Silicon Shecky

Infosec Practitioner

Connect

Over Complicated?

By Leave a Comment

“Any sufficiently advanced technology is indistinguishable from magic.” – Arthur C. Clarke

“Any sufficiently advanced magic is indistinguishable from technology.” – 7th Doctor (Sylvester McCoy) in Battlefield

So which do we have? Talk to people and computers is magic, is technology is both. Those of us that understand computers are wizards, magicians, technological experts. To put in terms that someone on Facebook might understand, “It’s Complicated,” and it gets more complicated every day.

I am not going to get into the usability question the way that Wendy Nather did. She does it so much better that I could. Instead lets look a bit more at how the complication has come about and why it keeps increasing.

We have a ton of “solutions” for security. As we get more granular and more “advanced” each solution is more and more targeted and creates sub verticals inside the world of making things more secure. This is the wallpaper that Wendy talks about. Each layer actually makes things less secure overall. Now, I am not saying we do not need controls and software in place. I wish I could find this clip on YouTube, but in Doctor Who back in the Tom Baker era, he opened a really electronically complex door with a bobby in. When asked why he did not use his sonic screwdriver he explained, “The more complex a thing becomes the more susceptible it is to the overlooked simple way around it.” We are headed in this direction. Think about the extra code, the more ways there are way to look at the problem. Just look at the living off the land that teams are using now to avoid detection. This doesn’t though explain how all this complication came about, just where it is all heading. So how did we get to this point?

The way I see it there are two base reasons for the increase in the complexity. The first and foremost one I think is ego. Ego drives us, and it is no inherently a bad thing, actually it can be a very good thing. It also can easily get in the way. Ego drives us at least partially to find bugs, to find new solutions, because we want that recognition, even if it is only on a subconscious level. It also drives us to start up derivative companies in an area of cybersecurity. Why? Because company A won’t listen to our solution so we strike out on our own. this can lead to the second reason, money.

Plenty of solutions start out without money in mind. Small project of love. Then we realize we might be able to recoup costs or even make a living off our labor of love, but to do that we need to bring others in that want to be a part of such a labor of love. Wait, to be able to pay them, we need money, so we either take out loans or get investors. The investors though want to see a profit, so we start making things more complex or entering into side projects that might be related to the original, because we have a name people trust. This creates the other subset that money creates. Lack of collaboration.

The lack of collaboration is easy to see in the anti-virus industry, but it exists across all the verticals. It comes from each company having its own secret sauce to their solution. That secret sauce is what makes each solution different, but also can leave blind spots in said solution. If all these vendors really had security first and foremost in mind, the would be working together in the development of the solutions. Yes this would make the solutions similar across the vertical, but considering each vendor has areas of strength that the others don’t, it creates a solution that is going to be more secure overall, that actually should not have the integration problems that we currently run into. How many times have you run into using multiple vendors items and found an incompatibility between them? I see it quite often. That incompatibility is now a security hole. There is an area that gets opened up. This creates a spot for a third vendor to come in with a solution. More cost, more complexity, more advanced technology, more wizardry.

So how do we fight back on this? Honestly the only thing I can think of is opening collaboration between each other and companies. Work together to bring the simplest, most comprehensive solutions forward. This happens occasionally when alliances and partnerships or buyouts happen. At least they try to happen until the ego gets in the way again. Still collaboration is going to be the key going forward. Many of us talk about the great community we have. We need to work together to simplify the complexity, to remove the wizards and magic, because if we can get out of being looked at in that fashion, those outside of our field will have an easier time helping keep things secure, it gives a way out of the conundrum that Wendy mentions. It is not an easy road, but then again, nothing worth doing is easy. We are the problem solvers, so let us solve this problem.