Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Business to Hug it Out


Page 1: Building Bridges: Forcing Hackers and Business to “Hug it Out”

Andrew Hay, CISSP, The 451 Group

Chris Nickerson, CISSP, Lares Consulting

Page 2: About

• Andrew Hay
  • Senior Analyst, The 451 Group
  • Analyst, Author, Speaker, Blogger, and more!
• Chris Nickerson
  • Founder & Principal Security Consultant, Lares Consulting
  • Red Team and Social Engineering Expert

Page 3: Change Log

• History:
  • Started as an argument a discussion at ShmooCon 2010
  • Idea to turn whining discussion into a talk from BSidesBoston 2010
  • Perfected Presented again at BSidesLasVegas in July 2010
  • Perfected at SOURCE Barcelona in November 2010

Page 4: Why Talk About This?

• This talk shouldn't need to exist!
  • But the industry obviously needs it
• We're all adults (well, most of us)
• Business leaders should understand their staff
• Employees should understand why the business needs to do what it does

Page 5: Overview

• The View From The Trenches
• The View From The Business
• The Problems
• The Way to Fix The Problem
• Questions?

Page 6: The View From The Trenches

• Management is clueless
• They don't CARE about security
• They will only do the “bare minimum”
• They play golf and waste time in meetings all day

Page 7: The View From The Trenches (continued)

• They don't respond when I show them how important it is
• We…
  • Are overworked
  • Get all the blame
  • Don't get the respect we deserve

Page 8: The View From The Business

• Hackers don't have a clue
• They don't care about the business
• They don't understand the economic challenges
• They surf the Internet and talk to their “friends” on {IRC, Twitter, Newsgroups} all day

Page 9: The View From The Business

• They don't listen when I tell them how dangerous it is
• We…
  • Put in long hours
  • Answer to the business stakeholders
  • Don't get the respect we deserve

Page 10: The Problems

• Pure Security vs. Business Security
• Cost vs. Completeness
• Scope vs. “Hackers Don't Have Scope”
• Downtime vs. Patch to Secure
• Feature Release vs. Secure Development
• Compromise Disclosure vs. Potential Financial Devastation
• Compliance vs. Security

Page 11: Pure Security vs. Business Security

• View from the trenches
  • Security is an ever-changing field / not constrained by dated academic theories
  • A secure environment is the goal but never really gonna happen
  • It's secure when it can't be hacked
  • It requires 24/7 support

Page 12: Pure Security vs. Business Security

• View from the business
  • Security is defined by the CIA triad
  • Availability (typically) trumps Integrity and Confidentiality
  • The cost of operating securely should not be detrimental to the company's bottom line
  • The budget cannot be expanded just because there are new threats

Page 13: Cost vs. Completeness

• View from the trenches
  • Completeness should be the goal
  • Budget should be flexible to accommodate
  • We must test ALL devices
  • We must look at every level (Network, App, Code, etc.)
  • The test/testers you bought SUCK

Page 14: Cost vs. Completeness

• View from the business
  • Fixed cost for project / no wiggle room
  • Budget dictates the depth, you don't!
  • The only things in scope are the machines holding (insert here) <PCI, PHI, etc.> data on them
  • I only have to do a Web App test OR Code review, not both. It says it right here in the standard.

Page 15: Scope vs. “Hackers Don't Have Scope”

• View from the trenches
  • Scope is a guideline / ROE may need to be adjusted as required
  • We will attack any asset that you own. What's on it doesn't matter.
  • You must test everything on the box/app, not just what that dumb compliance sheet tells you
  • SE is out of scope? WHY? Real hackers will attack our people

Page 16: Scope vs. “Hackers Don't Have Scope”

• View from the business
  • ROE non-negotiable / paid to adhere to scope
  • We know what we want tested and what is important for the business
  • Scope creep does not benefit the business
  • Political ramifications of “testing” our people are a large liability.

