Bejtlich recently posted about an article the trainwreck of running IT as a business. I suggest reading it with his emphasized points, and then reading the original article on InfoWorld. I’m tempted to repost the entire article, just because it is that thought-provoking; a bit of a surprise for rags like InfoWorld, which makes me scared that they may find this rogue article and remove it!

Seriously, read the article. Everything below this point is really just rewording the points Bob Lewis makes and Bejtlich emphasizes.

The article is chock full of good points, and I myself am in a company where IT is mostly run as a separate business silo where my ‘customers’ are other internal employees. Of course, this turns us into a utility company who is not necessarily being innovative and ahead of the curve, but rather increasingly pressured to reduce (or chargeback) costs and keep things flawless (classic negative conditioning). This also makes us captive to the culture of “the customer is always right,” or “give them the pickle.” (We’re not children anymore; the customer is not always right, and it’s only ok to give someone a pickle when their pickle request is reasonable.”)

Likewise, we shouldn’t be fighting against the business initiatives, but that is often how it feels. And it feels that way because our internal “customers” make requests/demands of us similar to how customers make often unreasonable demands of their vendors. It’s a disconnect. Not a communication disconnect, but rather a disconnect in the concept of shared ownership that comes from being all part of one business (which is ironic considering we’re employee-owned).* If we weren’t conditioned by the business to be risk-averse, we’d likely be on top of or already doing some of their requests!

Then again, maybe this whole article’s idea about how bad “IT as a business” is, is itself a product of even more pressure on IT budgets and cost. How better to eliminate that as your pressure by putting it on the shoulders of the whole company? Or it may be saying, “Help me, help you.”

I really love this part, and it is something I live through weekly, especially with how closely I work with our internal IT and developer teams:

“Or try to explain your file and print server hosting rates. It doesn’t matter that part of that rate is full backup and off-site storage. Or as part of a clustered environment you have built-in redundancy and that ensuring the server is updated and secured appropriately is part of that cost. Their friend Joe hosts these things on the side, and it is much cheaper.”

When IT is a business, selling to its internal customers, its principal product is software that “meets requirements.” This all but ensures a less-than-optimal solution, lack of business ownership, and poor acceptance of the results.

Other IT persons (developers, largely) are notorious for this. The classic example is, “Why does storage cost so much? I can go to Best Buy and get a terabyte on an external drive for $100.”

In fact, I would go so far and say that this whole problem of being an internal customer is compounded right now with the consumerization of IT; i.e. the influx of Apple products, mobile devices, cloud-based storage (which is just an “enterprise” way of saying “on the web” for most of these services), and outside hosting/solutions. This is why we’re losing this battle suddenly: the “customers” are making the recommends demands; not IT. IT is trying to avoid more black eyes, delivered as a result of being a “separate business.” (Managerial personalities can make an impact as well, especially those who refuse to ever be wrong, even when their requirements are horrid.)

If I had to nitpick on the original article, it would be the assertion that this whole “IT as a business/chargeback” issue is not that clearly a product of the outsourcing industry. I think business largely doesn’t know how to handle IT as an integral part, so the default behavior ends up fitting the “IT as a business” model where budgets are constrained, IT managers are pressured to justify costs, so they chargeback as a way to illustrate who is costing them what. This is a top-down problem; not a sideline/outsourcing problem.

* What is even more ironic, is the effort to force more innovation into the business over the last year. While I think it is wrong to “force” innovation and make it a requirement, it is even worse to try to do so in an environment where risk-averse actions are rewarded. This is whole topic in itself…

Seems to be a bit of a renaissance of security-oriented livecd distros floating about. Somewhat exciting since the long-past days of things like Phlak, Knoppix-STD, and some other one that had some green in it, was also an acronym, and included the letter “G” somewhere…I forget.

SamuraiWTF has been updated!

SecurityOnion has been updated!

DEFT will soon be updated!

BackBox is new?

Blackbuntu is new?

For any other ideas, check the livecd menu category to the right. Yes, I’m missing some like Helix or Nullbound. I just don’t always feel right grouping [off-and-on] commercial offerings under the ‘livecd’ category. Others like Russix (wireless-oriented livecd) seem to be MIA.

Just wanted to point back to a post from Bejtlich, specifically talking about a recent Tweet of his:

Real IT/security talent will work where they make a difference, not where they reduce costs, “align w/business,” or serve other lame ends.

That doesn’t mean security shouldn’t align with business and all that jazz, but those items are not really the goal of anyone with half a good mind in security. They want to do cool things and make a difference. They’re passionate, enthusiastic about security, hacking, and defense. Who gets enthusiastic about aligning with business or reducing costs? Yes, some people do, but I think there is little intersection between those people and badass security geeks.

