Disclaimer: This gorgeous rant did not come from me, this is the genius that is @da_667. Tony likes to make excellent points on things, then dismiss them just as fast as rantings of a lunatic. It's my job as his friend to tell him when he deserves to be heard. The other reason I'm posting this is, the comment had 28 likes. Which means at least 28 other people agreed with this nonsense.
So, with permission, I'm posting this in blog form. I've edited out OP's Twitter handle because I don't want you degenerates ragging on him. He's since deleted the post, which shows me he knows he made Dad angry.
Yes, I fucked up the screenshot. Nobody's perfect.
I wasn't going to rant on this, but fuck it I have an audience.
*sits at the campfire, watching the fire crackle, watching the embers smolder. The shitposter has a thousand yard stare. As though nobody took his bait.*
I was there in this dude's position. Ten years ago. Why is security so terrible? What the actual fuck have all of you been doing? Why are the seniors so disgruntled? Why aren't you trying harder?
They tell you ignorance is bliss. That not knowing makes you better off. Over the years, my experience with the inner workings of security, though limited by far compared to my peers, makes me feel like the first time I read The Jungle.
Everyone is happy to eat the meat and taste the sausage; nobody wants to know how it's actually made.
You wanna know why security hasn't progressed in the last 40 years? It's because we've been trotting in fucking circles for decades.
You want to know the real root cause? Why we will never "solve" security? It's because we can't even get beyond the basic steps of the top 20 security controls. People are so busy jerking off to their next-gen, ML/AI, pen-testing automated attack platform that will make you secure.
SECURE WHAT? YOU DON'T EVEN KNOW WHAT THE FUCK IS ON YOUR NETWORK.
Everyone was so fucking busy with moving fast, enabling business and being able to push to prod in the blink of an eye and the flash of a credit card to Azure/AWS/GCP, that security wasn't even a twinkle in anyone's eye.
Real-world example: Marketing team stands up a website/server/database with client information in the cloud for whatever fucking reason. The site becomes compromised because it's running an ancient version of Drupal or WordPress or lord fucking knows what.
Marketing: "Hey our site got hacked some dudes are asking for buttcoin or some shit. We have client data on this site"
The Noble SOC: "What fucking site? What the fuck is this? Who had purchase authority? WHO THE FUCK WAS GOING TO LET US KNOW THIS WAS A THING?!"
Other real-world examples include terabytes of data in S3 buckets that people left for the entire goddamn world to grab.
Minion 1: "Don't you think we should limit permissions to this massive bucket of disk storage?"
Minion 2: "Dude, the app works with RWX for everyone. That's someone else's problem."
Let me dial it back further, because it looks like I'm blaming cloud for security problems. And before some higher-up cloud engineer shits on my parade, that is not the case. So we need to dial it back a little bit.
So. A popular tactic for tracing criminal networks that LEO uses is the concept of "follow the money." The TL;DR is to follow where the money is being spent, or generated, or provided, and you'll find the bigger fish. In a fucked-up kind of way, "follow the money" logic works for explaining why information security is so shit. And real LEO/CT people are probably going to eviscerate me for my definition of "follow the money."
Think about it, though. Why does that IoT device have such shit security? Because it didn't pass QA, because they didn't bother with QA, because the stakeholders said that was too expensive. "Fuck it, ship it" won, and the device got launched.
Why did Equifax get breached? Someone did risk analysis, decided that patching would require shitloads of opex hours and money, and said "nah, we're not patching it. We're going to just accept the risk and say we'll 'monitor' it," and then never actually followed through.
Because, if it's a compliance finding, it's probably cheaper for them to accept the fine than it'd be for them to fucking fix it or replace it.
I mean, hell, the people "on high" who are allegedly responsible if shit goes down had advance warning and they just fucking bailed, stammered in front of congress, got yelled at and made off like bandits. There are no consequences, and the only thing companies give a flying fuck about is the bottom line.
We work for, or secure, companies who are all in a race to the bottom, either to be absolved of risk (which doesn't fucking work) or to put in the least amount of effort to check the checkboxes and say "YAH WE TOTES SECURE," when those compliance guidelines, they know FULL WELL, are meant to be a starting point and not the motherfucking endgame.
"oh we're legally obligated to get a penetration test quarterly. Hey, pen-tester, hurry the fuck up we need that report so we can just accept the risk on all your findings." 🤷
"Yeah, all of that work put into going into IDS mode? It's too hard. Fuck that noise. Passive mode it is."
Doesn't matter that you spent months working on escalation procedures, architecting it, tuning it, or that the network runs critical infrastructure, FUCKIN YOLO.
"Hey, maybe our vital monitors and/or insulin pumps should be on a segmented VLAN that is near-impossible to reach remotely-"
"lol nah, fuck that. That's work. Drop it on the flatnet with the multi-million dollar MRI machine that runs Windows NT."
Just like how hackers and pen-testers don't flourish and do exceptionally difficult hacks unless it's their only way in (path of least resistance), businesses don't spend more than they absolutely have to, to enable business.
"Yo, the security on this site is FUCKED. Someone could cough on our website with sqlmap and get a shell."
"Is it still working?"
"Don't fuckin' care, lol."
Path of least resistance. Follow the money.
Then, when shit gets breached, and they have to pay fucking huge fines and/or face having to close their business or merge/get acquired, they're gonna blame the security team for not doing enough. Congrats. You're a fall guy. I seriously hope you kept a paper trail and CYA.
(BTW, I have absolutely nothing against the person who asked the question initially. I'm just saying there is a lot of baggage to that loaded question.)
I don't have a SoundCloud; donate to Rural Tech Fund or any number of tech initiatives to help those who want to get into tech and don't know that they'll become magical girl witches in the process.