Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


WHY WE ARE STILL SITTING DUCKS

You know what I find strange? That we still have so many information security problems. No, I mean it, there are no real new threats. Yes, the threats are being used in new and different ways, but fundamentally there is nothing really new, so I have to ask myself why the problem seems to get worse each week. Let me try to answer this by drawing an analogy between IT security practitioners and medical doctors, and as such I mean the people in each profession who know what they are doing. The reason I do this is because there are great similarities between the human body reacting to and dealing with threats, and the way a network does.

Lets start with a basic problem. when you think you are sick, you go to a doctor, and he tells you what to do to get better. When you follow his directions you get better. If you do not, you get worse. If he says "Do not eat apples or you will be sick", and you go and eat apples, then guess what? You will get sick, and anyone you complain to would tell you that you should have listened. And you know what else? The doctor does not care whether you like apples or not, or whether you have eaten them your whole life, he will still tell you to give them up. So why when an IT security person tells a company to do something, why do they think it is open to negotiation? Why do they think just because they have done something for a long time that that means that the recommendation does not apply to them? And why when they do not listen, and something goes wrong -as it will-, do they try to blame people other then themselves? This is the first problem then, that the people who are responsible for making security happen, think that they know better than the "doctor".

Next lets look at another problem. I don't know about you, but if I am getting ready to go into surgery, I do not tell the doctor "Listen up you quack, I expect you to do good job and to do it quickly. I am not paying for more than one hour and you better not use too many medical supplies because I will not pay for it. now hurry up four-eyes." I think that something like that would be ... shall we say ... sheer bloody stupidity. But yet there are companies where the IT staff are openly mocked or spoken down too. Recognize any of them .. "Geek", "Nerd", "Button pusher", "Propeller Head" and I am not even going into the rude or vulgar ones. Now I am sure that there are companies where IT is treated properly, unfortunately I have yet to see one or hear of one. So what you ask. I believe that there is no such thing as a marketing company, or a sales company, or any other type of company. They are all IT companies that do something else, such as an IT company that does marketing. How can I say this you ask, simple. Take any modern business, rip out the cables and machines and see how long that business lasts. So why do companies so reliant on this infrastructure belittle those who maintain it? Especially when much like a doctor again, a company's IT staff does not need to actually do anything wrong to cause damage, they just have to not do the best job they can. This then is the second problem, that the people who need the "treatment" think they do not need to treat the "doctor" with any normal respect.

Lets stick with the treatment idea to discuss the next problem. If I need brain surgery, I am not going to go to the local vet and ask him to operate because he is cheaper, in fact I am not even going to ask a recent medical graduate. I happen to be rather partial to my grey matter functioning properly. So, I am going to find a brain surgeon who does what I need done, and who does it well. I do not care if he is more expensive then the vet, I would rather pay a bit more, then end up with an involuntary lobotomy. Again I ask, why then do businesses decide on using the cheapest possible labour. Either they think that any IT person can do any IT job equally well, or they do not value their IT infrastructure. You know what, I am not sure which  is worst. But more then that, lets turn it round, say a company has a good IT resource, one who is performing the required duties well, why then do many companies feel the need to pay them the lowest possible salary, very often justified with "I can get <insert name of graduate/cousin/mechanic here> to do this job for half your salary"? Strange as it may seem, you get what you pay for. If my brain surgeon says "If you want I can use a second hand scalpel for the operation if you want to save some money", I will very politely tell him to go right ahead and use a new one. To quote Jon "Maddog" Hall, I am not paying the surgeon for the amount of time he spends on the operation, but rather because he knows where to cut. This is the third problem, the people who need the "treatment" want the "back-street" price.

These are the reasons I think why we still have IT security problems. Simply because businesses refuse to listen to the professionals. Because the business always thinks it knows better, because IT security professionals have to compromise. We are told we must play nice, not rock the boat. We are told to play the game, or that we do not understand the company. And as long as this carries on we will never have secure networks. As long as untrained people can call the shots, we will always have problems. And the cost of this situation is getting higher, for while the threats haven't changed, the stakes are higher. More and more attacks are motivated by criminal intent. We can no longer afford to bandage the problems, we need corrective surgery.

Harsh? Undeserved? Try this, find a company that has a draconian firewall and anti-virus policy, and see how many information security problems they have as opposed to a company that has less restrictive policies. I will guarantee that there will be a visible difference. I have personally worked in both types of environment, and can testify to the difference. Like it or not the net is not a friendly place, and a company's network is not some magical island of peace and calm. Peace and calm like that can only come with work and vigilance. Much like our bodies, when it is cold we dress warm so as not to catch a cold, it's common sense after all. No-one likes eating veggies but we do it because we know it is good for us. I find it strange we do not apply such common sense in the business world.

What do we do to fix it? Just listen to the experts, but how to fix the business's attitude? I do not know, really I do not. But I am about to say something that I am sure lots of people will disagree with and if you want to try and convince me otherwise please contact me and try. Until I change my mind though, let me go out on a limb here and say this. If the company you work for..
Then you will never be able to properly secure their network or do your job. You will be constantly fighting and compromising your suggestions and sometimes even your ethics. You will always be a sitting duck. So try your best, do your work to the best of your ability and if you get the chance to go to a business not suffering from these three aliments, then move. Trust me your work and life will get a lot more fulfilling.