Emmet Jorgensen has written an article on Infosecisland that I'd like to discuss for a bit. It is about whether FUD (fear, uncertainty and doubt) only has a bad connotation or could actually do some good as well. I must say I kind of agree and at the same time strongly disagree with his stance.
I've also written about FUD in a previous article, and back then my stance was this:
"If it is so that people only believe and act on what they are actually seeing, we have to show them, as long as they can still change their ways. And we have to do a better job at that. I kind of changed my opinion on FUD, at least a little bit.
"I think sometimes a little FUD can help. Just eliminate the F and the U and the D in those three letters and replace them with an S as in "show", an E as in "educate" and an A as in "advise". If the initial motivation has to be a little shock in a controlled environment (which could at first result in some fear), then I guess this is okay."
I think I still stick to that idea. Let me comment on some things Emmet wrote, because I think his article, although I do not agree with everything in there, is a great starting point for further discussion.
"Most innovations, IT or otherwise, come from necessity. Someone, somewhere (be it a business, or individual) sees a need and attempts to come up with a way to fill that need. It's part of what makes the world go round.
"FUD, whether natural or manufactured, causes a perceived necessity. (Whether that necessity is real or imagined, it doesn't really matter, the end result is the same)."
I would argue that the real innovation that fueled the technological advances we enjoy today did not come from FUD.
I'd rather say that the opposite is true. Fear hinders creativity and rational thinking.
A perceived necessity does not lead to real problems being solved, but rather to things that fall into the category of "security theatre".
"The FUD caused by the Cold War led to the development of the Internet, the space race (and by relation satellite communication, moon landing, etc.), stealth technology and nuclear energy to name a few."
I would argue that it was not uncertainty that led to the development of the Internet and stealth technology but rather the opposite: the certainty that a centralized communication infrastructure could be disrupted easily, and that a meshed network with adaptive routing, on the other hand, would be very robust. Granted, the space race is one example where uncertainty and doubt really were drivers on the political side.
But for the military there was no doubt that the other side had intercontinental missiles, so they came up with the idea of defending against those from orbit. Well, it turned out not to be such a good idea, and there was at least some level of uncertainty and doubt involved in the whole process. There was definitely fear involved. But did that solve the original problem? No, it did not. The problem isn't solved yet. It just happened that folks realized a nuclear war would not be in the best interest of any nation.
Today we still struggle to enforce the non-proliferation of nuclear weapons, and the fear and uncertainty are still there.
"Regardless of the method, the FUD created by these attacks is driving development of new products and services. Security vendors are developing new products based on a perceived necessity on the part of infosec professionals. If the FUD didn't already exist to some degree, these products wouldn't be in production."
Yes, the FUD led to the development of new products and services. None of these has solved the problem yet. Developing products based on a perceived necessity does not help with the problem.
This is like a doctor asking a patient what he thinks should be prescribed to make him feel better. The patient is no expert, so he doesn't know the correct answer.
This is esoteric information security. We've got the machine that goes "bing": it cost us a fortune, so it must be good.
"True, marketers are quick to play up the fear associated with these attacks. However, it is simply hyping up an already existing problem. In turn, they will attempt to offer some sort of solution to the issue at hand. The solutions and products are hit or miss, but the point is they are being developed to address real life issues."
Unfortunately, most of the time they are not. The opposite is true. Suggesting that there is a technical "solution" is wrong in the first place for most problems. Over time this practice has created the unhealthy perception that every problem can be solved technically.
We got a data leak, so let's install data leak prevention. We got an intrusion, so let's install an IPS. We got a virus, so let's install an AV.
Another example I had to deal with the other day: I reported that in some instances cleartext protocols and authentication are still being used from time to time, e.g. for phpMyAdmin or a CMS.
If you have an IDS running in that network, you get all kinds of SQLi alerts and stuff just because some idiot uses HTTP instead of HTTPS: the sensor sees every query the admin types into phpMyAdmin go by in cleartext, and raw SQL in a POST body looks exactly like an injection attempt. Over HTTPS the sensor would see none of it, and neither would anyone else on the path.
I don't want to see these credentials and I don't want to know them, unless I wanted to build a nice password dictionary from them, which I don't, at least not without explicit permission.
I don't want to be suspected, in case of a breach, of having pulled some "disgruntled employee" thingy, when I am the one who already complained about being able to see those credentials in the first place.
So management asked me if we could not just somehow enforce that with some device like a WAF. I said that would be pointless. If I were using a WAF to enforce HTTPS on phpMyAdmin, for instance, the admin could very easily circumvent that.
And for what reason on earth should we do that? Just tell the admin or customer or whoever is responsible for the machine to enable HTTPS and run phpMyAdmin on a different port than the website, for cryin' out loud.
Install an SSL VPN gateway with strong authentication for web administration if necessary, and tell folks to use that. If they don't comply, put them in a sandbox, refuse to take any responsibility for the OPSEC of that system in case of a breach, and refuse support.
Organizational controls instead of "magic technology".
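The technical side of that organizational ask, i.e. what the responsible admin actually has to change, is small. The following is an added example and not part of the original post or of phpMyAdmin's own shipped configuration: an Apache 2.4 vhost pair that keeps phpMyAdmin off the public HTTP site entirely and serves it only over TLS on a dedicated port. The hostname, the certificate paths, port 8443 and the 10.0.0.0/8 admin network are assumptions.

```apache
# Added example (not from the original post). Hostname, paths, port 8443
# and the admin network range are assumptions; adjust to your environment.
Listen 80
Listen 8443

# Public website on port 80. Note what is NOT here: no phpMyAdmin alias,
# so the login form can never be reached over cleartext HTTP.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    # Anyone still typing the old URL is bounced to the TLS admin port
    # instead of being handed a cleartext login form.
    Redirect permanent /phpmyadmin https://www.example.com:8443/phpmyadmin
</VirtualHost>

# Administration interface on its own port, TLS only.
<VirtualHost *:8443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Browsers remember to use TLS for this host (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    Alias /phpmyadmin /usr/share/phpmyadmin
    <Directory /usr/share/phpmyadmin>
        # Refuse to serve this tree unless the request really arrived over
        # TLS, even if someone later adds another HTTP vhost to this box.
        SSLRequireSSL
        # The organizational rule in config form: admin network only.
        # Swap this for the address of the VPN gateway if you use one.
        Require ip 10.0.0.0/8
        AllowOverride None
        Options -Indexes
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` before reloading. The point of having both the missing alias on port 80 and `SSLRequireSSL` inside the directory block is that the second one keeps holding if the first is undone by a later edit; phpMyAdmin's own `$cfg['ForceSSL']` setting in config.inc.php adds a third, application-level layer. None of this needs a WAF, and none of it can be "circumvented" by the admin without visibly editing the server he is responsible for.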
"Your job, as an Infosec Professional, is twofold:
"You can be skeptical. In fact you should be to a degree. But do your research. Call it due diligence. And remember, just because it's FUD doesn't mean that it doesn't have merits."
Right. But this is the exact opposite of FUD, I guess.
As stated previously, a little shock can be healthy, since it can make folks aware of reality and drive them to really deal with the problems at hand. But this is not FUD.
This is the classic three phases of shock, denial and acceptance. After that come awareness, problem analysis and the development of real solutions, testing, implementation (still speaking of organizational processes in the first place), operation, auditing and controlling, refinement, and then the cycle starts all over.
Just my $0.02.