Your Infosec Job is not a Movie

by Stefan Friedli
time to read: 10 minutes

It has been a while since my last post. Hence, there are a lot of things I could or would like to talk about, and choosing what would actually be the topic of today’s article was surprisingly tough.

Since my colleagues at scip AG have done a splendid job with technical posts recently, I decided to address something that I have wanted to talk about for … well, years. The significance of what I’m going to talk about hit me hard recently, as I have seen a lot of fresh, young people getting into infosec lately.

It is plain and simple: You are not in a freaking movie. I have spent the last decade in this industry. I do not claim to have it all figured out, but let me explain. Information security in general, and offensive security services such as penetration testing in particular, has a tendency to be highly romanticized in people’s heads. Images are constructed from a mashup of mainstream press coverage and common entertainment tropes, the kind used in all sorts of fiction including novels, TV series and movies.

If you are a writer of anything, tropes are an amazing utility. They are devices you can rely on as being present in your audience’s mind. They match the audience’s expectations and make something sound reasonable, no matter whether the information being conveyed actually is.

A very good example to make this point is a trope called Kick the Dog. Essentially, the writer lets a character act casually cruel or evil to signal to the audience that it is okay to dislike this character. He lets him steal a beggar’s money from his cup, misuse his authority to make someone’s life miserable or, hence the name, kick a helpless dog. By doing so, the writer establishes the expectation that this person, who is mean to other people or animals, is for sure a villain.

Another popular trope is probably the first rule of Hollywood: Everything is better with explosions. How many cars blew up on your commute to work this morning? If your answer is more than zero, I hope you are well and would like to congratulate you on your exciting lifestyle. If it is, as in my case, zero: Well, you’re here with the rest of us. Why is everything exploding in Hollywood movies? Because people like explosions.

Which brings us to a critical point before we move on: Tropes are not clichés. And they are not bad. “There is nothing new under the sun” is a popular saying, and it is certainly true when it comes to telling stories. Tropes offer proven, easily accessible devices to craft stories that make sense in the audience’s head. If I asked you to write down a story in the next 10 minutes, you would most likely use those devices without even knowing them.

It is my personal belief that tropes are not exclusive to fiction. In fact, I believe that the assumptions and emotional connections that enable these constructs to work are essential to the way we collaborate and communicate in our daily lives. And I believe that information security is no exception.

For most people, infosec is about defense. It revolves around managing risks and keeping a business safe from threats. Now, what and/or who is threatening a particular business? This is where threat modelling comes in. When you are doing threat modelling with a company, you will always encounter certain patterns of assumptions that are comparable to the tropes I mentioned above. A company will almost always consider its competitors a risk. Most likely, it will also include script kiddies at some point in its threat model, even though it will assign little danger and priority to them. And nation states, because of APT. Now, all these things make sense when you hear them, but they are not necessarily true:

These are a couple of examples within threat modelling that I frequently encounter. And I want to make this absolutely clear: There is nothing inherently wrong with planning for unlikely threats, as long as the real, imminent threats stay on top of the priority list.

A friend of mine from the Netherlands has made it a point to be prepared for a zombie apocalypse. He does not really expect a zombie apocalypse (I think…), but he felt it was a nice thought experiment to figure out appropriate measures to keep himself and his family safe should things go south, with or without zombies. Many of his measures cover other, unrelated but real risks. He uses zombies as a vividly imagined adversary in an imagined dire situation. Preparing to deal with such unlikely scenarios is perfectly fine, as long as you are aware of their unlikelihood and strive to make your mitigations as general and broadly useful as possible.

Leaving threat modelling for a second, there is another area in which we can see how tropes have been formed, primarily by the infosec industry itself, over the past years: Take any off-the-shelf product offered at RSA or another big infosec trade show and compare the real use of this product to its implied usage.

Unlike the threat examples above, I do think that this mentality causes actual problems that lead to actual losses. Vendors imply with great vigor that their products will add security. With that kind of message being thrown at CISOs over and over again over a long period of time, security becomes a game of points. You start at zero. You add a firewall: 10 points. You add AV on all systems: 50 points. You buy another couple of products: 200 points. You get breached anyway: Game over, start at 0.

Security is not a game of points. It’s a game of scenarios, anticipation and clear judgment. And throwing products (and therefore money) at a problem will usually not solve it. All of these examples should show one very simple thing: Don’t assume. Ask questions. Ask them of yourself first, then ask them of others. Ask your peers, ask your partners. Don’t take answers for granted, not even your own. Try to separate fact from speculation, knowledge from assumption.

We deal with individual problems and threats in our individual, unique environment. Using common knowledge and seeking advice from people in similar environments makes sense. But after all is said and done, the decision to put all this information in perspective is left to each of us alone.

And while Hollywood can easily wow its audience with simple tropes (“Everything is better with Zombies/Motorcycles/Bagpipes”), our industry needs to stick to the basics: Everything is better with reason.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face in the infosec community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) and a board member of the Swiss DEFCON group chapters, he continues to push the community and the industry forward.
