It's time to tell clients the truth
The hackers-turned-activists known as LulzSec have impacted security – whether for good or bad is still to be seen. One of these impacts is proof that the security industry as a whole has failed.
LulzSec's victims were companies that did everything right, with firewalls, anti-virus, and everything else the cybersecurity industry has to offer.
“Security is the only industry where the customer is not always right.”
– David Maynor is co-founder and CTO of Errata Security
As an employee of many security firms (products, services, penetration testing), I have watched how marketing and sales pitches fail to address what hackers really do. Hackers like LulzSec use the simplest techniques to break in, yet vendors want to sell customers expensive products for abstract, complex or future threats.
This is the security industry's fault because we repeat what a customer wants to hear. No customer wants to hear that they have a problem that buying a product can't solve. No customer wants to hear that they have to make tradeoffs, such as cutting off employee (and executive) access to Facebook. What customers want to hear is that they can solve any problem by simply writing out a purchase order. And we in the security industry are all too happy to accept the purchase order for our devices, software and services.
I don't want my message to be lost in translation: Security is the only industry where the customer is not always right.
I am guilty of this. During a pen test, I have changed what I do in order to make my customers more comfortable, where “comfortable” means not having any results that might upset them. In my pen test reports, I invariably write at the top, “The overall security of the company is good,” whereas in the rest of the report I describe the many flaws showing security to be bad. I do this because my customers, the ones paying me money, insist on this so that the report does not frighten upper management.
In one engagement, I found a fatal flaw in the way all desktops and laptops were deployed in a 50,000-employee company. The security controls it had in place were fundamentally flawed. But the person responsible was promoted to CTO based on the perceived success of that deployment. Instead of admitting a problem and fixing it, the rules of testing were changed until the findings were no longer included in the report.
I protested at every step, but ultimately went along with the changes. To do otherwise would result in being labeled an uncooperative tester, or worse, being accused of unethical hacking.
During pen tests, I almost always hack the website using the SQL injection web app vulnerability. Yet, customers claim that it is not a problem because they use web app scanners and web app firewalls to protect themselves against SQL injection. We then have long meetings and discussions about how I could find vulnerabilities the scanners couldn't and how I could have bypassed the firewalls. The customer thought they had the problem solved – people's careers were made on solving the problem – and I am powerless to convince them that the problem actually isn't solved. Actually having broken in, just like a hacker would have, is not enough to convince them.

This need to satisfy customers shields them against the threats of the real world, like LulzSec. Vendors and customers are responsible. Until we as an industry start telling clients the hard truth, the industry will continue to fail. Until the clients of the security industry start realizing there is no easy answer, the industry will continue to fail.
My name is David Maynor. I'm a member of the cybersecurity industry. I don't know how to fix this, but I apologize for my contribution to this failure.
David Maynor is co-founder and CTO of Atlanta-based Errata Security. Rob Graham, the company's co-founder and CEO, contributed to this piece.