Cyclical

There was a new Intel flaw announced this week dealing with Floating Point Calculations and Math processing. You would think it would take longer than 24 years for Intel to have another Floating Point issue.

Now, I am not saying it is the same type of flaw, but the general public won’t understand that, at least those that remember the 1994 flaw. Back then it was actual mathematics that failed. This time is is the registers that can have data swiped from them. It got me thinking about security and security flaws.

Last year EternalBlue was announced. It reminded me of the days of code red in the way it wormed around using old flaws. We keep seeing cross site scripting, cross site forgery, SQL injection and others go in and out of style. How cyclical is security and why does it seem to be so?

The answer may be as simple as we can only focus on so much at once. We see attacks of a certain style happening, we learn about them, learn how to defend them and forget about other types of attacks that are not really being used. We figure our governance on how to prevent them is still being heeded, so we lose sight, until that style of attack becomes hot again. Same is true about flaws. In our fast paced, need it now, first to market society something has to give. A human can only do so much. Yes, we have tools that should find what we call the low hanging fruit, the items we are not focusing our direct energy on, but these are only tools, and if we ignore the reports they generate, we miss out.

The other way we miss out on the reports generated is with too much noise in those reports. This is one of the biggest flaws I see. You get a tool, and it generates so much noise that it becomes useless. We only have so many eyes and so much time so we just naturally start dismissing everything. It does not matter if the tools are meant to find bugs in code, security holes or monitor for security events, we get false positive fatigue. We have to make exceptions on top of it all in order to allow our companies to do their work and make the money so they can pay us and we can stay employed. Tools are supposed to help with all of that, and by tools I mean software and hardware. The issue there comes in that nothing is a one size fits all.

The tools leave us with a couple other problems. They become too unwieldy to manage or tune, or just a bad, do not allow the granularity to tune them as needed. It takes time, time away from us doing other things that are important, such as going through the latest scans, checking hardening standards, learning about the equipment we have. Instead what was though of as a 6 month deployment turns into a 2-3 year deployment. By the time the deployment is done there are new tools that are being used, perhaps even in your environment that cause the same tuning problem.

We burn out from it all. You might think this could be handled by hiring more of us, by getting more people into the field. That is only part of the answer though. The other part is understanding what level we really need people in. Where we need more people is in the “entry level” analyst type roles. Companies are crying about the shortage of mid to high level people out there, but if they focused on bringing in more of the entry level, they could groom those people to move up and have more eyes on those noisy logs and reports. Give those analysts a chance to learn in their position so they can take the next step. Instead we have fewer eyes on the problem. This is not even taking into account the culture that drives so many away from our field. The sexist, racist, elitist situations that drive some very smart and capable people away. Yes we have a pretty strong community but our field is not just our community that talks to each other, and even there we have issues. Those issues keep cycling back around from how we treat people with not as much knowledge, to how we treat people who look at problems differently, and even how we treat people we disagree with. The sexism is not cyclical, it is a constant. It use to be cyclical though, at least how and when it was brought up. I fear how constant it is makes it become background noise to many, when it should not, but that is for a post and discussion of its own.

So the question is how do we break from this vicious set of cycles? Some thoughts have been proposed about, such as focusing on generating more entry level positions and then mentoring people up through the tuning projects you have. Outside of that, better made tools, that allow us to do what we want with them. Ones that have the granularity and the ability to be easily tuned for noise. We need to learn from the past and realize that just because something is not being used widely now, does not mean it will not be in the future again. There are only so many ways to do things, and while that can be a large number, we are lazy, and will go back to the simplest way we can find.

Finally, we need to stop thinking we are better than each other and other people. We say that people are the biggest security hole. Just remember that we are part of that hole just as much as the secretary, or the neophyte in the field or the CEO. We are fighting from inside the hole and holes are normally circles.