Wednesday, May 23, 2012
Running from your Information Security Program
Running… I hate that shit. I just hate it. It is not because I can’t do it. It is not because I am too fat, or not strong enough or lazy. Mind you, I am no Adonis but I am fit for most of the tasks I must complete. So why do we run? Most of the time, it is so that we can breathe better, become stronger, have more endurance, and lose weight. We also run for an endorphin rush. Running IS pretty cool when I look at it that way. I get all these “health” benefits and get high at the same time. Not a bad way to spend time, but I still hate it. I think that I don’t like running because I have no real reason to do it. I don’t find myself having to get to the grocery store on foot or get to work faster while walking. I have never been a situation where I had to get away from an attacking human or animal. I have never had to run from cops, parents, authority or anyone/thing else. For the most part, running is only something that I would do if I decided to take it up as a hobby. ( Well, this one time I ran for about 10 miles in the middle of Tennessee farm land, but that’s a WHOLE different story)
Anyway, what’s the point of all this? I have been looking at my job over the last 15 years and all of the talks given, lessons learned, articles written, projects done and days gone by and they all have one thing in common. They are all some type of training. They aren’t sport and they sure as heck aren’t leisure so being categorized as training seems to fit the bill. With that in mind, I look back at running and think “Oh, running is training…. Isn’t it?” Of course! Everyone who is ‘’training” or “getting in shape” is going running. They relate it directly to how fit you are. If you can run faster and longer, you are commonly seen as “more fit” than someone else. But what does running train you for? Answer: to run. Crazy huh? Does it make you more fit overall…. Sure. If you are a UFC fighter, does it make you a better fighter? Well, there is a way to make the excuse that it does but only in a specific way. It is a cardio workout that helps you build endurance. That endurance gets translated into improved breathing and the ability to stave off lactic acid buildup as well as a few other things. But does it REALLY get you ready to roll with someone for 5 rounds? HELL NO! It sure helps, but the only thing that gets you ready to roll for 5 rounds… is ROLLING 5 ROUNDS! If you train to roll for 15 rounds, when it comes time to roll 5 you are gonna be the freshest person in the ring. I know all of you running fans are going to make excuses about why the benefits extend but the fact is, if you are training to fight….and you are running as your main source, all you will be is better at running away than the other person. This applies to other areas of life as well.
Have you ever heard people use the example of being chased by a bear? “If you are being chased by a bear, you don’t have to be faster than the bear you have to be faster than the person running with you.” Sounds good in theory and gets an acknowledging chuckle out of everyone you say it to but its BULLSHIT. How about this? “If you are running from a bear, you aren’t prepared.” Oh no! What do you say to that, me clever adage person? If I was in a situation where I thought I was going to be chased by bears on a regular basis, I sure as hell wouldn’t go running to get ready for my encounter. The fact is, a bear can outrun all of us. With that in mind, running is totally useless. So what DO you do? Well, I think that if I was in a place that had tons of bears that loved to chase and kill humans I would figure out a plan that WORKED. Did you know that there are people all over the world (the ones I have met are in Russia and some of the wildest cats I have EVER met) that HUNT bears. Not only do the hunt them, they go out into the woods with 1 thing, a big ass knife. Seriously! I met this dude victor when I was on a Risk Assessment. He was the head of the warehouse. He was fairly normal looking. He was bigger guy, maybe 6.2ft and 250 or so but he was not some monster. When I first met him, you could see it in his eyes, he was broken in a very special way. We were talking about some shipping processes in his office when I noticed this string of what looked like saber tooth tiger teeth. I don’t think I looked at him more than 2x for the first 30 min because I was staring at this string. Finally he says “You like my trophy necklace?” So we got on the topic of hunting. Some of the craziest stuff I had ever heard came next. He told me about growing up as a young man and the group of hunters he has went with for years. There is a specific name for the “sport” but I am on a flight and can’t look it up. Anyway, this group of guys hunts BEARS! I thought that was pretty hardcore because there are some huge Russian bears but he went a bit more into detail. He explained the ceremony they went through and how they rolled out into the forest, shirtless with a giant knife (can’t remember the name but it was a specific type) and that was the weapon of choice. They also had another tool. Over the generations of people who hunted this way, they found that the best way to attack the bear was not to surprise them and jump from the trees but to stand directly in front of it. As the bear stands up, they place a long stick with a u shaped end under its muzzle. Once the stick is in place, the bear isn’t able to bring its body down. Not only does the bear have to fight from a position of disadvantage, but its own weight is starting to crush them as well. This brilliant tactic leverages the knowledge of the situation, the landscape of the attack AND the strengths and weaknesses of the attacker. In a position that requires me to attack AND defend on a regular basis there is something that is so elegant in the methods simplicity. People planning to fight a bear would be likely to have a much more complex plan, but these folks have done it time and time again with a technique that just works. The more and more I imagined the act, the more I was amazed. I can’t even begin to imagine into the mental fortitude it must take to grab the knife, shed your clothes and trounce into the forest looking for a bear to kill. I wouldn’t even make it out of the house. But, what is there to be learned by this act of heroic bravery ( or insanity)?
Let’s apply this back to security. I feel like we spend a TON of time running as an industry. So many people are operating on the security principal of “We can’t be LAST but we can’t afford to be first” that the industry looks to be slowing down as a whole. Maybe it isn’t slowing down, but it feels like the gap is getting wider. I think this is shown over and over again with the growth of successful attack/loss we are having year over year. I am not trying to be all doom and gloom but it’s what I see when I take an honest look at the picture. It is no discredit to the hundreds of thousands of people working hard to fix it, but it is a comment on the overall vision (or lack thereof). If the method of outrunning the companies that were “slower” or “less secure” than us worked, why do so many massive organizations get owned every year? The fact is, there is more than one bear and there are way more than 1 other person running. When I look at it in that context, I have to think of it less like a footrace and more like a gladiator in the coliseum. The bears come from every direction, and its every person for themselves. Run or don’t, the bear is coming after you when IT wants to. You have no choice and the more you run will only make you weaker. (Makes me think of the Sniper joke “ Don’t try and run, you will just die tired”) So why do we continue to half ass the security programs to just be a little better than the next guy? It doesn’t matter. Your ability to defend as well as your competitors is irrelevant (unless your sales team is using it as a brand differentiator and then you are either pot committed to be a stone cold badass in security * or a liar*). What IS important is knowing how you will react when it happens. Preparation is the key to the game. If you are building the program to BE attacked, you will have some idea what you are in for. If you are building it to pass an audit and thwart the skills of the indigenous compliance auditor, you may want to put your head between your legs and pucker.
In reality, its a DR game. U prep with DR by doing testing and learning from where it does not go as planned in the test.... Same goes with security. Except, most of the people out there prep for getting hacked by filling out some silly form or running some scan. /me shakes head It just doesn't make any sense.
Ill write more about prep later…. Just wanted to post this up after watching the bear comments and program commentary of @securityninja @marcwickenden @wimremes @daveshackleford on twitter today.
Oh yea.... think this sums it up:
Posted by Nickerson at 4:37 PM