A Treatise on FUD

How well do you think you know FUD?  Anton knows FUD.  He's sliced, diced and presented the head of FUD on a plate so we can examine it from a different angle.  If you're a FUD hater who believes you never use FUD to "get things done", this post is especially for you :-).  Thanks Anton - great post!

By Dr. Anton Chuvakin

FUD, the Fear/Uncertainty/Doubt triad, seems better known than the other security triad, C-I-A.  It seems inextricably linked with the security industry as well as with security technologies. After all, don’t we reach for some extra safety and security if we fear something, feel uncertain about something or doubt something?

While few CSOs and security leaders admit that they build their security programs on FUD, below we will hypothesize that FUD is indeed a meta-level above risks, threats and vulnerabilities, as well as above compliance mandates. FUD’s role in security today probably overshadows the role of any other factor we know.  To put more substance into our discussion, here are some well-known examples of where fear, uncertainty and doubt manifest themselves:

  • Fear
    • Getting compromised by attackers
    • Failing an audit
    • Suffering big loss
    • All of the above: Failing an audit + getting hacked + being dragged into a media circus
  • Uncertainty
    • Keeping a security leadership job
    • “Keeping the wheels on” for the security infrastructure
    • In case of an incident, the loss amount is uncertain
    • Threats and their impact
  • Doubt
    • Security mission success
    • Effectiveness of security measures
    • Support of senior management

Further, many people view using FUD to drive security spending and security technology deployments as the very opposite of sensible risk management. However, FUD is risk management at its best: the FUD approach is simply risk management where risks are unknown and unproven but seem large at first glance, information is scarce, decisions are uncertain and stakes are high. In other words, just like any other risk management approach today! Big Hairy Ass Risks (BHARs) dominate both FUD-infested security vendor materials and internal CSO presentations. Note that very few of the BHARs are truly imminent, and those that are fall out of the FUD realm, since there is no uncertainty about them - just as few people develop phobias of poisonous snakes (which would be a very useful phobia to have).

In light of this, we have to accept that there are benefits of FUD – as well as risks.

The benefits of FUD stem from the above view of security, which is defined as “being free from danger” or “measures taken as a precaution” against something bad.

First, in the world we live in, FUD works! Demonstration of a BHAR followed by a technology purchase or control implementation does reduce possible loss, not only due to said BHAR but also due to other threats (even if the BHAR ends up being completely mythical). Such implementations often also deliver other useful things for the organization. It is worth remembering that “FUD selling” applies to CISOs no less than to “enterprise software” salespeople. It also applies to “fear of auditors” as well as “fear of attackers” – both drive security adoption, even if lately the former seems to be winning.

Second, keep in mind that many of the BHARs are both genuinely scary and, in fact, likely. Scaring a company into updating its anti-malware tools (despite all the concerns about their relative effectiveness) or into deploying tools to collect and analyze logs is excusable, at the very least.

Third, many proclaim that people should be naturally drawn towards doing "the right thing" after being educated about what the right thing might be, and that scaring people into action is not that efficient. The technical answer to such a concern is a resounding “Ha-har-ha!!!”

Finally, for years FUD has been used to sell insurance, safety features in cars and other products, and legal services, to make people update their boring DR and BC plans, and to drive other good things. Fear might not be a very positive emotion to experience, but acting out of fear has led to things that are an overall positive, all the way to resolving political tensions out of fear of a nuclear war…

Admittedly, the Fear/Uncertainty/Doubt approach has issues as well. The key issue with FUD is its “blunt weapon” nature. It is a sledgehammer, not a sword! If you use FUD to “power through” issues, you might end up purchasing or deploying things that you need and things that you don’t.

Second, it is well known that the magic of FUD wanes if you invoke it too often. If you scare your customers or your management into taking your product or your security agenda seriously, they are almost guaranteed to stop listening to you at some point. However, if enough BHARs manifest, the FUD approach will continue to be fairly productive. One can get desensitized upon hearing that "the sky is falling" too often, but here is the thing: I am willing to take the risk of such "desensitization" given that the sky is indeed "not quite stable."

Third, FUD power – like any other power – corrupts whoever wields it too often. If you end up scaring people into action or spreading uncertainty, you might well lose the ability to win security arguments any other way. Also, if fear is the motivation for every decision you make, checking into a mental institution is not a bad idea. You might actually be paranoid!

Finally, I’d like to bring up the good old “greed vs fear” model for advancing security, last mentioned at BlackHat by one of the speakers. As “greed-based” ROI scams fail to move security ahead, the role of fear has nowhere to go but up. In other words, all of us get to pick our favorite three-letter abbreviation – and I’d take honest FUD over insidious ROI any day…

To conclude, fighting FUD is a noble pursuit; Don Quixote thought the same about fighting windmills. Even if objective metrics ever replace FUD as the key driver for security, we have a bit of time to prepare now. After all, in that remote future age, interstellar travel, human cloning, teleportation and artificial intelligence will make the life of a security practitioner that much more complicated…

Testing the Vendor Guarantees. Guaranteed Security... Just Show Us the Money!

Every now and then, a vendor makes a claim about their products or services that actually gets tested.  Not by a lab with a "representative" environment, but by blackhats in a production environment.  Read on for just such a case...  My thanks to Drazen for delivering a fudsec sledgehammer :).

By Drazen Drazic

I’ve been waiting a while for a higher profile test case and it’s finally arrived.  

Integral Energy, one of Australia’s largest energy corporations, has been in a spot of bother in recent times, as reported here: 

http://www.smh.com.au/technology/security/sinister-integral-energy-virus-outbreak-a-threat-to-power-grid-20091001-gdrx.html 

If all reports are correct, the critical infrastructure organisation’s networks “are protected by a Symantec security solution”.  

Now, going by my last correspondence with Symantec here, they guaranteed me that their product would provide “…..proactive protection against unknown and zero day threats”.  

Being slightly dubious of these claims, I asked for confirmation of them and was told by the Symantec representative: “I can confirm this statement is correct”.  

Now, wanting to double- and triple-check that they stood by their claim (being the cynic that I am), I asked again, and they re-stated the claim, albeit slightly modified the next time, but with the end message the same: “This is one of the value statements of our product which we standby but I cannot personally guarantee that anything will not happen. If you configure and install the product correctly, then we will stand by this statement”.  

Now Integral Energy may have a claim here. But I wonder if Symantec can argue the case that they only provide “…..proactive protection against unknown and zero day threats” and that, this being an old piece of badware, all guarantees are null and void ;-).

Do the Evolution...

Joshua Corman is the invited guest this week on fudsec.com.  This post goes pretty deep to the core, so for maximum benefit I recommend reading it at least twice :-).  I know Josh is looking for feedback/comment on this post, so let us know your thoughts by leaving a comment.  Without further ado... thanks Josh!

By Joshua Corman [twitter]

Change is constant - and security professionals are change averse. To become partners to the business, we must have the courage to embrace and enable change. If we don't, we continue to fight the last war and remain an obstacle to the business.

“The path of the security professional is beset on all sides by constant and turbulent change.” We find ourselves in a time of unprecedented change. The image below is currently the “one slide” I use when I talk about information security.

[Image: the "Do the Evolution" slide]

Cost, Complexity, and Risk have grown to unprecedented, unacceptable, unsustainable levels. Why? Well, in part, the sum total is being fueled by turbulent and accelerating rates of change across these five fronts:

1) Evolving Threat: The adversaries have shifted from Prestige, to Profit, Politics, and Prestige – and jumped from 1st gear to 5th gear – showing no signs of slowing.

2) Evolving Compliance: Compliance has eclipsed Threat as the primary driver of Security. Why? As a CIO so eloquently stated, “Josh, I might get hacked, but I will get fined.” Vendors follow the money - and the money is in compliance… Is anyone even trying to solve for our threat needs anymore?

3) Evolving Technology: Innovations like x86 virtualization, cloud computing, iPhones in the workplace, and social media barrage us at every turn. Each beneficial advance requires tremendous effort to assure we can reap the benefits while preserving acceptable risk.

4) Evolving Economics: The global economic meltdown has slashed headcounts and cut budgets to the bone – further challenging our ability to address these sources of risk.

5) Evolving Business Needs: The changes that should affect the risk of a business are the ones that the CEO, Board of Directors, and their industries demand. Businesses are seeking ways to better collaborate with their clients and partners. They want to enter new markets or become more agile. Will security be the reason they can take these valuable risks? Or will security be the reason they cannot?

Evolving Security Professionals: What about our profession?

What is blatantly obvious to me is that “Evolution” is the headline.

What is also obvious to me is, the only thing not evolving is the good guys.

Where is our evolution?

Our population tends to be pretty risk averse. We tend to hate change. Change == Risk, right? Given that we are beset on all sides by constant and turbulent change, what does this mean for our roles?

For years we’ve been the person saying “No” to change. Can you now shift to become the agent of change? Instead of lying down on the tracks in front of the moving train, can you be the reason your company safely and selectively embraces the Cloud and its benefits to the business?

I see no signs that change is slowing. In fact, the signs are that change is accelerating. I’m pretty sure many of us will not make the required changes.

Many of you won’t want the job as our roles continue to morph – half of you are already unhappy. Those who continue to be at odds with the business may be asked to leave. For those who are capable of evolving, what are you waiting for?

We cannot continue to take backwards looking, static approaches to an ever changing, dynamic problem space. It is a fundamental mismatch. It clearly isn’t working now – and is only going to get worse. And no, static PCI rules are not going to save you. When the next major breach was *also* PCI compliant, should we be surprised? Would Einstein find you insane?

To date, there has been a stunning lack of evolution on our part. Change happens. Those who adapt, thrive. Those who fail to adapt… perish. Natural selection may help to thin the herd. Are you fit? Or unfit? Would Darwin be proud?

Most of my work over the last few years has been to challenge conventional wisdom. We need to get to the marrow of the things that prevent us from being more agile and aligned with what matters most. We need to get past reacting to the last war and start strategizing for the next one. We started Information Security with signature AV and firewalls. Can you name *one* security control we’ve retired? Are we keeping pace?

The best of us love a challenge and thrive on this kind of change. There is a lot of latent talent in this industry. Now is the time to turn that potential into kinetic energy. Or we could continue to whine about PCI ruining risk management…

Improvise! Adapt! Overcome!

Learn to play Chess – you have incredibly talented and strategic adversaries.

Study USAF Colonel John Boyd’s brilliant OODA Loop. Observe, Orient, Decide, Act [repeat].

If you are feeling a lack of purpose, read LTC Dave Grossman’s On Sheep, Wolves, and Sheepdogs. Where are our Cyber-Sheepdogs?

My good friend Eric Hanselman once said, “We need the courage to sacrifice the past on the altar of change”.

Do you have that courage?

Separating the Men from the Boys

Do you hire security consultants?  Perhaps you are one...  Wim from Belgium is this week's guest and fires torpedoes into what some consultants today consider 'established practice'.  As with many things in life, just because everyone else is doing it doesn't mean you have to follow.  It all comes down to how you define value: value for your customer, or some deluded sense of self-value hinged on the "latest and greatest" vendor.

By Wim Remes

I enjoyed reading Balazs' post a few weeks ago, and what he was telling us was nothing but the truth.  I would like to expand on the subject and maybe wake up a few more dogs while rattling the cage.  That's what we are here for.

Sure, we see customers every week coming to us because they have a particular problem and they think they need a point solution for it.  Do you see what the key word is there?  Right, it is "think".  They call us to advise them on their choice.  Now, consulting has changed a lot in the past years.  Where we actually built solutions from the ground up about a decade ago, we are now led by marketers and companies with big budgets that have built an ecosystem around themselves of silver, gold and platinum partners, who are rewarded when they sell those specific solutions, wait, I mean products.  In the process, they have actually dumbed down the consultants who were once bright and inventive people by feeding them product-specific certifications.  Nowadays, you rarely find a "perimeter" specialist. You will find tons of $vendorname certified engineers though. 

You, as a customer, can act against this trend. How? 

By stating your problem clearly, followed by a deafening silence. 

Why?

Because this way, you'll know what your partner is about.  If he starts throwing marketese at you, you will know he learned it from going through a bunch of white papers and computer-based trainings, and that someone was probably holding his hand while he clicked on a, b, c or d in the multiple-choice exam. 

The partner you are looking for will solve your problem, depending on its complexity, by combining several point solutions, tied together to actually improve your security posture. He will combine well-known and lesser-known commercial products and won't hold back from integrating open source products. Most importantly, he will have a clear answer to every question you ask and he will know which part of the new infrastructure fits which purpose.  Also, as his solution will probably not be exactly what you had in mind, he will do his best to explain why he made surprising choices.  

I hope to see a rise in the number of consultants, or whatever you call yourselves, who return to the beautiful art that is information security.  Not by adding another certification to their wishlist, but by starting to offer real solutions for real problems.  Thinking out of the box is not a trend; it is what separates the men from the boys, and that, my friends, is what our customers are looking for:  real men creating real solutions to solve real problems.