GETTING THE JOB DONE
Do ethics get in the way of security professionals?
The information security industry as a whole is enjoying its time in the spotlight with a raised profile in the boardroom as well as in the public eye – the pressures of keeping up with the fast pace of innovation and expectations of security can weigh heavily on security professionals. We took a look at how security
Section 1 - Executive summary
1.1 Introduction
Ethics and values are only meaningful when one can hold onto them at times when they are inconvenient to the individual. Whilst we believe the information security industry is largely made up of ethical individuals, they are subjected to a significant amount of pressure owing to the spotlight they find themselves under every time a breach occurs.
1.2 Key Findings
› Over half of security professionals utilize hacker forums or associate with black hats to keep abreast of the latest threats and technologies.
› Most believe the CISO (Chief Information Security Officer) should be ultimately accountable for a breach.
› Security breaches are used as leverage to increase security budgets.
› 20% of respondents have witnessed a company hide or cover up a breach.
1.3 Methodology and Scope
This report is based on the professional experience of the author (a former security consultant and industry analyst), in conjunction with a user survey conducted at the RSA USA conference 2015, gathered from 1107 responses. Secondary research was collected from security industry practitioner opinions. Demographic data of survey respondents was not collected; however, we feel that the number of respondents does allow for significant discussion. The participants were all attendees at the conference and were not prompted for their answers, nor was any clarification provided about the terms used or their definitions.
This report was written by Javvad Malik, Security Advocate, AlienVault. Any questions about the methodology should be addressed to him at [email protected].
Section 2 - A question of ethics
Ethics can be defined as a system of moral principles; more specifically, for a group of professionals, it can be recognized as rules of conduct. In many ways information security as a profession emerged from the hacking scene, which introduced new activities into the mainstream and subsequently led legal practitioners to create new laws and acts to distinguish which activities are acceptable.
The community itself has sought to self-regulate and, to a degree, to identify its members by loosely applying the tags of black, white or grey hat as a means of differentiating between the bad, the good and the questionable respectively, the difference between each being defined primarily by the intent of the actor and whether permission was obtained or sought. However, in recent years information security has risen to prominence across the globe. News sites are plastered with articles on breaches and attacks on an almost daily basis, ranging from distributed denial of service (DDoS), theft of credit cards, personally identifiable information (PII) or corporate intellectual property, all the way through to countries developing ‘cyber weapons’.
The good news for professionals is that all these factors combine to give information security a much higher profile and voice within an organization. The downside is that with additional profile come expectations and pressures. In an immature industry that still isn’t fully understood, that can mean corners need to be cut, such as bypassing change management procedures to fix issues or sharing administrative accounts. Do the ends justify the means? When a professional’s job and reputation are on the line, that question can become quite difficult to answer without a long list of caveats.
Section 3 - The Questions
Survey participants were asked:
1. Do you ever visit hacker forums or associate with black hats in order to learn about the security you need?
2. You’ve found a major vulnerability on a company’s system or website, do you:
a. Privately disclose to them
b. Publicly fully disclose
c. Publicly disclose without releasing details
d. Sell on the black market
e. Claim a bug bounty
f. Tell your friends
g. Do nothing
3. Who should take the fall when a company suffers a major breach?
a. CEO
b. CIO
c. CISO
d. VP of IT
e. Board of Directors
f. Auditors
4. TV’s, refrigerators and other internet connected devices
a. Are a violation of privacy and a disgrace to humanity
b. The next step in technological evolution
c. Need privacy regulation
d. Are ok if you have nothing to hide
e. Are not a concern for the security industry
5. Your company suffers a breach – what course of action is best
a. If nobody knows, just keep quiet
b. Tell the regulator, pay the fine and move on
c. Use the event to convince the board to give you the security budget you need
d. Go to the media and brag about how you “told them so”
6. When an auditor arrives in your area…
a. You are open, honest and co-operative
b. You are co-operative and polite, but try to steer them away from the bodies
c. They are wasting your time so you ignore them as much as possible
d. You throw them a bone and disclose a gap, and in exchange they leave you alone. A win-win!
Section 3.1 - Come to the Dark Side
Information security is a fast-moving field. Threats against companies are in a constant state of flux and adapt in response to the defences that are put up. As such, practitioners need access to relevant information. Visiting black hat forums, or associating with people engaged in activities that may not always be completely legal, can itself be questionable depending on where and how it is carried out. Although some companies and security memberships explicitly forbid such interactions, we found that over half of respondents relied on black hat sources to improve their security knowledge.
