Tuesday, April 19, 2011

We are at War (part1)

*So... I am sitting here at Infosec World and listening to the crowds chatter... I am preparing my talk for Thursday and decided this would be a great time to ignore responsibility and puke out what was on my mind... here ya go*

In a time where times are tight, oil/gas is on the $ rise and we are in more wars than we have ever been in at one single point in time... what could we do to help ease our pain? OOOHHH I got it! MORE WAR! Yeah! That's the ticket.

Cyber War? hahah YES. In my use of that term here (which I hate) the war is with ourselves. It is not against the "hackers" or the "Country that is attacking us" or even with the generic bad guy we all have been protecting ourselves against all these years. The war we are in is against logic. It is against reason. It is against the "rules and guidelines and best practices" that we made up. This war has a doctrine called "Compliance" and it is forcing the most impressive civil war that I have ever seen. We spend our time reading the sheets, identifying all of the "stuff" we need to do and buy... then we ready the troops. We sit them on our enterprise front lines and tell them to hold fast because the enemy is on the horizon.

On the other side, armed with a mass of paperwork and generic process, dressed in $300 suits and straight out of college... the enemy amasses. The 2 forces peer down the perimeter and sweat the first shot to be fired.


The Standards committee waves the battle flag stained in corporate checkbook ink and the tears of business owners worldwide while the charge ensues. Rocketing down the battlefield with the latest terminology, the Archangel of FUD triumphantly echoes behind them. It cries out "We are here to help you! Don't resist. We will keep you safe from the bad guys that are coming! Join us and become part of the standards that will save your business from the fines of your compliance gods!"

The corporate soldiers tremble in fear, knowing that the only option they have left is a life of compliance-based indentured servitude or... even worse..... they face an attack... SO GREAT... SO POWERFUL... SO ENCOMPASSING... that it will crush them like an eggshell. The CxOs and managers brace the lines for impact, letting them know that if they "pass" the initial attack.... they won't have to fight for another year. They will reap the spoils and the pride of victory and they will eternally live in the light/favor of the compliance gods. Teeth gritted, eyes squinted and fingers ready... they slam together for the first real fight they have ever been in. They revert to survival mode. Lie, cheat, steal, kick, scratch, punch, gouge and even RUN.... they fight to survive. They endure more pain and instantaneous financial loss than they ever have in the history of their company.

Mopping their tears and bandaging their wounds with the pounds of paper delivered in the report, they rejoice. They have survived the battle, but the war is far from over. Their reward: a small lull in externally forced work, and they are allowed to go back to their day job... working 60-hour days turning the cogs of the infrastructure and protecting the reliability of the company's paychecks.

So, what did they gain from this epic contest? A little stamp to let them know that the attack will occur again. Same time, same place, same channel.

But wait, there's more....

The executives get a special perk. The sales team on the opposing side promised them the spoils and they delivered. They get a report, a shield of honor and security; they become a shining beacon of light in an industry of companies that are non-compliant and getting hacked on a regular basis.

But wait... there's more...

The biggest benefit of all: the safety blanket provided by the reams of paper trucked in at the end of the battle has given them the most powerful gift of all time.


They won't go to jail for negligence. The industry won't mock them IF they get hacked... because THEY were compliant... THEY survived the war... THEY WERE PROVEN SECURE by

THAT FIRM -> as they swiftly point to their auditor post-breach.

It's their fault.

Wait... it's not? WELL THEN...


It's "Tim or Sally's fault!" YEAH!!!! Those terrible employees who forgot to install the patch... or clicked the email that allowed our technology to be leaked all over the planet and invalidated security for millions of users worldwide.... BASTARDS.... THEY DID THIS TO US....

*good thing we can fire them to revitalize our stock prices and get back to where we were* Whew.

But what about the real attacker? Lurking in the shadows. A guerrilla warfare expert that does not hold the line of a charge. An adversary that does not announce themselves with a fanfare of clanging calculators and a blinding array of merit-badge-adorned bright red coats? What about them?

All that compliance, all that strife, all that training we did to get READY for their attack will surely help us... won't it? We did that because they told us the bad guys were coming... that they were attacking businesses all around us... that they were pillaging the weak and laying waste to the "insecure."

What will we do when their evil eye turns to us? Will we be ready? Will we fight with bravery and honor..... or will we perish as so many others have in the past..... or .... have they already won?

We all know or are getting to know how to fight an auditor. Compliance is TRAINING us to fight an auditor. Frankly, we are getting good at it.

We are at war people, and we are paying the very attackers that keep us up all night with worry.. because without that badge they provide.... we don't have any idea what will happen.

So saddle up the troops for the yearly audit and get ready for the lines to crash again, because by god(s) we inflict this pain because WE LOVE YOU. WE CARE...

While the sweat sheds and the tickmark legends are frantically checked... the real threat lies in wait. Reading the reports and laughing... analyzing the compliance regulations like an opposing team would analyze the other team's "defense playbook" and waiting for the opportune time to launch an attack. They may be small, but the element of intelligent surprise is so powerful it will allow a small group to fight their wealthy adversary and take over a city, a state, a colony, and even the world.

Knowing that, where do we go from here?


  1. Where do we go from here?
    Learn an honest job, some form of manual labor that encompasses technical tinkering and dirty hands where the cheap suits will not now nor ever feel comfy. Some people used to call this a hobby.
    And no, I am not being sarcastic, I do it too, just to stay sane.

  2. Do external compliance requirements prepare us only to defend against audits?

    Does reporting our level(s) of compliance further expose us to better targeted attacks?

    I can't weigh judgment on whether your arguments are valid or not, but even if you prove wrong on this, and we have to hope that you do, these are critical questions to have at the forefront of our dialogues.

    Thank you for this post; I'm looking forward to part 2 (and 3?).

    @~ the Hun