Cybersecurity is (seemingly) pointless (Devils Advocate rant)
20 points by hdnnn on Feb 22, 2024 | hide | past | favorite | 23 comments
This title is bombastic - I know. I don't believe it 100% - but there is a little sentiment that is true. I am open to criticism, so please criticize me.

Hear me out.

I am a Cybersecurity "Professional" as one might say, so I am not just a random person ranting... I love my industry and have a passion for protecting the cyberspace.

However, when I gauge the ability of persistent threats and the resources us "good guys" have to protect against them, on a large scale it is seemingly pointless.

Side note: It's not even about a lack of resources. I think even if we had enough seats in chairs and money to go around, it still wouldn't be enough. 5 creative malicious actors can outperform 5,000 Cyber analysts + Security orchestration, automation, and response (SOAR) programs - it's not even a comparison.

We can protect a network from very specific threat vectors, like phishing e-mails or malicious downloads, which low level attackers may employ against company assets - fine. But past this, we have absolutely no way of protecting against a motivated team in a catastrophic attack.

When people talk about "protecting our infrastructure" I just don't possibly see how it can be done at a large scale.

Our only saving grace is MTTR or alternative solutions.

Take the AT&T event today as an example... (not implying it was a cyberattack).

Individual enclaves within companies may be able to do so for their sustainment, but at a societal level, there are creative ways to shut down businesses that we simply don't have the ability to account for.

And this type of thing applies to every single country, it's the nature of the industry at the moment.

I hope I'm wrong - and I hope someone has a rebuttal!



Perhaps an analogy with other crime can help here.

Just because your store can be broken into doesn't mean you can't take measures that make it much more difficult.

It's not that security mechanisms in a store are pointless, simply because you can't defend against the most advanced criminals.

You can make things much more difficult for criminals so they'll go to another store instead. Or at least they'll have to put in more effort as well.


This is a common analogy but incorrect for software security. With software companies absolved of all liabilities for flaws in their products, it is more like the perimeter walls in your stores full of hidden holes about which you can do nothing. Random people publish information about new holes to break into your store regularly. The wall manufacturer is shamed by the public to drop patches in front of your store from time to time but does not install it. Now, in addition to running your store you have to make time to install those patches.

Even if you do all of that, there is no guarantee criminals will move to the next house since they might have knowledge of a “zero-day” hole that you or even the manufacturer does not yet know about. Or you did not get around to patching one of the new holes in your wall.

So no, this is not apples to apples.


Most of these things do not need to be public though. Whatever your existing setup is, you can build a box around it so that suspicious people are not allowed in. Then you only have the outer box to really worry about.

Of course if you want to enable people to make important decisions from their homes, you have two options, build a box around their homes too or accept that they are outside of the box and treat all of their activity as suspicious.


Which is why we are finally getting liability laws in computing; governments and major companies are realizing how much money gets burned by security exploits.


Cybersecurity professional for 27 years here, full mitigation of risk is not the goal, being in the middle of the gazelle herd is the goal. Do enough that your organization is not attractive to those 5 innovative threat engineers.


Definitely wise - you're more of a veteran here than I am. And of course that's the standard any company/analyst should shoot for.

I'm curious how policy will shape anything outside of that standard, however. Because for a company, that philosophy (full mitigation is not the goal, risk acceptance is) is sufficient. But for civil function, it stops a little short. It's unacceptable at the policy level if major banks go offline for 48 hours - or if traffic lights stop working on major roads - or if the hospitals go offline.

I don't have a solution, either - I'm just pointing out that when Cybersecurity is talked about, it really isn't understood from this perspective. Really, all we can do is mitigate risk, BUT, there will be a time where all these vectors will be utilized (hopefully not) and when/if that happens, people will debate how we got there. It's a near-impossible thing to avoid.


Risk management still gives you the correct answers, even for civil concerns.

Let's break down what it really means to apply risk management to strategy and actions:

You think through potential outcomes of security breaches, and plot them on a likelihood/consequence grid. Then you put a lot of energy into high likelihood, high consequence items to move those concerns down on one or both of those axes, or to have detailed mitigation plans in place if there are items that truly cannot be moved.

When that is done, you move on to the 2 quadrants that require more strategic thought - high likelihood/low impact and low likelihood/high impact. Personally, I try to come up with mitigation plans for low likelihood/high impact, while trying to move the needle down on the high likelihood/low impact concerns.

If you get all that done, you either have corrected or mitigated everything other than low likelihood/low impact, and you are likely in a "good enough" state, where you can breathe a bit easier and just work on incremental improvements.

All that being said, corporate vs. civil doesn't change your process - what it changes is the "impact" axis. Different data, same approach.


It is like what they say: You don’t need to outrun the hunters, you just need to outrun your fellow dodos. It is not like they will bring their friends to eat more mouth-watering dodos until they eat you all.

There is only, what, 600% year-over-year growth in cyberattacks every year for the last 10 years? With exponential growth that slow you can keep outrunning them for like, 5-10 more years until there are enough hunters to eat you all.


Skewed analogy: black hats are keen to attack everyone, even other black hats. It's different with human hunters and dodos.


"5 creative malicious actors can out perform 5,000 Cyber analysts + Security orchestration, automation, and response (SOAR) programs - it's not even a comparison."

Hi. I'm a Principal Security Consultant, former Red Teamer and Red Team Manager.

I completely sympathize with your position but I do think it's a resource issue. A really good defense (one that can detect and react quickly) only has to win once, just like the attackers. Sure, it'll take a while to clean up the mess afterwards, but one detection is the beginning of the end if it's a good one.

You need talented senior people who are good at working together on a purple basis to build the defense to that point. Lots of people say the cybersecurity skills gap isn't real, but at that level, it is. Even Fortune 500s struggle to meet that maturity level, let alone smaller orgs.

Is it realistic to try to lift smaller orgs above that security poverty line? I dunno. I'm sort of agnostic on the future of AI, but if that works out, I think the current pain will ease significantly.


My opinion: Security is only a concept; You can lock a door, but it can be broken into; or like the lines on a road - They are suggestive, nothing stops you from crossing over, even barriers can be crossed given speed or size.

With that, I see cyber security as an auditor and/or teaching field. =D


I thought about this and wanted to ask if other people had similar thoughts.

I think that the web is broken and needs to be fixed.

To buy something I need to part with some information that is useful only for the process of buying something (name, address, credit card etc). After the goods change hands the company needs a part of this for their accounting and taxes. All my info should be anonymous and encrypted.

But this is not the case. Companies keep my info unencrypted because it's easy to do and leak it when someone breaks in. This happens again and again.

I should own all my data and store it locally and only send it to a website if I want to buy something. Profile stores should not be used.

So we need standards for how to store information and who is supposed to store what and how.

So your comment about cyber security made me think that it's pointless, as we are trying to put out fires instead of fixing a broken design which allows the fires to start in the first place.


The world regime as it stands prefers efficiency to justice. The cybersecurity industry is this regime's "hat tip" to justice, without incurring the full expense of it. If a trespasser is caught on my property, fiddling with my door handles, lock-pick in-hand, there will be consequences, since that scenario had already been addressed and codified by a much earlier regime, with a different value system. If a trespasser is caught trying to brute-force my SSH, and I notify their cloud provider, the response will be something ranging from a temporary block to nothing at all--and more often the latter than the former.

Ken Thompson underlined the crux of it back in '84 with his "Reflections on Trusting Trust"[0]. People chattered, but it was effectively ignored. All of the nessus scans, rustifications, yubikeys in the world aren't going to solve the fundamental problem, which is lawlessness. When it all breaks catastrophically, this will change. Actual cyber-security will increase, but we will be presented with a different set of problems, which may be worse than the ones we already have.

What is worse? The occasional Mossad hack, or the impenetrable digital despotism of FAANG walled-gardens, but with even bigger moats built on either federal regulation or better technology? From what I've seen, the appstore has screwed ordinary people much harder than east euro hackermans would ever dream of. If the problem were solved purely with engineering, the jailbreakings of geohot and bunnie never would have happened. If the problem were solved via regulation, geohot and bunnie would be rotting in jail like Assange. In other words, be careful what you wish for.

[0] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...


The solution used by the aircraft industry is to document, investigate, and mitigate to build a common defense against failures. This is the way operating systems like SunOS were developed and hardened. That ended with the move to commodity PCs. Critical infrastructure computing could adopt this approach to harden systems. Some companies already do this internally, but it should become more widespread. The language/OS/server architecture/flavor-of-the-day is a really poor approach to security (though arguably good for invention). It makes it harder to change things, but it _builds_ security over time.


This reminded me of Security Absurdity (from 2006!).

https://noameppel.com/SecurityAbsurdity.pdf


The solution is very simple: Everything on a computer or network needs to be transparent to the user. Not one byte can be hidden from the user.

The problem is that the instant a Microsoft Windows PC comes online, it transmits a bunch of obfuscated packets, some of which relate to Windows licensing authentication.


In terms of national cybersecurity, having a good offense is a good defense.


+1

I would argue offense and defense are part of the same sports game. Soccer is a good analogy. Can you play pass?

J


The problem has a good solution, but getting people to adopt it is unlikely to happen. It is to simply adopt systems which are not based on ambient authority, and simply use the least privilege possible to accomplish a task. This has been known since the 1970s, when we learned it in the US in response to issues during the Viet Nam conflict.

The closest analogy I can give to the state of things right now is to imagine our current power grid with absolutely NO fuses or circuit breakers. Instead of assuming that a circuit somewhere could be compromised, we've invested millions of human lifetimes being very careful about what we connect to the grid. Houses and businesses would routinely burn to the ground, power outages would be commonplace across all scales, any time a circuit fault developed, anywhere.

Instead of giving every device plugged into every outlet everywhere full access to all the power available on the grid, we use circuit protection. You're not going to be able to power a factory from a single 120V single phase outlet, but you can do useful work with it. Thanks to fuses, circuit breakers, and the like, you can effectively use any outlet in your home for almost any conceivable use, without worry. The same is obviously not true for computers, and running programs, although it used to be true!

Back in the early days of computing, we had systems which didn't have a single persistent mass storage. Because we booted off of removable and write-protectable media, it was possible to have a "known good" boot image, and make copies of it. It was always possible to bring the system up in a known good state. It was always known what disks were at risk for corruption, as they were the ones in the disk drives without write protection. You couldn't corrupt disks that weren't in the drives. Sanity was easy to preserve, and we routinely purchased tons of software and just tried it out without a worry.

Thanks to hard drives, and now SSDs that can't be write protected, we'll never be that safe again. Especially when our operating systems can't enforce write protection on even their own code.

We can fix it, but my personal estimate of when that would happen is about passed now.... I figured it would be about 2025, but these days I'm not sure it'll ever happen at all.

Edit/Append - Apparently there are forensic USB3 bridges which could be used to make your media actually read-only. They aren't cheap, though. That's half the problem, the other half is in the OS, and the Genode project (a Capabilities based Operating System) is going to spend 2024 focusing on usability, so a solution might actually be at hand.
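The comment above contrasts ambient authority (any code can name any resource) with least-privilege, capability-style designs. The following is an added illustration of that pattern, not code from the thread or from the Genode project. It models a read-only "directory capability" that a plugin receives instead of the ambient ability to open arbitrary paths; the file tree, names and plugin functions are constructed for the example. It shows the design only: plain Python cannot stop a malicious module from importing `os` itself, so real enforcement needs an OS or runtime that withholds ambient authority, which is exactly the commenter's point.

```python
"""Ambient authority vs. an explicit, least-privilege capability (added example)."""
import os
import tempfile


class DirCapability:
    """Grants read access to files beneath one directory, and nothing more."""

    def __init__(self, root: str):
        self._root = os.path.realpath(root)

    def _resolve(self, relative: str) -> str:
        # Resolve symlinks and '..' *before* checking containment, so that
        # 'x/../../secret.txt' or a symlink pointing out of the tree is refused.
        target = os.path.realpath(os.path.join(self._root, relative))
        if os.path.commonpath([self._root, target]) != self._root:
            raise PermissionError(f"{relative!r} is outside the granted directory")
        return target

    def read_text(self, relative: str) -> str:
        with open(self._resolve(relative), encoding="utf-8") as fh:
            return fh.read()

    def subdir(self, relative: str) -> "DirCapability":
        # Attenuation: a holder may hand out a narrower capability, never a
        # wider one (there is deliberately no method that reaches the parent).
        return DirCapability(self._resolve(relative))


def ambient_plugin(path: str) -> str:
    """'Ambient authority' style: the plugin names any path it likes."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def confined_plugin(cap: DirCapability, name: str) -> str:
    """Capability style: the plugin can only ask for files via its handle."""
    return cap.read_text(name)


def demo() -> dict:
    """Build a constructed file tree (hypothetical data) and exercise both styles."""
    with tempfile.TemporaryDirectory() as base:
        secret = os.path.join(base, "secret.txt")
        plugin_dir = os.path.join(base, "plugins", "x")
        os.makedirs(plugin_dir)
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("db-password")
        with open(os.path.join(plugin_dir, "config.txt"), "w", encoding="utf-8") as fh:
            fh.write("colour=blue")
        os.symlink(secret, os.path.join(plugin_dir, "link"))  # escape attempt via symlink

        cap = DirCapability(plugin_dir)
        results = {
            # A compromised ambient plugin simply reads the secret.
            "ambient_reads_secret": ambient_plugin(secret),
            # The confined plugin reads what it was granted ...
            "confined_reads_own": confined_plugin(cap, "config.txt"),
        }
        # ... and both escape attempts are refused by the capability itself.
        for attempt in ("../../secret.txt", "link"):
            try:
                confined_plugin(cap, attempt)
                results[attempt] = "ALLOWED"
            except PermissionError:
                results[attempt] = "refused"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that confinement lives in the handle, not in a check the plugin is trusted to perform: the plugin has no operation that widens its access, and `subdir` can only attenuate it. That is the software equivalent of the circuit breaker in the comment's analogy.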


To allay your fears somewhat: personally, I assume the government has advanced capabilities unknown to civilians.


Back in my day we used to call it "IT security", and nobody gave a poop about this. Then hack after hack after hack, costing $bn and people woke up to the need of IT security and IT audit.

But hey, nobody wants to admit that they fell asleep on the wheel. Then suddenly "IT security" was dead and "Cybersecurity" was born.

I get your feelings. Some organizations have the wisdom to give the CISO a chair at the big table, and some others prefer the quick buck at the risk of the big disaster. There is no correct answer on this. Their company = their choice. We can only choose to not-shop-from or not-work there.

Don't think of infrastructure as "one big thing". Consider that it was being secured one-asset-at-a-time. So, one server = 1 server hardening = Farm/WLAN+Firewall+IPS+IDS+Vuln+PenTest. And then you automate. One of my favorite mottos is "set it and forget it" (but set it right, automate the tasks and review schedulers and results thoroughly).

So yes.. it can be done, good and well, it can add value/reduce risk.
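As an added example of the "harden one asset, then automate the review" approach described above (not the commenter's code or tooling), here is a small audit of an sshd_config against a baseline. It parses the file the way sshd does for global options: keywords are case-insensitive, the first occurrence of a keyword wins, `#` starts a comment, and `Keyword value` or `Keyword=value` are both accepted; options inside `Match` blocks are skipped, a simplification, since they apply conditionally. The defaults are the ones documented for current OpenSSH; the baseline values and the sample config are this example's assumptions.

```python
"""Automated review of one hardening baseline: an sshd_config audit (added example)."""
import re
from typing import Callable, Dict, List, Tuple

# Documented OpenSSH defaults for the audited keywords, used when a keyword
# is absent from the file (an absent keyword is NOT the same as "secure").
OPENSSH_DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Assumed baseline: (keyword, check, human-readable expectation, reason).
BASELINE: List[Tuple[str, Callable[[str], bool], str, str]] = [
    ("permitrootlogin", lambda v: v == "no", "no", "log in as a named user, then elevate"),
    ("passwordauthentication", lambda v: v == "no", "no", "keys only; removes brute force"),
    ("pubkeyauthentication", lambda v: v == "yes", "yes", "required once passwords are off"),
    ("x11forwarding", lambda v: v == "no", "no", "rarely needed on a server"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 3, "<= 3", "slow down guessing"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings as sshd would see them."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        # Split on whitespace, or on a single '=' with optional whitespace.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()                        # keywords are case-insensitive
        if key == "match":
            break                                     # end of the global section
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)              # first occurrence wins
    return effective


def audit(effective: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (keyword, actual, expected) for every deviation from BASELINE."""
    findings = []
    for key, ok, expected, _reason in BASELINE:
        actual = effective.get(key, OPENSSH_DEFAULTS[key])
        if not ok(actual):
            findings.append((key, actual, expected))
    return findings


# Constructed sample config, not taken from any real host.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes          # first value wins ...
PermitRootLogin no           # ... so sshd ignores this later line
PasswordAuthentication no
MaxAuthTries = 4
Match User backup
    PasswordAuthentication yes
"""


def audit_text(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_sshd_config(text))


if __name__ == "__main__":
    for key, actual, expected in audit_text(SAMPLE_CONFIG):
        print(f"{key}: is {actual!r}, baseline wants {expected}")
```

Two details matter for a review that is "set right": absent keywords are resolved to the shipped default rather than treated as compliant, and the duplicate `PermitRootLogin` line shows why the checker must mirror sshd's first-wins rule instead of taking the last value, which would wrongly report the host as hardened. Running `sshd -T` on the host and auditing its output instead of the file is the more robust variant, since it prints the fully resolved configuration.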


I think CISA.gov is doing a great job of protecting the public.

They have a lot of influence with Congress, and they know hacking can be stopped by experts, technology, and good habits.

I would recommend you check them out :)

CISA.gov


Cybersecurity has two sides: business and tech. It is invaluable to the business side, particularly in terms of making risks and threats legible, demanding mitigation and insurance strategies, compliance and certification.

Cybersecurity on the tech side, for most firms, is laughable. It indeed follows the herd model, where no one ever got fired for following "best practices", like forced password rotation every two weeks with no password reuse and absurd character requirements.

It takes a firm like Google to innovate with BeyondCorp / ZeroTrust initiatives and innovations. The rest of us are waiting for npm update to finish while CrowdStrike is consuming half the CPU of our MacBook Airs.