This raises some interesting points and merits further discussion. Anecdotal conversations and evidence support the view held by many professionals that until one understands the enemy and its objectives, adequate defences cannot be constructed.
It could also be inferred that support from within the security industry on emerging threats and attacks isn’t sufficient, or freely available, to professionals looking to access information in a timely manner.
Chart: Do you ever visit hacker forums or associate with black hats in order to learn about the security you need?
Yes: 51.9%
No: 48.1%
Section 3.2 - To Disclose or Not to Disclose, That is the Question
Vulnerability disclosure is a topic that has been getting its fair share of media attention in recent months. Google and Microsoft had a very public squabble when Google disclosed vulnerabilities prior to Microsoft releasing a fix.
Large companies may be able to trade barbs back and forth; it is a different story for many individuals. Whilst the majority of participants stated their first course of action would be to privately disclose a vulnerability to the affected company, history has shown that not all companies are quick to respond. In some cases the individual reporting the vulnerability has been threatened with legal action. Where legal action has not been an option, vendors or manufacturers have instead pressured conferences into cancelling talks.
10.7% of respondents would tell their friends (8.2%) or sell the details on the black market (2.5%), compared with just 5.5% opting to claim a bug bounty.
Perhaps a more startling observation is the 9.5% of respondents who would opt to do nothing upon finding a vulnerability. This suggests that these security professionals feel the process of disclosing a vulnerability is too arduous to complete. It raises the question of whether companies could be doing more to facilitate easier disclosure, or whether intermediaries such as bug bounty organizations could assist individuals in navigating the process even where a formal program does not exist.
The survey did not give the opportunity for multiple answers to be selected and many researchers we spoke to later stated that whilst private disclosure was the preferred route to take, if no action was seen to be taken within a certain time period they would take the vulnerability public.
Chart: You’ve found a major vulnerability on a company’s system or website, do you:
Privately disclose to them: 61.7%
Publicly fully disclose: 12.0%
Publicly disclose without releasing details: 9.8%
Sell on the black market: 2.5%
Claim a bug bounty: 5.5%
Tell your friends: 8.2%
Do nothing: 9.5%
Section 3.3 - The Fall Guy
A breach at a company often degenerates into a blame-game of who should be held accountable.
Security executives often bemoan the fact that their warnings are not heeded and that security is all about balancing risk.
Despite that, over a third of respondents (38.8%) believe the CISO should be the fall guy in the event of an incident. At around the 25% mark, the CEO, CIO and VP of IT were deemed roughly equally accountable.
Interestingly, 10% of respondents believe auditors should be held accountable. Although we didn’t specify the type of auditor, a number of people mentioned that QSAs (PCI Qualified Security Assessors) should be held accountable where breaches occur on systems within the scope of PCI DSS.
Chart: Who should take the fall when a company suffers a major data breach?
CEO: 23.9%
CIO: 26.4%
CISO: 38.8%
VP of IT: 23.9%
Board of Directors: 9.2%
Auditors: 10.2%
Section 3.4 - The Security of Internet Things
As more devices become connected, the internet of things (IoT) has been making headlines in recent months, with researchers keen to demonstrate vulnerabilities that exist in everything from home automation systems to refrigerators, cars, TVs and everything in between.
Most respondents felt that this was merely the next step in an ever-evolving technology landscape, but 36% believed that more regulation was needed to ensure the privacy of users. We’ve seen privacy take an increased focus within the security domain, so it is not surprising that many respondents felt increased regulation would help in implementing tighter controls.
On the other side of the spectrum, 11% are concerned about privacy to the point of believing that many products are in direct violation of individuals’ privacy and that regulation will be ineffective. Balancing out this view were the 9% who believed that invasion of privacy should only concern those with something to hide. The final 9% believed that the Internet of Things is not the concern of the security industry.
We kept the scope of the question somewhat narrow, primarily around privacy, as illustrated by recent issues concerning smart TVs and the like. However, some of the more pressing issues we’ll likely see around IoT devices will concern limitations such as the inability to deploy updates, the lack of monitoring capabilities, and ensuring adequate network segregation.
Chart: TV’s, refrigerators and other internet connected devices:
Are a violation of privacy and a disgrace to humanity: 11.3%
The next step in technological evolution: 44.0%
Need privacy regulation: 36.0%
Are ok if you have nothing to hide: 9.0%
Are not a concern for the security industry: 8.9%
Section 3.5 - We’ve been breached captain!
One of the commonly accepted mantras within the information security industry has become, “it’s not a matter of if you get breached, but when.”
However, knowing a breach may occur and knowing what to do in the aftermath of a breach are two very different things.
