Monday, December 27, 2010

Security Douchanomics


Hopefully this decade will be the last of prevalent Security Douchanomics.  What do mean by Security Douchanomics?  It is the shortcutting of the hard work of security economics (analysis of data, discussion, trade-offs) and instead using the infosec bully pulpit to cram a simplistic reason down everyone's throat to ensure compliance.  While this strategy can work in the short-term, it is we in the infosec industry who must suffer the long-term degradation of authority and respect because this doucherie.  Worse, Security Douchanomics can foster adversarial relationships between security teams and the rest of the business.  The pronouncements seem inflated or unrealistic, the business pushes back, and everybody loses.

Some, like hyper-FUDding to sell security (koff, koff, APT)  is one glaring example of Security Douchanomics.  But there are more subtle, more institutionalized, more palatable douchtastic examples out there. 

Specific examples:

   1. Flatly denying that some new technology as insecure without discussing nuances, trade-offs, or specific risks. (Cloud has been popular for this)

   2. Flatly declaring a technology as obsolete and insecure because it is old without discussing nuances trade-offs, or specific risks. (Windows XP has been popular for this)

   3. Flatly declaring ANY technology as "secure" or" insecure" without discussing nuances, trade-offs, or specific risks (or what "secure" means in the particular context)

   4. Arbitrarily high-risk ratings for nearly any vulnerability or audit exception found.  Sometimes I think this done to make the assessors look good (see how badass I am that I found this super-s3kr1t 0-day hole that can pwnzr you?)   Of course, this makes the defenders look bad and then they usually push back leading to adversarial cycle of pain that is common to Security Douchanomics.

   5. Blindly enforcing best practices as if these one-size fits-all (and in many instances, cargo cult processes) are the answer to the entire world's security ills, regardless of cost or prove effectiveness,

   6. Using misleading/confusing graphics or statistics to convey risk metrics to a non-technical audience.  My favorite is the vulnerability scan that shows huge bar graphs with counts of "low" vulnerabilities, which usually are things like "server is listening on port 80" and "Scanner has identified site running Apache."  But bigger is worser, right? (see #4)

   7. Specious security reasoning.  My favorite: "If a person has financial problems, they would be very motivated to steal from the company, so we can't hire anyone with bad credit checks."  Uh huh, so can we please talk about implementing least privilege then?
I'm sure there are plenty I'm missing. These are just what came to my mind this morning. Feel free to add your own or comment on mine.

I'd like to think that most of the time that Security Douchanomics comes from ignorance or laziness rather than intentional misdirection.  And for most of this decade, Security Douchanomics have been as effective as anything else (that is to say, pretty ineffective but it was the only tool many people had).  But for whatever the causes, the end result is the same.  And to those security practitioners who fall victim to Security Douchanomics instead of doing your homework: you need to set up your game and do better.  We as an industry deserve better.

4 comments:

304geek said...

8. Security product vendors with "the last solution that you will ever need". One size fits all :-).

And statistics (see #6) to prove it.

weaselchicken said...

Hmm, how about incredibly convoluted security ROI calculations?

When was the last time someone used ROI to justify using Generally Accepted Accounting Principles? I suppose if asked, I could produce an ROI for using GAAP that compares it to the cost of dealing with an IRS audit or SEC sanctions - but nobody asks me to.

Managment should hire good infosec people to explain actual risk to you in terms they can understand, then act if the explained risk is higher (or lower) than they would like. Asking the security team to prove a ROI for mitigating risk is clearly douchanomics.

Anonymous said...

"Hmm, how about incredibly convoluted security ROI calculations? "

Hmm, how about incredibly SIMPLE security ROI calculations?


These are usually even more douche-like

Anonymous said...

What about the management douches who live by "its always been that way" and refuse to take serious threats seriously. (and no, not level 1 findings from vulnerability scans).