Gawker recently had an issue that exposed the security of their web code (and overall posture) as crap. Not surprising. Reading the >comments to an article about it on The Register also yields no surprises.

There are plenty of managers and others who don’t understand the consequences and risks of not paying proper respects to security. They truly do need educated.

But there are others who *do* understand the risks, and who *still* make decisions that leave security lacking. This is what I call the big security gamble. And it is just a matter of the risk a company wants to accept, or at least put off until such a time (if ever) that something does happen. See, it’s that “if ever” part that really starts the shoving matches. In security, we really should be talking about the inevitability of an incident. But human nature won’t necessarily accept that inevitability. You really might be able to go for many, many years without suffering (or at least knowing you suffered) an incident. Kinda like not having car insurance and yet still driving…

It’s hard to argue that deadlines should be pushed in order to get security done right, especially when a product may be new and no one even knows if it is viable yet or going to succeed at all! What comes first, the product (and resultant revenues) or security spend? [I like to also say, to head off a natural line of argument: which comes first, learning how to assign a variable or learning how to assign a properly bounded and verified variable?] Of course, once it does succeed, that inertia of ignoring security is hard to turn around until something bad happens…

The fact is, economics will trump security. Hell, economics trumps *safety* even (though few people like to talk about that). This is life.

That sounds exceedingly defeatist and cynical, and in a way it is. But it really, really helps keep a security geek sane by coming to terms with reality every now and then. That won’t stop me from always giving the ideal suggestions when asked for, or trying to gain as much security ground as possible when given the chance. Or strive for doing security correct in the first place.

If I got pissed off at everyone who had a security incident or lapse or who didn’t cover every hole and feasible issue, I’d be pissed off at everyone. Granted, there is negligence and stupidity…but….you get my drift, I’m sure.

I have made my opinions on honeypots known, and while I think they’re fun and useful to those who have the time or focus on analyzing attackers and their tools (I can’t stress enough that there *are* orgs that *should* be using honeypots [like F-Secure!]), they’re just not useful to most organizations (in fact, almost all, if you ask me).

So I was a little skeptical when listening to Exotic Liability #70 and Lenny Zeltser came on and the topic of his recent blog post about honeypots came up (skip to 56:30). Chris Nickerson gave excellent reasons against bothering with honeypots. That could have been me talking, almost word for word. Researchers love honeypots, but that’s part of the problem where researchers sometimes just don’t get what really gives value to an organization *right now* in their security posture when they have limited resources (not grants or research funding).

But Lenny made one interesting observation about giving your talented staff a honeypot to play with otherwise they may get bored and quit the organization for somewhere more exciting. I think that’s an interesting point, but probably not one that will matter too much. First, not many orgs have honeypots, so it’s not like a lack of a honeypot to play with is something that a staff member can go to another org that has them. Second, if sec staff is bored, something is wrong. I can’t imagine that any real security pro is ever bored. Frustrated and disheartened, yes. But truly bored? Never. Truly, never.

Lenny’s article makes a bit more sense when you dismiss the idea of putting honeypots out on the public internet, which Lizzie helped expose in the interview. Then you’re really just using honeypots as another internal tripwire (or for those with the time and talent, a way to examine attacks). Honestly, I’d still suggest putting more of other tripwires in the environment. Just like Chris says, I can’t think of any situation where I would ever suggest a company try out a honeypot in their environment. There are far, far, far too many other things that can be done.

(In economics, this is called opportunity cost.)

Next, Lenny’s article mentioned that really honeypots are just for mature security programs. But how many executives and even middle managers will *think* they have a mature security program? Then hear about honeypots and how infosec researchers said honeypots are useful, then made that a new project or outright purchase? I really don’t think anyone should think about honeypots until outside infosec professionals “certify” their programs as mature *and* they have some vested reason to analyze attackers and their tools (i.e. you research and then sell security). It’s important to make sure that an outside entity labels you as “mature.”

Lenny also mentioned the idea that an IPS could, instead of just preventing the attack, to actually pretend that the attack will work and entice more interaction with the attacker. This is also interesting, but really does break down once you analyze it with any experience in security teams in real organizations. First, the level of sophistication in that IPS/IDS or whatever tool would have to be huge in order to entice anything except very specific scripted events. Second, why bother? I would rather my IDS/IPS present me with packet captures on what it alarms on, and not bother with enticing those attacks and giving me even more captures. And so on…it’s an interesting idea, but way too sophisticated for any of these companies or boxes that try to be “turnkey” or automated. This still all comes back down to talented staff, as usual, anyway.

Oh look, a user-supplied content vuln in Twitter! It’s cute that Twitter attempts to validate the uploading of jpg files into a user profile, but not gif.

ChrisJohnRiley presents prn-2-me, a tool to MITM print job submissions (no, not porn-2-me). Legitimate uses? Maybe log what people print out?