Your Infosec Job is not a Movie

Your Infosec Job is not a Movie

Stefan Friedli
by Stefan Friedli
time to read: 10 minutes

It has been a while since my last post. Hence, there are a lot of things I could or would like to talk about and the choice what would actually be the topic of today’s article, was a surprisingly tough one.

Since my colleagues at scip AG have done a splendid job with technical posts recently, I decided to address something that I wanted to talk about for … well, years. The significance of what I’m going to talking about hit me hard recently, as I have seen a lot of fresh, young people getting into infosec lately.

It is plain and simple: You are not in a freaking movie. I have spent the last decade in this industry. I do not claim to have it all figured out, but let me explain. Information Security, especially when it comes to offensive security services such as penetration testing, but in general has a tendency to be highly romanticized in people’s heads. Images are being constructed based on a mashup of mainstream press coverage and common entertainment tropes, commonly used in all sorts of fiction including novels, tv series and movies.

If you are a writer for anything, tropes are an amazing utility. They are devices you can rely on as being present in your audience mind. They match their expectations and make something sound reasonable, no matter if the transported information actually is.

A very good example to make this point is a trope called Kick the Dog. Essentially, the writer will let a character act casually cruel/evil to signal to the audience that it is okay to dislike this character. He will let him steal a beggar’s money from his cup, misuse his authority to make someone’s life miserable or, hence the name, kick a helpless dog. By doing so, we establish the expectations that this person, who is mean to other people/animals, is for sure a villain.

Another popular trope is probably the first rule of Hollywood: Everything is better with explosions. How many cars did blow up on your commute to work this morning? If your answer is more than zero, I hope you are well and would like to congratulate you on your exciting lifestyle. If it is, as for myself, zero: Well, you’re here with the rest of us. Why is everything exploding in Hollywood movies? Because people like explosions.

Which brings us to a critical point, before we move on: Tropes not Clichés. And they are not bad. There is nothing new under the sun is a popular saying and it is certainly true when it comes to telling stories. Tropes offer proven, easily-accessible devices to craft stories that make sense in the audience’s head. If I asked you to write down a story in the next 10 minutes, you would most likely use those devices without even knowing them.

It is my personal belief, that tropes are not exclusive to fiction. In fact, I believe that the assumptions and emotional connections that enable these constructs to work are essential to the way we collaborate and communicate in our daily lives. And I believe that information security is no exception.

For most people, infosec is about defense. It revolves around managing risks and keeping a business safe from threats. Now, what and/or who is threatening a particular business? This is where threat modelling comes in. When you are doing threat modelling with a company, you will always encounter certain patterns of assumptions that are comparable to the tropes I mentioned above. A company will almost always consider their competitors as a risk. Most likely, they will also include script kiddies at some point in their threat model, even though they will assign little danger and priority to them. And nation states, because of APT. Now, all these things make sense when you hear them, but they are not necessarily true:

These are a couple of examples within threat modelling that I frequently encounter. And I want to make this absolutely clear: There is nothing inherently wrong with planning for unlikely threats, as long as the real, imminent threats stay on top of the priority list.

A friend of mine from the Netherlands has made it a point to be prepared for a zombie apocalypse. He does not really expect a zombie apocalypse (I think…), but he felt like it’s a nice thought experiment to figure out appropriate measures to keep himself and his family safe if things should go south, with or without zombies. With a lot of his measures he covers other, unrelated but real risks. He uses zombies as a vividly imagined adversary in an imaginative dire situation. Preparing to deal with such unlikely scenarios is perfectly fine, as long as you are aware of their unlikelihood and strive to make mitigation actions as general and globally useful as possible.

Leaving threat modelling for a second, there is another great area in which we can see how tropes are being formed primarily by the infosec industry itself over the past years: Take any possible off-the-shelf product offered at RSA or another big infosec trade show and compare the real use of this product to its implied usage.

Unlike the threat examples above, I do actually think that this mentality causes actual problems that lead to actual losses. Vendors imply with great vigor, that their products will add security. With that kind of message being thrown at CISOs over and over again over a long period of time, security becomes a game of points. You start at zero. You add a firewall: 10 points. You add AV on all systems: 50 points. You buy another couple of products: 200 points. You get breached anyway: Game over, start at 0.

Security is not a game of points. It’s a game of scenarios, anticipation and clear judgment. And throwing products (and therefore money) at a problem will usually not solve it. All of these examples should show one very simple thing: Don’t assume. Ask questions. Ask them to yourself first, then ask them to others. Ask your peers, ask your partners. Don’t take answers for granted, not even your own. Try to separate fact from speculation, knowledge from assumption.

We deal with individual problems and threats in our individual, unique environment. Using common knowledge and seeking advice from people in similar environments makes sense. But after all is said and done, the decision to put all this information in perspective is left to each of us alone.

And while Hollywood can easily wow its audience with simple tropes Everything is better with Zombies/Motorcycles/Bagpipes, our industry needs to stick to the basics: Everything is better with reason.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

Links

You want to test the security of your firewall?

Our experts will get in contact with you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here