Security: what do we really value?

It seems that breaches in information security, along with ransomware and other malware attacks, are openly ‘celebrated’ by those who stand to gain the most. What saddens me about that fact is that while we can easily celebrate those who ethically crack software, the real heroes go unheralded and underappreciated. Nation states seem all too willing these days to invest in the cracker who can break into systems, and this should be disquieting to say the least.

There are rich rewards available to those who can find vulnerabilities in software, to ‘expose’ the problems (hopefully before they are widely shared) in software that affects the underpinnings of our daily lives. Just ask any bug bounty program recipient what drives them to do the work. The bigger the issue, the larger the payout. They have a strong financial imperative to do such work and, thankfully, they do it well.

It strikes me as oddly out of balance with what we need to secure systems, though. When do the good guys who have to do the hard work of securing the systems actually get the appreciation they deserve? What is their ‘contest prize’ for preventing issues from occurring? Where is the X-prize for preventing, stopping or mitigating attacks? Do we properly incentivize those who have to do that work, or are we only going to pay people to break into systems rather than to secure them?

Please understand, I think those bug bounty programs are necessary and important. I would never advocate against that work, as it is a must in today’s world. However, where I think we miss the boat is in building a vulnerability-driven model without building out the same for defense mechanisms and systems. The real unsung heroes (and often underpaid as well) are those who every day respond to and prevent the problems that otherwise disrupt and possibly destroy businesses, reputations and, yes, lives.

It’s one thing to prove you can break into a system, quite another to prevent, defend and/or mitigate attacks. Imagine BugCrowd, HackerOne, Synack, Cobalt or others, but instead for defense. I don’t mean new software or devices so much as a prize for using devices, methods and systems to respond to active attacks.

There is a BlackHat convention and celebration, but what if there were three teams charged with an actual attack in a simulated environment: one team to set up a network and its systems, one to attack, and one to defend. Each year, the networkers could set up to a current standard, the attackers and defenders would have a set amount of time to run their plays, and the regular attendees could be users on the systems. The system would have randomized (simulated) emails and browsing to set up traffic flows, and then the two competing teams would work to uncover or avoid the other. Each would have to either attack or defend the system. One key piece of evidence would have to be extracted (proof) or prevented from being gathered to ‘win’ the game.

If you really wanted to make it interesting, you could reverse the roles for each team after a round of play. This would force teams to be creative and to show a bit of knowledge in both offense and defense in order to win the game. It would require creative thinking and make the exercise teach quite a bit more than just “breaking into” systems.

I know that sounds like a bit much, but it would likely be far more useful than just paying a prize to ‘break in’ to systems. Breaking in requires only a single failure in security, and while it sounds glamorous, it isn’t the desired outcome of what we should want from systems and security. It only takes a can of spray paint to tag a wall. Painting a mural is far more difficult, as there has to be an artistic vision. It would seem to me that each operator should be as versed in defense as in offense in order to bring the team together. A healthy balance of styles and knowledge should be required in order to ensure you’re doing what can be done.

Just some random thoughts from a guy on the current state of where we’re at in the software field. It seems that the headlines will always be the attention-grabbing break-ins, vulnerabilities and other mishaps, but the real unsung heroes who prevent such efforts on a daily basis drudge along, often underfunded and unheralded. We should be building a better future with more security for systems, with all the enthusiasm we seem to have to spare for attackers.

Have a nice day. Don’t worry, be happy.