CYBER FESTO

No Such Thing


Col Jessup: You want answers?!
LTJG Kaffee: I want the truth!
Col Jessup: You can't handle the truth!

We've been lying. There is no such thing as Security. There never was. There never will be. There is no sanctuary from risk. Security is an acceptable level of uncertainty we can live with for the time being. How secure are we? Considering the number of successful attacks suffered and the number of security solutions offered, not very. The most relied-upon method of Security is the oldest – security in numbers, playing the odds. Third party security solutions present a risk paradox – security solutions that solve security problems create more security risk. The devil's dictionary definition of Security is "a condition that exists when your cyberinsurance policy premiums are paid in full." Management views the security program pragmatically, as cost not revenue, as a team prepared to respond and recover from an incident they didn't prevent. Security does not "make the number go up." No amount of technology can guarantee security. Security is at best an informed opinion based on incomplete information, variables, unknowns. It is humans, not machines, practicing the various forms of security intelligence gathering and analysis, who improve our chances of Security. Hacking requires mostly imagination, curiosity, and determination, not a degree or a title or someone else's permission.

...

Security. Often promised, rarely achieved. 

Of all the technology professions, Security is probably the most poorly described, most poorly positioned to succeed, and the only one sabotaged by the unrealistic expectations of its own purpose.

If this concept, Security, is achievable, wouldn’t the sheer number and variety of threats be decreasing due to our efforts, not increasing in spite of them? If Security is a destination, the operations teams wouldn’t be suffering from permanent alert fatigue while trying to reach it. If Security is actually a thing, then surely one of the thousands of security vendors exhibiting at thousands of security conferences held each year would have conquered and eliminated all possible threats, permanently, as they’ve been promising for decades. 

Security. What it is depends on who is talking about it. 

Taught in an online curriculum, Security is a set of principles for protecting Confidentiality, Integrity, Availability (CIA) of data. Security the noun may be presented as a framework for managing identity and logical access – as in Authentication, Authorization, and Accounting (AAA). 

Security can also be approached from the perspective of domains. The Center for Information Security (CIS) specifies 18 domains, the Certified Information Systems Security Professional (CISSP) certification specifies eight domains, the Cloud Security Alliance (CSA) framework for devsecops specifies six domains, and the Cloud Security Maturity Model (SANS Institute) focuses on eight domains.

To lay persons, Security is often conveyed – with varying degrees of success – as pillars. The type and number of pillars conveyed depends on which regulatory compliance regime or governing body is doing the conveying. The Department of Defense (DoD) specifies three pillars – people, processes, and technology. The National Institute of Science and Technology (NIST) specifies six – govern, identify, protect, detect, respond, and recover. The governing body of public accountants (AICPA) specifies five – security, confidentiality, availability, file integrity, and privacy.

Meanwhile, inside the actual, visceral security trenches known as the SOC (Security Operations Center), principles, frameworks, domains, and pillars aren’t of much practical use. What matters to the SOC team is the array of colors on their security monitoring dashboard – primarily red, yellow, and green, but also orange, blue, and gray. The colors are the visual coping mechanism that drives the reality of the work, and the work is mainly about making the reds and yellows, the critical and urgent alerts, go away.

In 1962, before the term security became intertwined with the term Internet, Arnold Wolfers, a US national security specialist, wrote that "Security, in an objective sense, measures the absence of threats to acquired value, in a subjective sense, the absence of fear that such values will be attacked."

This pre-Internet definition stands the test of time, with two caveats. Today’s yardstick for measuring objective and subjective security risk is the persistent, pervasive presence, not absence, of threats and fears. The other difference is that the risks no longer stand still long enough to be overcome. Security risk mutates, transforms into new forms before we can address the previous form.

How secure are we? The answer is a pendulum swinging between a sense of well being and a sense of impending doom, between What, me worry? and crushing anxiety. The honest answer is, It depends.

It depends on what we know and what we don’t know, on what is under and what is outside our control, on what is happening now and on what comes next. For all we know, a critical admin account may be compromised, and sensitive data may be exfiltrated. Bad actors may be inside the network, moving laterally or just listening and waiting. 

Another honest answer is that security solutions often aren’t. Just as firewalls may be known as fireholes, security solutions may also be known as security problems. Technical solutions that successfully solve technical problems also create new exposures and risks – et voilà! – new problems to solve.

Security solutioning presents a risk paradox. When we add another vendor to the security tech stack to treat a specific risk, we also add to the third-party risk surface, and raise the likelihood of a third-party data breach outside our immediate control. We invite the risk of interoperability issues with other security systems, and the risk of security technical debt and obsolescence.

In 2019, a widely used network monitoring and management application, Solarwinds, disclosed that their software had for many months been delivering malicious code to customers' networking and security systems, via regular software updates. The hackers responsible for the attack were able to spy on Solarwinds' global customer base, undetected, targeting US government agencies and major tech firms for secondary attacks.

Our security technology stack is part of the supply-chain risk problem we're trying to solve. No matter how much security solutioning we spin up – in the form of endpoint monitoring, vulnerability scanning, anti-virus software, threat intelligence, threat modeling, packet analysis, code analysis, perimeter security, and much more – our adversaries are just as dedicated to proving they can make the solutions work against us.