Page 17: Downtime vs. Patch to Secure

• View from the trenches
  • Patches need to be applied / that's why they're released
  • How much revenue will be lost if this threat vector is exploited?
  • Patching now may reduce downtime due to breach later
  • If you are worried about installing the patch, test it first
  • This is stupid, why isn't it automated?

Page 18: Downtime vs. Patch to Secure

• View from the business
  • The business can't afford downtime to patch / disrupts business and potential for lost revenue
  • Availability is more important than security
  • We have a network firewall and desktop AV / should be enough
  • Attackers are on the outside
  • We are a hospital/bank/whatever, we CAN'T go DOWN!

Page 19: Feature Release vs. Secure Development

• View from the trenches
  • If we fix it now, we're releasing products that are secure out of the box / don't have to fix later
  • Delivery timelines can shift / they're just dates in MS Project
  • Saving money by fixing it now. (cite post-release 100x bugfix increase cost)
  • “I won't put my name on this *tantrum* *badmouth*”

Page 20: Feature Release vs. Secure Development

• View from the business
  • Delaying release may jeopardize our GTM strategy
  • Fixes can be applied in a post-release hotfix or in the next minor/major release
  • Development & QA time costs money / not a money maker
  • May lose money by fixing it now
  • Feature profits will fund future security enhancements

Page 21: Compromise Disclosure vs. Potential Financial Devastation

• View from the trenches
  • It's our duty to report exploit vectors to the vendors / we'd want others to do the same
  • We got hacked, we need to tell our customers.
  • YOU are unethical if you don't tell anyone

Page 22: Compromise Disclosure vs. Potential Financial Devastation

• View from the business
  • Disclosing weaknesses jeopardizes our business!
  • Let someone else report it to the vendors / social responsibility be damned!
  • We're in business to make money, not help the vendors fix their problems
  • We got hit but no sensitive information was accessed

Page 23: Compliance vs. Security

• View from the trenches
  • Compliance IS NOT Security
  • Compliance is a byproduct of being secure
  • Compliance is stupid and is someone else's problem
  • How can one size fit all?
  • How does securing 10% of our assets and ignoring the other 90% make us secure?

Page 24: Compliance vs. Security

• View from the business
  • Sometimes compliance is the end goal / deemed ‘good enough’
  • Our customers (who pay your salary) REQUIRE us to be certified
  • Achieve compliance, security should follow
  • Not enough money for both but higher risk of fines for not being compliant

Page 25: The Way To Fix the Problem

• Some common ground must be found

[Diagram: “Business”, “Hackers”, “What we need”]

Page 26: Business Needs To…

• Understand that…
  • Hackers are intelligent people that are responsible enough to be educated on the business and its issues
  • Business has a large moving target to keep up with and needs effective direction
  • Hackers are their first and last line of defense / they defend your paycheck and require your support
• Provide executive support, understanding, and financial backing for the security team or expect failure
  • Security is just like ALL other business units; without those things… they will fail.

Page 27: Hackers Need To…

• Learn more about the business, its operations, and how cost plays into the decision process
• Identify the political challenges and pose their problems/solutions in a manner that fits
• Talk in language that executives understand
  • Articulate technical issues in less complex terms
  • Pretend you're explaining to your mother

Page 28: Both Need To…

• Learn respect and tolerance for the other's skills and problems
• Recognize that both camps bring valuable information to the table / keep an open mind!
• Realize that neither camp should dictate best practices but rather agree on best practices
• Understand that they have the same goals but start off on opposite sides to get there.

Page 29: Questions?

Ask yourself ‘what have I done to bridge the gap?’

Page 30: Thank you!

Andrew Hay
Senior Analyst, The 451 Group, Enterprise Security Practice
[email protected]
http://www.the451group.com
http://twitter.com/andrewsmhay
http://www.andrewhay.ca

Chris Nickerson
Founder & Principal Security Consultant, Lares Consulting
[email protected]
http://www.laresconsulting.com
http://twitter.com/indi303
http://exoticliability.libsyn.com/