
What to do with "nihilists in information security"
- Translation

How often in your work do you run into a situation where the answer is lying on the surface, right in front of you or your clients, yet they simply will not do what you recommend? You can give recommendations on fixing vulnerabilities, but you cannot force anyone to follow them. Of course, this problem exists in other professions too (technical and otherwise), but in information security it is especially common. Let me tell you a few stories in which you will certainly recognize yourself.
You are an analyst at the security monitoring center of a Well-Known Corporation. Your job is to run vulnerability scans and make sure that high-risk vulnerabilities are eliminated throughout the organization, especially on Internet-facing systems. Your scanners find, in a popular web application platform, a critical vulnerability that could give an attacker access to mailboxes: remote code execution, for example, or a flaw for which an exploit already exists. You present your findings, plan the patch installation, try to take the initiative at the change control meeting ... and achieve nothing.

Your proposal has been declined. Upgrading the platform requires reworking the application, testing, a lot of work, so no, thanks. We will deal with it later. Do we have anything that can help us detect such an attack? No, you have no access to any countermeasures that would let you find out whether there are signatures to block or at least DETECT this attack. There is also no way to install any host-based detection tools on the affected servers. Are you even sure that if you report this to management, there is someone who can do anything about it? It will be a real scandal if one of your mailboxes gets hacked and, months later, this vulnerability turns out to have been the initial access. So you save the messages and letters in which you mentioned the vulnerability, to use later as CYA material (covering your ass). It is good that you did, because the Well-Known Corporation gets hacked easily enough, and the vulnerability you made all the noise about really does turn out to be the initial access. On top of that, when the CEO is held to account for allowing this, he shifts all responsibility for the incident onto the information security staff.

You are a pentester at a company that provides security assessment and penetration testing services. You have been working with a major client for a week now. You were ready to work hard. Oh, how ready you were. At the end of the engagement, your report is as thick as a great novel. The head of information security and the risk managers ask you to hurry up with the report. Usually people hurry the pentester because they do not want to hear bad news. So, trusting your luck, you ask: "What is the rush?" Perhaps they are preparing for an upcoming audit and need to make sure that they comply with all the prescribed data protection rules. Perhaps they want to cut part of the staff or the security budget at the end of the fiscal quarter. Either of those would be acceptable. Instead you get the answer: "We need the report so we can sign off on it and accept all the risks." This means that you just spent your time on a professional report (OSCP certified, the gold standard for pentesting, which, mind you, is very difficult to pass) for nothing. No one is going to read it, no one will learn anything from it, and when you come back after a while you will find all the same shortcomings.

Of all the available options, Do Nothing was selected. "It's okay," they said. Everything is working fine, so we are not going to rock the boat. Hand over the report, take your money and move on. In a somewhat demoralized state, to put it mildly, you do as you are told. Your non-disclosure agreement prohibits you from naming and shaming a company that accepts such risks with such indifference.
Soon the company receives a letter stating that hackers have taken possession of personal data and are going to leak it if they do not receive a ransom of an outrageous amount of money. As evidence, they attach screenshots of data from several large databases. Your investigation shows that the incident really happened, but you still do not understand how they pulled it off.
The company does not care. "Pay them off. No one must know about this. If anyone asks, say it was part of your bug bounty program." You understand that this is not ethical, but you are not going to go out of your way to lose your job over their mistakes. In the end, if the CISSP certification taught you anything, it is that responsibility for bad decisions rests with management.

A bit like Shadowrun, right? Such situations (and many others) lead information security specialists to feel oppressed and depressed. What happens when a person feels that his work means nothing? When he has to face the same nonsense every day? Week after week, month after month? He sinks into apathy. The work that was once his passion, to which he gave himself body and soul, turns into a 9-to-6 grind needed only to pay the bills.
You no longer feel that drive and dedication. You are no longer interested in learning new technologies, techniques and methods, or in building new skills; what is the point? No corporation wants to bother with improving its defenses, so why bother with training? You do not want to attend conferences anymore, because they seem like an echo chamber to you, with constant talk about improvements and about how easily all of these breaches could have been prevented when, damn it, we already knew all of this.

This is called burnout. From now on you do not care. You are no longer giving 100%. You seriously doubt the value of information security techniques. After all, we have been parroting the same 20 security controls for decades. We cannot even get patch and asset management right, the fundamental and most important things for security. What is actually in your infrastructure, and how regularly is it updated?
The OWASP Top 10 has existed since at least 2010, and we continue to see SQLi (SQL injection) and command injection vulnerabilities EVERYWHERE, especially in Internet of Things devices and SOHO routers, the most widespread and vulnerable devices, which are unlikely to be patched even once after installation.
Oh, and while we are talking about a catastrophe like the Internet of Things, which is also insanely difficult to work with, do not forget how the Mirai botnet took down Dyn's DNS servers, thereby killing half of the Internet for a whole day.
There are instructions and guidelines. The water is clean and refreshing. But, nevertheless, the horses under your care and supervision simply refuse to drink. You cannot just shoot them and send them to the slaughterhouse, so all you can do is wait and watch. You wonder how you ended up in this situation, and you think about changing your occupation. But then you realize that in most professions you may run into variations of the same situations.
Especially in the field of IT:
- Sysadmins, network administrators and others often face a lack of investment in backups or infrastructure, but while the systems work and make a profit, nobody cares. In addition, even though the infrastructure is what makes the profit, IT is still regarded as a "cost item". Management does not give a damn. Everything works now; we will deal with problems later.
- Programmers have to implement ugly, crappy hacks because there was not enough time to release a product in which the developers were at least relatively confident in terms of testing and QA. Management does not care; only the project deadlines and the release of whatever crap buyers will pay for matter.
This eternal myopia and race to the bottom give rise to apathy and nihilism, which feed burnout. Believe me, I know this from my own experience. The next time you come across an apathetic professional nihilist with a defeatist attitude, think about what led him there.
You may ask why I am still here if I burned out. I managed to survive it. I realized that, regardless of what is happening, I still remain a well-trained and capable specialist. The decisions other people make in response to my job well done are not my fault. It still annoys me that people can be so criminally short-sighted (and that this short-sightedness affects my life), but I am learning to live with it.
I also began to realize that I have many things in my life besides my profession. I have a family. Pets. Hobbies. Things to do. Places I would like to visit. I need to use the time I have left for them. I no longer live to work; I work to live.
And although I have a reasonable need to keep abreast of the latest developments in technology and security, if I do not want to go to a conference or scroll through social media, but want to go to the cinema or take a short trip with my wife, I can do that, and I should.
No one will remember you or thank you for detecting a threat, reporting it, or patching it. When you are gone, no one will remember how cool your tools were or how elite a professional you were. Only your friends and family will remember you and your exploits. You need to decide what matters most to you and what is really worth devoting your time to.
I devoted time to myself and my family, and that is how I found my way out of the burnout period. Over time, my enthusiasm for information security returned, but with a touch of understanding of how ridiculous it all is. Some people do not like that. But that does not mean you have to. It is just my way of dealing with stress, so do not take my word for it.
