Leave it to Freshman to be at the right place, at the right time, with a hammer with which to hit the nail on the head. If you don’t know what I’m referring to check out these two posts on so-called security ratings companies and their services. Go ahead, I’ll wait.
Its 2019, and while I shouldn’t be surprised at this sort of nonsense, I am. What really baffles me is that I’m not sure at which point I’m more surprised:
- That there are people out there who think header scraping or other passive means, absent sufficient context, is data worth selling for the purported purpose.
- That there are people who think such a service is worth buying; their desperation to address third-party risk overcoming their good sense, or their sheer ignorance at how the software and the Internet works illustrating how woefully intellectually inadequate they are.
- That the victims, er, subjects of these shenanigans aren’t filing more libel suites or reporting attempted extortion to the police.
This is only the latest bit of tom-foolery that’s being perpetuated in the name of “security” and/or “compliance” (not a dirty word, by the way). Just like “next generation” anything or anyone who in the last five years has attached blockchain, artificial intelligence, machine learning, or quantum to their product or service without, you know, actually doing any of those things properly and with good reason…
- Next Generation: The same s*** we’ve been doing, only with a few incremental improvements, none of which justifies the price increase.
- Blockchain: We’ve got great DBAs, but we needed to raise a new round of financing.
- AI: What we tell investors we’ve got; really, it’s a bunch of Ph.Ds. in the back room rocking a spreadsheet that we make colorful graphs from.
- ML: What we tell technical people we’re doing because we know they won’t believe we’re doing AI; really, it’s a bunch of Ph.Ds. in the back room rocking a spreadsheet that we make colorful graphs from.
The nonsense doesn’t even need to be that sophisticated. Case in point: privacy outfits that want to charge you to search the spooky dark web to find your personal information. A: It’s there, I guarantee it, no charge; B: So what? Its not like you can take it down.
Improving someone’s security posture, whether a corporation or an individual, requires none of the above things. It doesn’t get exponentially better the more money you spend or the more “advanced” the technology you use. You can become a harder target by doing a bunch of stuff that costs nothing:
- Use a password manager
- Update your software
- Make regular backups and keep them off-line
- Implement two-factor authentication
- Implement full disk encryption
The list goes on. It’s a whole lot of fundamental sys-admin-y grunt work, not sexy security fun time. No, it doesn’t make one immune from pwnage, but neither is that the case if one had spent $250M dollars. In fact, doing the simple stuff doesn’t increase the attack surface, nor does it radically introduce more potentially vulnerable code or hardware into the equation.
An enterprise of any size needs heavier-weight options on top of the fundamentals, but there are things that do good and there is everything else. Antivirus gets a bad rap, but it serves a good purpose in that it allows you (over-worked, under-resourced) to focus on the extra-ordinary. Firewalls don’t catch everything, but they catch a lot. Intrusion preventions systems don’t always, but they do often. If you had none of these things your day would get worse. A lot worse. Die at your desk worse. There is a need for sound solutions, even if they are not perfect.
Having said that, it’s not enough to be championing or cheerleading the good, we need to be shaming the bad. You have to help call out the charlatans. You have to point out how the edge case Johnny Expert is talking about is just that, and may not apply to anyone other than, well, someone operating at the edge (context is important). You have got to put yourself out there, even if it is just a little bit (a ‘like’ or ‘share’ costs nothing and takes effectively no time), because if you don’t someone is going to buy that trash and think they’re secure/compliant. They won’t be. They’ve been fooled. Ripped off. They’re operating with a false sense of security, which is probably worse that being ignorant of the current state of their enterprise. When you think things are OK, you’re prone to do more risky things, things you wouldn’t think of doing if you knew you were insecure or non-compliant.
This is not a call to form a lynch mob. What you can tell from some vendor’s web site might make you think one thing when they’re doing another. Everyone deserves a chance to respond to charges, and clarify and amplify their remarks, but if the response to questions is hand-wavy, “proprietary” magic: caveat emptor.
If you’re not willing to make some noise, you’re passively supporting bad – or at least questionable – behavior. You’re might not be doing wrong, but you’re not doing all the right you can. Standing on the fence, waiting to pile on after the vanguard breaks through, banking on the credit of others. Like the citizens of Lago in High Plans Drifter, you want someone else to do your dirty – or in this case noisy – work for you.
Well, if you’ve seen the movie, you know how that turned out.
