrated