I wrote this months ago but I guess I forgot to publish it. Maybe I wanted to proof it more? Who knows, but here it is. Any non-bullet points that are bolded were added by me just now.
The mess that was the 2010 Shmoocon podcaster’s meet-up audio is available. I totally could use not hearing Paul “shhh” on a mic ever again! The talking was pretty crazy and all over the place, even disrespectful (hey beer was involved so it’s forgivable), but I feel like they did touch on some extremely important questions. Questions I’d love to hear them discuss again in a more refined situation (arguably, a podcaster’s meetup is more party than panel, however!)
There are no correct answers to these topics! That is probably why opinions in these discussions can be very passionate and even violent! Sometimes in certain properly bounded contexts, there are correct answers, but mostly not.
(Late update: Personally, the more I listen to Chris Nickerson, the more I appreciate his frank opinions and where he has his head. It’s in the right place, and while I know he can have an acerbic sense of humor to some people, he’s increasingly one of those voices worth listening to if he tells you something.)
1. exploit vs not exploit – I’m not sure this topic was given its fair due, but I’m not sure everyone was on the same page in the discussion anyway. Andy Willingham gave this the once-over already in a blog post. The topic brings up good questions on what you do on a test and what is actually meaningful. I notice I didn’t really weigh in on this topic, and honestly the view from the fence is fine for me and probably reflects both my security and operations sides.
2. SMB vs large enterprise – There is a big gap that is hopefully becoming less the elephant in the corner and more one of the usual voices in the conversation. The world of the SMB in security is dramatically different from that of an enterprise or a city-state-nation. Approaches that work for large enterprises can be ridiculous for SMBs, and vice-versa. I think it matters that this came up multiple times. This still needs to come up, and the topic deserves a month of posts in itself.
3. properly presenting findings/recommendations to a business – I’m finding it hard to word this topic, but it really runs the gamut of how you present security to an organization. And this digs at a very sensitive topic: security aligning to the business. I sympathize with all sides to this discussion. You could give the security teams and CSO their highly technical reports and let them distill it down to what is relevant. Or you could align yourself with the business and report your findings directly to someone like the CEO, in the CEO’s terms. Honestly, maybe pen-test teams need to have both capabilities and have that project manager/lead who is the one that acts as a temporary CSO in the absence of one. This is a great topic, by the way, and I think it really demonstrates the art and the versatility today’s security experts need to have: both the technical chops and the strategic chops, and the ability to know when to use each.
4. “good enough security” – I think it was Mick from Pauldotcom that brought this up, and it didn’t get enough treatment, although I think this is also just as passionately divisive a topic as any. When you accept that there is no ultimately “secure” state, or there is no “win” in security, then you really do subscribe to some form of “good enough security.” Where that proper line is drawn is really the art of risk management, and that line is probably far lower for SMBs than large enterprises. Security pros these days have to be able to get into the mode where it’s not just about violently defending every little insecurity, but about recognizing each issue as part of the whole. Bad password policy? Fix it!! Outdated SSLv2 cipher on an internal app that is 5 years old and used by one team? Consider letting it slide. (Side note: This is where lack of real security chops can bite many people in the ass. It is inevitable that non-tech people will look at issues presented and demand fixes for each one, even the “low” priority ones. This creates wasted effort and inefficiency…and so on.)
5. privacy differences between Europe and the US – I thought this was an excellent question by Nickerson to spark some conversation on a topic I hadn’t really dwelled on before. Because Europe has a different emphasis on privacy for people, they have an entirely different mindset with regard to security in organizations. Not saying it’s all good, but the difference can be useful.
6. listening to internal security experts vs paying someone outside the company to say the same damn thing – Good point on this topic, and I think every penetration tester or consultant or third party needs to not just work to align with the business and talk in a way the CxO understands, but also empower and support those internal persons who make security happen. Recognize and empower (and not undermine!) the talented security folks out there. Build networks, exchange advice, encourage; don’t have an antagonistic relationship with them, plop down some mysterious report on a CxO’s desk, then walk away briskly. Try to change the way the CxO views her internal support staff so that we can Get Shit Done. But yes, it really, really sucks when a CxO pays top dollar to get a report that says the exact same thing I may have been saying for years.
If there’s any topic I’d love to have brought up because it fits with this motley crew of passionate voices, I’d have asked opinions on MSSPs vs internal staff, both for large enterprises but also SMBs.