Two thirds of respondents would use a breach as an opportunity to convince the board or their executives to approve additional security budget, whilst a quarter would tell the regulator, pay the fine and move on, accepting it as a normal part of doing business.
This provides an interesting perspective on the mechanics of most organizations. Despite the raised profile of security, it still takes an incident to obtain budget and raise security’s standing. The inability of security professionals to communicate up the business chain is a well-discussed issue, and relying on breaches to gain visibility with the board shows that this is not changing anytime soon.
9% of respondents said they would keep quiet and not disclose any details of a breach, whilst 6.6% stated they would gladly brag to the media about how the security advice that could have prevented the breach was not listened to.
Chart: Your company suffers a breach - what course of action is best?
If nobody knows, just keep quiet: 9.0%
Tell the regulator, pay the fine and move on: 25.7%
Use the event to convince the board to give you the security budget you need: 66.8%
Go to the media and brag about how you ‘told them so’: 6.6%
Section 3.6 - The Auditor Cometh
Security professionals can at times have a love-hate relationship with auditors. Receiving a poor audit review could throw a monkey wrench into a security strategy. Although the majority of participants favoured an open, honest and co-operative approach with auditors, 20% did admit to trying to steer auditors away from any major gaps.
7% of respondents felt that all audits were a wasted effort and not worth investing any time in, and a further 7% would disclose a gap in the hope that the auditor then leaves them alone.
Some practitioners we spoke to stated that they viewed an audit report as a powerful tool in gaining approval for projects. One warned that a red (bad) audit doesn’t look good, as it implies the security team is ineffective, whereas a green (good) audit implies the security team is adequately funded and resourced. The trick, we were told, was to maintain fifty shades of amber, where executives would believe things weren’t bad but could certainly be improved.
Chart: When an auditor arrives in your area...
You are open, honest and cooperative: 68.2%
You are cooperative and polite, but try to steer them away from the bodies: 20.3%
They are wasting your time so you ignore them as much as possible: 7.3%
You throw them a bone and disclose a gap, and in exchange they leave you alone. A win-win!: 7.1%
Section 3.7 - A Game of Hide and Seek
Given the competitive nature of the technology world, the time and effort it can take to recover from a breach can be significant, particularly where sensitive data is involved.
Only 58% of respondents were confident that a company they had worked at had never covered up a breach; 22% were not sure and 20% claimed that they had been part of, or witnessed, a cover-up. On the surface, covering up a breach appears to be an inexcusable act. After all, customers, shareholders and partners are put at risk whenever a breach occurs. But on the other hand, under certain circumstances people can tend to make decisions that are not always the right ones, or make them without fully understanding the impact of their actions. After all, if a breach occurs in a forest and no-one is around to see it, did it really happen?
Chart: Have you worked at a company that has suffered a breach and hidden it?
Yes: 20.5%
No: 58.0%
I’m Not Sure: (not labelled in the chart; 22% per the text above)
Section 4 - Conclusions
Information security is still a comparatively immature industry that has been thrust to the forefront of many discussions at personal, corporate and governmental levels. This has led to many security professionals having to make up the playbook as they go along, as evidenced by inconsistent vulnerability disclosure practices and the ever-changing, complex legal path they have to navigate.
Burnout amongst security professionals has been discussed for some time within the community, as has the need to find a better work/life balance.
However, perhaps the most telling trend that emerges from between the lines is that enterprises of all sizes need to provide a better support framework for individuals with information security responsibilities, whether that is better access to training, networking opportunities with peers, or not looking for scapegoats when incidents occur.
Most organizations are coming round to the belief that, over a long enough timescale, a security incident or an exposure in their product is inevitable. Therefore, the culture should be one that accepts, fixes and moves on when they do occur. Otherwise security professionals will find themselves under ever more pressure to cut corners and bend rules in order to keep the show on the road.
About AlienVault
AlienVault’s mission is to enable organizations with limited resources to accelerate and simplify their ability to detect and respond to the growing landscape of cyber threats. Our Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility, and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by threat intelligence from AlienVault Labs and the AlienVault Open Threat Exchange—the world’s largest crowd-sourced threat intelligence network — AlienVault USM delivers a unified, simple and affordable solution for threat detection, incident response and compliance management. AlienVault is a privately held company headquartered in Silicon Valley and backed by Trident Capital, Kleiner Perkins Caufield & Byers, GGV Capital, Intel Capital, Sigma West, Adara Venture Partners, Top Tier Capital and Correlation Ventures.
AlienVault, Open Threat Exchange and Unified Security Management are trademarks of AlienVault. All other company and product names mentioned are used only for identification