Building Bridges: Forcing Hackers and Business to “Hug it Out” – Andrew Hay, Chris Nickerson
Started as a discussion from Shmoocon 2010 – Hackers and business, who’s responsible for what
Nobody wants to accept responsibility
There’s the stereotypical black t-shirt who are too cool to talk to business
There’s the business who just want to protect their business and don’t know what to do
It’s a fight that’s been brewing for a while and both sides really want to meet the other.
This talk shouldn’t exist… but the industry obviously needs it!
- The problems
- The view from the trenches
- The view from the business
- The way to fix this problem
The view from the trenches
– Management is clueless
– They don’t care about security
– They will only do the “bare minimum”
– They play golf and waste time in meetings all day
– They don’t respond when I show them how important it is
Security guys are overworked, get all the blame and don’t get the respect we deserve
The view from the business
– Hackers don’t have a clue
– They don’t care about the business
– They don’t understand the economic challenges and regulations
– They surf the internet all day
– The don’t listen when I tell them how dangerous it is
The business work long hours, don’t get the respect they deserve
Pure Security vs. Business Security
The business is responsible for operating as a business.
The hackers are screaming they can get into boxes
A secure environment is the goal, but this will never happen –> utopian view
As a business person, availability will usually trump anything else. If the systems go down, it’s a big problem.
Availability is king!
The cost of secure operation could be detrimental to the bottom line –> Budgets are fixed, scope is fixed. Business doesn’t like it when you come to them with unannounced costs.
Shell a box vs disruption
Shell == Game Over
Security people can’t validate their findings without exploiting systems
To business, shell means nothing. How does it link to business impact?
There’s a huge difference with the level of responsibility between a hacker (pentester, etc…) and the guys running the business. We say “you must” without thinking who’s really in-charge and responsible for making those choices.
Business doesn’t understand what exploitation or popping a box is. If they think you might take it down then you’ll get delegated to the dev environment to test.
If an exploit is required to validate, we’ll skip that test
Cost vs Completeness
Security guys always want a free scope. When business say they want a system tested, they have a focus. Who are we to complain that we’re only focusing on 2% of the environment.
Having the mindset that everything has to be tested doesn’t work all the time.
Testing on every level isn’t always whats needed.
Rules for engagement are built from a lack of business understanding… sometimes. This doesn’t mean they’ll change however.
Security people aren’t giving business cases for other things that could or should be tested. Testing everything at once might also not be the best plan. Take things one-step at a time.
“You need to do this because if you don’t you’re stupid” –> not such a good way to convince somebody!
Budget and compliance dictates whats needed or wanted. PCI only needs specific tests. Educate the business that this isn’t always best.
Scope vs Hackers don’t have a scope
As security people we always hide behind this excuse. If you want that, quit and become a blackhat.
“Scope is a guideline… I’m gonna test it all” –> Taking down a productive AS/400 isn’t a good thing if it’s not in scope. Business downtime == money
SE is out of scope? WHY? Real hackers will attack our people –> Do you know what effect this kind of test has? Maybe the company doesn’t need this organizational and legal issue. SE isn’t always easy and clean from the business standpoint.
Business doesn’t always know whats best for them… if they did, they’d already have secured it
Scope creep does not benefit the business –> testing systems outside of scope causes business issues.
Political ramifications of SE is too much for a business to handle sometimes
Downtime vs Patch to secure
It’s just a patch, install it already!
How much revenue will be lost if this threat vector is exploited!
Patching now may reduce downtime due to a breach later
If you’re worried about installing a patch, test it first
This is stupid, why isn’t it automated? –> Hacker “I could script that”
Downtime isn’t an option –> WAF or other inline patching –> Put a band-aid on it
But we’ve got a Firewall and AV
Attackers are on the outside –> Users on the inside have all the info.. aren’t they a threat ?
We’re a hospital/bank/whatever… we CAN’T go DOWN! –> Not just a technical issue, it’s a reputation issue. Always available!
Feature Release vs Secure Development
It needs to be secure vs it needs to be released
If we fix it now, we’re releasing a secure system and don’t have to fix it later
Delivery timelines can shift
Saving money by fixing now (cite post release 100x bugfix increase cost)
I won’t put my name on THAT <insert tantrum here>
Delaying the release may jeopardize our Go To Market strategy
Fixes can be applied post release –> Hotfix, next minor release –> Hope nobody finds that vuln before the patch is out!
Development & QA time costs money
May lose money by fixing it now –> Loose customers, loose deals
Feature profits fund future development and also security enhancements –> ones it sells we’ll secure it
Compromise Disclosure vs Potential financial devastation
We should be open and tell our customers
It’s our duty to report flaws to vendors and the public
This could jeopardize future and current business –> no business, no security, no job!
Let somebody else report it
We’re in business to make money not report vulnerabilities
We got hit, but nothing sensitive was accessed –> SURE 😉
Compliance vs Security
Compliance is NOT security!
Compliance should be a by-product of being secure
Compliance is stupid and somebody else problem
Compliance initiatives fund security products and tests –> need to test to achieve a tick in the right box
Our customers require us to be certified… not secure
Achieve compliance and security should follow! –> isn’t this the wrong way around?
Not enough money for both… business has to be compliant!
The way to fix the problem
Business want it all neat and pretty…. hackers want the real info no matter how messy it is!
Business needs to
- Hackers are intelligent people who are responsible enough to be educated on the business and it’s issues
- Business has a large moving target to keep up with and need effective direction
- Hackers are their first and last line of defence / They defend your paycheck and require your support
- Getting the understanding
The business keeps moving and the workload to keep up with new threats, systems and technologies is a big issue. Business also don’t want to be the one up till 4am dealing with system security. If it’s working then nobody cares…. no win situation!
Hackers need to
- Learn more about the business, it’s opportunities and how cost plays into the decision process
- Identify the political challenges and pose their problems/solutions in a manner that fits
- Talk in a language that business understands
- Mimic terms used by business
- Cut down on the techno babble
Both need to
- Learn to respect and tolerate the others skills and problems
- Recognize that both camps bring value
- Realize that neither camp should dictate best practices but rather agree on best practice
- Understand that they have the same goals but start off on different opposite sides to get there
Ask yourself what you’ve done to bridge the gap between security and management?