
How often in your work do you run into a situation where the answer lies on the surface, right in front of you or your clients, but they simply will not do what you recommend? You can make recommendations on how to fix vulnerabilities, but you cannot force anyone to follow them. Of course, this problem arises in other professions (technical and otherwise), but in information security it is especially common. Let me tell you a few stories in which you will certainly recognize yourself.
You are an analyst at the Information Security Monitoring Center of a well-known corporation. Your job is to scan for vulnerabilities and make sure that high-risk ones are eliminated throughout the organization, especially in systems exposed to the Internet. Your scanners find a critical vulnerability in the popular web application platform , one that lets an attacker gain access to the box, for example through remote code execution, and a public exploit already exists for it. You report your findings, plan the installation of the patch, try to push it through at the change control meeting ... and achieve nothing.

Your proposal has been rejected. Upgrading the platform requires rebuilding the application, testing, a lot of work, so no, thanks. We will deal with it later. Do we have anything that can help us detect such an attack? No, you do not have access to any countermeasures, so you cannot even check whether there are signatures to block, or merely DETECT, this attack. Installing any host-based security tools on the affected servers is not an option either. And are you sure that, if you notify the manager, there will be anyone who can do it?
It will be a real scandal if one of your mailboxes is compromised and, several months later, the vulnerability turns out to have been the initial access. So you save the messages and letters in which you mentioned the vulnerability, to use them later as CYA material (cover your ass). It's a good thing you did, because the well-known corporation is hacked fairly easily, and the vulnerability you made all the noise about really does turn out to be the initial access.
On top of that, when the CEO gets chewed out for what he allowed, he shifts the responsibility for the incident onto the information security staff.

You are a pentester at a security assessment and penetration testing company. You have been working with a large client for a week now. You were ready to dig in. Oh, how ready you were to dig in. By the end of the engagement, your report is thick enough to rival a great novel. The head of information security and the risk managers ask you to hurry up with the report. Usually people are in no hurry to hear bad news from a pentester, so, trusting your luck, you ask: "What's the rush?" Maybe they are preparing for an upcoming audit and want to make sure they comply with all the prescribed data protection rules. Maybe they want to cut some staff or the security budget at the end of the fiscal quarter. Either option would be acceptable. Instead, you get the answer: "We need the report so we can sign off on it and accept all the risks." That means you have just spent your time on a professional report (backed by your OSCP certificate, the gold standard of pentesting, which, mind you, is very hard to pass) for nothing. No one is going to read it, no one will learn anything from it, and when you come back after a while you will find all the same flaws.

Of all the options available, they chose "Do nothing." "It's fine," they said. Everything is working, so we are not going to rock the boat. Hand over the report, take the money and move on. In a mildly demoralized state, to put it gently, you do what you have been told. Your non-disclosure agreement forbids you to name and shame the company that treats significant risks with such indifference.
Soon the company receives a letter stating that hackers have obtained its personal data and will leak it unless they receive a ransom in the form of an outrageous sum of money. As proof, they attach screenshots of records from several large databases. Your investigation shows that the incident did occur, but you still do not understand how they pulled it off.
The company doesn't care. "Pay up. No one should know about it. If anyone asks, say it was the result of your bug bounty." You understand that this is not ethical, but you are not going to lose your job over their mistakes. In the end, if the CISSP certification taught you anything, it is that management is accountable for bad decisions.

A bit like Shadowrun, isn't it? Situations like these (and many others) leave information security specialists feeling dejected and depressed. What happens when a person feels that his work means nothing? When he has to deal with the same nonsense every day? Week after week, month after month? He sinks into apathy. The work that was once his passion, to which he gave body and soul, turns into a nine-to-six grind that exists only to pay the bills.
You no longer feel drive and dedication to your work. You are no longer interested in learning new technologies, techniques and methods, or in building new skills; what is all that effort for? No corporation wants to bother improving its defenses, so why should you bother learning? You no longer want to attend conferences, because they look to you like an echo chamber of endless talk about improvements, and about how easy it would have been to prevent all these breaches when, damn it, we already knew about all of this.

This is called burnout. From now on, you don't care. You no longer give 100%. You seriously doubt the value of information security practices. In the end, we have been thoughtlessly repeating the same 20 security controls for decades. We can't even manage patching and asset management, the most fundamental and security-critical things. What is actually in your infrastructure, and how regularly is it updated?
The OWASP Top 10 has existed since at least 2010, and we still see SQL injection (SQLi) and command injection vulnerabilities EVERYWHERE, especially in Internet of Things devices and SOHO routers, the most widespread, most vulnerable devices, which are unlikely to be patched even once after installation.
Oh, and while we are on the subject of that catastrophe called the Internet of Things, which is also extremely hard to work with, do not forget how the Mirai botnet knocked out Dyn's DNS servers, taking down half the Internet for an entire day.
There are manuals and guides. The water is clean and refreshing. And yet the horses in your care and under your supervision simply refuse to drink. You can't just shoot them and send them to the slaughterhouse, so all you can do is wait and watch what happens. You wonder how you ended up in this situation at all, and think about changing your occupation. But then you realize that most professions have their own variants of the same situations.
Especially in the field of IT:
- Sysadmins, network administrators and the like constantly face a lack of investment in backups or infrastructure, but as long as the systems are working and bringing in profit, nobody cares. And even though the infrastructure brings in profit, IT is still seen as a "cost center". Management does not care. Everything is working now, and we will deal with the problems later.
- Programmers have to ship ugly, crappy hacks because not enough time was allocated to release a product the developers were even somewhat confident in, in terms of testing and QA. Management doesn't care; only the project deadline and the release of whatever shit the buyers will pay for matter.
This eternal short-sightedness and race to the bottom breed apathy and nihilism and feed burnout. Believe me, I have experienced it myself. The next time you come across an apathetic, nihilistic professional with a defeatist mood, think about what led him there.
You ask, why am I still here if I am burnt out? I managed to get through it. I realized that, regardless of what is going on around me, I am still a well-trained and capable specialist. The decisions other people make in response to a job I did well are not my fault. It still annoys me that people can be so criminally short-sighted (and that this short-sightedness affects my life), but I am learning to live with it.
I also began to realize that I have many things besides my profession. I have a family. Pets. Hobbies. Things to do. Places to visit. I need to use the time I have to do them. I no longer live to work; I work to live.
And although I have a reasonable need to keep up with the latest developments in technology and security, if I do not feel like going to a conference or trawling social networks, and would rather go to the movies or on a short trip with my wife, I can do that, and I should.
No one will remember or thank you for detecting a threat, reporting it, or patching it. When you are gone, no one will remember how cool your tools were or what a professional elite you belonged to. Only your friends and family will remember you and your exploits. You need to decide for yourself what matters most and what you really should spend your time on.
I devoted time to myself and my family, and as a result I came out of the burnout period with my own meaning of life. Over time, my enthusiasm for information security returned, but with a touch of understanding of how ridiculous it all is. Some people don't like that. But that does not mean you have to. It's just my way of dealing with stress, so you don't have to listen to me.
