[Infowarrior] - OpEd: The infosec industry is a fraud
Richard Forno
rforno at infowarrior.org
Wed Mar 18 12:06:54 UTC 2009
The infosec industry is a fraud
Metlstorm takes the infosec industry to task for its failures...
By metlstorm
March 18, 2009 --
http://risky.biz/news_and_opinion/metlstorm/2009-03-18/infosec-industry-fraud
I want to believe I'm wrong; that the infosec industry isn't a fraud,
fleecing the chumps of their cash. "Surely, Metl," you say. "Surely
it's not 1994 any more, you don't just NFS mount .mil boxen any more,
you don't roll with slammer or blaster or code-red. You don't get
thousands of open ports when you nmap a corporate Internet perimeter;
things are better."
Sure, maybe it's not 1994AD any more. But let me posit this, which I
culpably dub Metlstorm's Assertion:
The cost of owning a corporation is a fraction of a percent of their
annual infosec spend.
Let's go with 0.1%. Can you think of any organisation you've worked
for, or on, or with, or pwned that you couldn't own for the sales
margin on a single Check Point device?
Let's assert the value of owning a corporation -- if you're any good
at the order-fulfillment bits of crime, which I'm not -- is
proportional to its market cap.
The ratio of cost-of-ownership to value-of-ownership is so low as to
have an ROI to an attacker that is nearly infinite.
Stated more concisely (unusual for me, I know); the incremental cost
to an attacker between not hacking you and hacking you is so close to
zero we have to assume they actually do.
Which means you should proceed on the assumption that your corp is
already owned.
We live in a world where our desktop machines get USB autorun worms,
where a garden-variety botnet worm owns entire Ministries of
Health, where insider attacks are commonplace, where biometrics
doesn't work, where routers are backdoored by offshore manufacturers
with various political goals, where we pay janitorial services staff
minimum wage because they've only got physical access to, well,
everything via their trivially clonable RFID proxcards running on
building management software off a crappy old NT4 box in the basement.
Ok Metl. Breathe.
You see where I'm going with this. There is no infosec industry. We're
just doomsayers who take the chumps' money while they've still got it,
and when they don't we just scare the next lot senseless until someone
pays up. We don't actually improve anything.
The infosec industry is a trinity; the boxpushers (vendors), the
chumps (the users), and the doomsayers (us, the pentesters).
Boxpushers sell kit to the chumps, who've been goosed into thinking
they need it. The doomsayers occasionally pity the chumps, but are
generally stuck in io-wait, writing off the boxes being pushed as
useless, impractically complex, and that highest criticism of all;
boring.
Us doomsayers take the chumps' money, then tell them in excruciating
and savage detail how much they and the boxes they got pushed suck.
And they invariably do.
When we're on a typical gig we sit around, amusing ourselves
intellectually by doing something we'd all probably just do for fun
anyway, call it work, and then tell the chumps in serious sounding
language quite how poked they are today.
There is doom. Unending grimness. Like the darkened frostbitten
forests of Ukrainian black metal album covers.
Hell, in the case of boxpushers, they actually make it worse (Hi mail
antivirus gateways! Hi IDS consoles, hi shatter-prone desktop asset
management and patch deployment solutions, giving up localadmin like
[security researcher] Brett Moore slipped you his best Mr December
smile under the digital cyber eMistletoe.)
I ask you again -- is there any corporation you've seen where the
upper bound of cost to own them wasn't proportional to the janitor's
hourly rate? We all know, deep in our guts, that we could own anyone.
And we wouldn't be doing it with Ben Hawkes' heap technique -- that
stuff's for impressing cons and talking shit in bars, not wasting on
actual attacks. We'd just roll like it was 1994AD; and we'd win. Every
time. You know it. And how much would it cost? To own a bank, a telco,
an ISP, a critical infrastructure provider? Really, we all know the
turgid, sodden, doomladen truth.
How much would it cost?
Yeah. Exactly. Fractions, my man. Fractions of a percent.
Metlstorm is a New Zealand-based freelance security consultant. He's
created several tools including Hai2IVR, Winlockpwn and SSH_Jack. He's
also an organiser of the annual Kiwicon security conference in
Wellington, New Zealand.