The Corollary of Fear, Uncertainty and Doubt - False Reassurance
This week, geek reporter Carl Brooks does a turn on the fudsec catwalk. Carl worked in the trenches for 10 years as an IT consultant/administrator before switching careers. Here he argues that FUD is less about security, and more about shills selling security to suckers. He has a point - maybe it's time to "rebrand" fudsec: "Shills and Suckers"? Thanks Carl!
By Carl Brooks
I’m here to join the long chain of security-minded IT people trying to straighten out some of the bugaboos of security: where it lies, where you should start looking, and why people really need, at the very least, to understand what to worry about.
I’m no security professional. I’m a middling-to-fair sysadmin with plenty of run-of-the-mill small network experience, but I worked for people to whom computers might as well have been crystal balls and CAT5e was something I named my pets because I was weird. So like many of my ilk, I was the temple guardian for lots and lots and lots of users who trusted everything they read in an email or thought Microsoft ISA was a real firewall because it said so on the box.

This is the heart of the problem. Computers are commoditized, networks are commoditized, IT overall comes in a box that you buy off the shelf. It's not news that any old sap can get themselves a full-fledged network of computing resources with a call to Dell and a trip to Best Buy. Along the way comes fear, uncertainty and doubt about all the things that can go wrong, all the threats out there -- and 99% of them are bogus -- just sales pitches to cram another product into your box or your building or your brain. Bought a server? The Dell fella sure was helpful, huh? He even said you should get up and running with that antivirus server trial on there, roll it out to all your computers, keep your employees safe! Never mind that you don't know what your router is for - it's got a firewall, says so on the box. Why, without a firewall, you're screwed like a slow ape by a fast gorilla! And backups!!!! Holy DAT, Batman, you need a backup! Yes, plug it in. Phew. Done.

That's the problem, kids. Every user in the world is convinced they need security features, not security procedures. They KNOW this. It's drilled in. Tell a manager antivirus is a bow, not the present, or tell him managing backups will take more than one trip, and you've got five heads. He knows he's supposed to be afraid, but you aren't presenting the answers he's primed for. That’s what FUD is for: shape someone's worry, and you've shaped their answer.
This is why, for the purposes of security, there is only one answer: someone, somewhere, has to know what the fuck is going on with your IT. That responsibility is the only answer to buying 'solutions', because they can, and do, go horribly wrong. It's the corollary of fear, uncertainty and doubt: false reassurance and false confidence lead to consequences you don't understand. As always, security devolves to fundamentals, and they're usually forgotten after all the dots on the planning chart are connected. Real security is the afterthought until it’s a necessity. It's more common than not that nobody really knows what’s going on in their organization. That is always the real headache around security. It’s almost NEVER a technical problem.

Now, here’s a real security problem or two, by way of example:
Back when I worked for a living, we ran ‘outsourced IT’ for small businesses; we also ran a thriving emergency room for computing disasters.
One day we get a server with a failed RAID 5 array, delivered by a guy who pretends he has no idea why he is there. We call the boss and find out he wants the RAID fixed and the data back. Unfortunately, the array has been destroyed despite having two perfectly fine hard drives.
Oh, dear. We naturally ask Mr. Shrugs-a-Lot what led to this turn of events. We eventually determine, no thanks to Mr. Now-Sweating-Bullets, that he had called his “computer guy” who, over the phone, had tried to help him diagnose and repair a failed disk in a hot-swap RAID 5 array. Hot-swap!!! “Computer guy” doesn’t know what on God’s green earth he is doing, so he calls Dell support on his other phone, while relaying instructions to Mr. Now-Gripped-with-Icy-Terror. Guess what Dell told them to do. To sum up, my boss worked through the weekend, made a nice fat fee, and I had a frank talk with the client company's president. That’s a security problem, people.

But, you say, they didn’t know any better; clearly this doesn’t happen in organizations that use process and compliance and have IT staff. Oh, really? OK, one day, in runs a dude we’d never seen before, carrying a circa-1998 whitebox tower. This is in 2006-ish. He is in a panic. He works for a security company, the kind that sits in gatehouses with badges on. It is, naturally, a disaster: failed mainboard, rapidly failing hard drive, years of environmental exposure, frankly worthless. It’s a loss. More panic. Many cell phone calls, hands waving, and treading circles in the workshop. Turns out there is no replacement for this machine, no backups and no way to reconstruct the configurations. Windows 98, naturally, with some custom app some nameless developer came up with a long time ago, no docs, no contacts, nothing. They are royally fucked; this is the thing onsite they need to do their job. Well, we perform the specialty of IT all over the world and pull something out of our asses: locate a chassis and gear that supports this slop, image the drive to a new one, etc. Off they go, the security folks with their repaired and functional piece of poop.
What was it for? It was the sole repository of photo ID and entry and exit badge verification data, including all the photos and employee records, for a single point of entry at a very, very, very large aerospace weapons manufacturer.
We did a little work for that “security company” subsequently. Anyone want to guess the admin password on their NETGEAR firewall? Don’t bother, you can look it up.
Now THAT, ladies and gentlemen, is a security problem.