Playing the blame game in Information Security
Haven’t been on the train lately, so this is a bit old, but Chris Gates (@carnal0wnage) and Richard Bejtlich (@TaoSecurity) started an interesting discussion in the comments section of one of Richard’s postings about who is to blame when a security incident occurs. Richard was talking about SHODAN, the new AI being deployed to the TriOptimum Corporation’s new Citadel space station… er… No… Wait.. Wrong SHODAN… The spiffy little searchable database that was recently put up containing port scans and banners of various computers across the Internet. While discussing the morality of such a database, Chris made an interesting statement:
Again we take the responsibility of securing devices and systems away from the responsible party (the admins and owners) and blame the bad guys with the “think of the children” argument.
Why don’t we start blaming the jackasses for allowing themselves to be hacked and not the bad guys who do it. Can you really blame the guy that steals the “whatever” out of the unlocked car? Really?
This easily carries over into the cyber war arena. Let’s stop pointing our fingers at the guys breaking in and instead point our fingers at the organization who allowed it to happen.
Wow. I understand where Chris is coming from. When a breach occurs, it’s often followed up by incident handlers like Chris or myself looking at the server and muttering “What in God’s name were they thinking?” As someone who, for the increasingly rare insightful commentary, still listens to Off The Hook on my iPod every week, I hear statements similar to Chris’s a lot. Every time some company gets attacked and releases a statement “Teh H@x0rz did it!” the hosts rail on the company and blame it for having insecure computers in the first place.
It doesn’t matter if the admin decided to toss Windows 2000 without any service packs onto the Internet. Yes, he or she was stupid, probably violated about twenty different policies, and should be given fifty lashings with a wet noodle. There still would not have been an issue if the silly script kiddie from Eastern Estonia hadn’t compromised the box.
Another interesting thing about the “Blame the Admins!” advocates was that they seemed to be guilty of the same thing the admins were: they were blaming someone else. The admins blame the attacker while the security guy blames the admin. When someone gets compromised at my job, I’ve failed as the security person. It’s partially my fault.
- Why didn’t I notice traffic going to that computer?
- How did I not notice when that computer went online?
- What didn’t I do to make sure that computer was part of the patch cycle, AV, IPS/IDS, etc.?
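The three questions above are, in practice, an asset-reconciliation problem: did a host show up on the wire that nobody in security knew about, and is every host we do know about actually inside the patch, AV and IDS coverage we assume it is? The script below is an added example (not code from the original post, and not any particular product’s logic) that answers both questions from a constructed sample of dhcpd-style DHCPACK lease lines checked against a constructed asset inventory keyed by MAC address. The log format, the inventory fields and all addresses and hostnames are assumptions made for illustration.

```python
"""Reconcile hosts seen on the network against the asset inventory.

Added example, not part of the original post. The DHCP lease lines,
the inventory records and the coverage fields (patch cycle, AV, IDS)
are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of syslog-style dhcpd DHCPACK lines (format assumed).
DHCP_LOG = """\
Mar  3 09:12:01 dhcp dhcpd: DHCPACK on 10.0.5.20 to 00:1a:2b:3c:4d:5e (webprod01) via eth0
Mar  3 09:13:44 dhcp dhcpd: DHCPACK on 10.0.5.77 to 00:1a:2b:3c:4d:99 (testbox) via eth0
Mar  3 09:15:10 dhcp dhcpd: DHCPACK on 10.0.5.31 to 00:1a:2b:3c:4d:aa (fileserv) via eth0
Mar  3 09:16:02 dhcp dhcpd: DHCPACK on 10.0.5.20 to 00:1a:2b:3c:4d:5e (webprod01) via eth0
"""

# DHCPACK on <ip> to <mac> (<hostname>)  -- hostname is optional in dhcpd output
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass
class Asset:
    """One inventory record and the security controls it is enrolled in."""
    hostname: str
    in_patch_cycle: bool = False
    has_av: bool = False
    ids_monitored: bool = False

    def coverage_gaps(self) -> list[str]:
        """Names of the controls this asset is missing, in a fixed order."""
        gaps = []
        if not self.in_patch_cycle:
            gaps.append("patch")
        if not self.has_av:
            gaps.append("av")
        if not self.ids_monitored:
            gaps.append("ids")
        return gaps


# Constructed inventory, keyed by MAC. 'testbox' is deliberately absent:
# it is the box that "went online" without security knowing.
INVENTORY: dict[str, Asset] = {
    "00:1a:2b:3c:4d:5e": Asset("webprod01", True, True, True),
    "00:1a:2b:3c:4d:aa": Asset("fileserv", True, False, True),
}


def parse_leases(log_text: str) -> dict[str, tuple[str, str]]:
    """Return {mac: (ip, hostname)} for every DHCPACK in the log.

    A MAC that acknowledges more than once keeps its latest lease.
    """
    seen: dict[str, tuple[str, str]] = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[m["mac"]] = (m["ip"], m["host"] or "")
    return seen


def reconcile(seen: dict[str, tuple[str, str]],
              inventory: dict[str, Asset]) -> tuple[dict, dict]:
    """Split observed hosts into unknowns and known-but-uncovered.

    unknown:   {mac: (ip, hostname)} on the wire but not in the inventory
    uncovered: {mac: [missing controls]} in the inventory but outside
               at least one of patch cycle / AV / IDS
    """
    unknown: dict[str, tuple[str, str]] = {}
    uncovered: dict[str, list[str]] = {}
    for mac, (ip, host) in seen.items():
        asset = inventory.get(mac)
        if asset is None:
            unknown[mac] = (ip, host)
        elif asset.coverage_gaps():
            uncovered[mac] = asset.coverage_gaps()
    return unknown, uncovered


if __name__ == "__main__":
    unknown, uncovered = reconcile(parse_leases(DHCP_LOG), INVENTORY)
    for mac, (ip, host) in unknown.items():
        print(f"UNKNOWN HOST  {ip:<12} {mac} {host}")
    for mac, gaps in uncovered.items():
        print(f"NOT COVERED   {INVENTORY[mac].hostname:<12} {mac} missing: {', '.join(gaps)}")
```

Run daily against the real lease or ARP log and the real inventory, the two result sets are exactly the two lists the author wishes he had seen before the incident: the machine nobody told security about, and the machine everybody assumed was patched and scanned. Keying on MAC rather than IP is deliberate, since DHCP addresses move around while the hardware address is what the inventory usually records.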
We can make excuses all day, blame the admins, blame our tools, blame the lack of support from business owners; the real question is whether we are man, or woman, enough to say that the buck stops with us and that we missed something along the way. Do we fall back into our regular routine after the crisis passes, or do we take steps to ensure that we aren’t caught with our pants down again?
While I am not saying the admins or the maintainers of the data are completely blameless during an incident, I think Chris’s and OTH’s statements reveal a very scary shift in thinking regarding InfoSec. We are essentially saying that we’ve lost not only the battle but the war, and that we are being overrun. We’re admitting that we can no longer protect endpoints and that it’s a crap shoot if you go out onto the network. But don’t blame us if you get compromised; it’s your own damn fault.