The oldest form of security is security in numbers, the dubious achievement of not being faster than the bear, just faster than the person the bear is about to devour. Winning at security in numbers is about doing the basic stuff like timely system patching and timely user account terminations. Other people's lack of basic security is a risk advantage that the relatively secure can rely on. Companies with poor cyber hygiene are five times more likely to suffer a data breach. Companies without a consistent security awareness training program are 40 percent more likely to suffer a high-impact business email compromise. People who use two-step authentication to secure their online accounts are 99 percent less likely to suffer an account breach.

So let us be thankful for the highly risk-tolerant in our midst – they allow us to avoid the bear. In their reckless and unaware way, the individuals and corporations and governments who store their passwords in the clear, share login credentials, don't back up their data, naively approve fraudulent requests to reroute wire transfers, repeatedly click on weaponized email links – these insecure souls keep the rest of us out of harm’s immediate path.

If there is such a thing as a silver bullet for security risk, it's not the security program, it's the cybersecurity insurance premiums, paid in full. Imagine a catastrophic security event where customer data is breached and available on the dark web, or systems are hijacked and offline, held for ransom, or both at once. The heroic initial incident triage by the first responders, and the all-hands-on-deck recovery and restore efforts of the Computer Security Incident Response Team (CSIRT), decide when systems can be restored, and data recovered, and business operations resumed. Kudos to the first responders and the CSIRT team. But when system accounts are hijacked, and data encrypted and held for ransom, then the true silver bullet is the terms of the business interruption and privacy liability coverage in our cyberinsurance premiums.

It's the Certificate of Insurance that will keep people paid and the business running. 

However we want to define and envision Security as a mission, it can't prevent worst case scenarios from happening. To date no security team has been able to go back in time and prevent a successful ransomware attack that occurred last Tuesday.

How does management view security? That’s what really matters. The answer is, management views security pragmatically. Management supports the security program verbally, as long as it’s not inconvenient to the main objective, which is profit, not security. In those occasional times when a security incident needs to be disclosed, management becomes highly and briefly focused on funding the security program.

Under normal conditions, when no security incidents are in progress, management suspects that Security is a problem that should have already been solved, a cost center not a profit center. Off the record, management will express disappointment that the so-called Security team hasn't achieved the state of imperviousness to risk that management expected to see years ago, while grudgingly approving the bill for renewing the Security Information and Event Management (SIEM) system that keeps all those security people running after alerts.

...

The word “team” is easily imagined: people working together to solve problems. The Accounting team is paying invoices and billing customers. The Engineering team is developing, testing, and releasing software. The HR team is recruiting, hiring, and training employees. The desktop support team is assisting users with software and hardware issues. The network team is managing switches and firewalls. It's easy to imagine all these teams providing something tangible. 

When management imagines the Security team at work, they see fog. They see people wearing cyberhoodies doing some kind of IT, not sure what. 

Let’s be real. Your security program probably doesn’t:

  • Develop, integrate, test, release product 
  • Generate leads and close deals 
  • Develop strategic partnerships and alliances
  • Settle lawsuits, complete Mergers and Acquisitions
  • Roll out a new human resources or customer relationship management system
  • Migrate on-premise enterprise applications and workloads to the cloud
  • Make sure payroll is met and vendors paid
  • Relocate offices

Unfortunately for the long-term viability of the Security program in the organization, maintaining a strong defensive posture that allows us to react well, and detective capabilities that allow us to anticipate well, does not add value to the bottom line. To the board and investors, what the Security team delivers is mostly abstract, vague.

Security does not “make the number go up.” 

When there’s an actual breach, management is often disappointed that the security team can’t just hit Ctrl-Z, the Undo feature that puts everything back to the way it was. Isn’t that the point of all the security apparatus the company is paying for?

The supply chain attack that the security operations team sidestepped with its timely patching potentially saved the company millions of dollars and untold reputational damage… potentially. Avoiding negative consequences is a theoretical, not a real return on investment. Negative consequences avoided, risks averted, bullets dodged, can’t be taken to the bank. 

What customers, clients, and the board of directors really want is certainty. All we can give them instead is an acceptable level of uncertainty that we can live with for the time being.

Not only do the targets move too fast for certainty, there is also the problem of too many targets – user accounts, data stores, supply chains, data centers, firewalls, switches, servers, software, and so much patching patching patching, and more patching, and the magnetic lock on the office front door that keeps sticking open. We can patch servers to block a known exploit in the virtual desktop environment, but we can’t guarantee that any server is 100 percent safe from exploitation going forward.

Digitally, we live and work in a state of perpetual suspicion about data security and confidentiality, the result of decades of security breaches and increasingly sophisticated attacks, and of personal experience.

In this environment of persistent distrust, the starting point for third party business relationships has become interrogation. An acceptable response to the "how secure are you?" question has to come from a qualified third party, not from us. Customers and partners demand the assurance of a security audit report by a CPA firm, or a network penetration test report by a white hat security firm.

How secure are you going to be? Customers want proof that the Security program exists and is governed well. Are there humans accountable for prioritizing and managing security risks? Is there a discernible program strategy, tactically sound, guiding security operations? Promises and best intentions don't count; a completed 300-question security questionnaire and accompanying due diligence in the form of policies and audit reports does.

Our secureness lies in the eyes of the beholders, the assessors and auditors examining the business artifacts of our IT security program: those third parties challenging us to prove we follow our change management, logical access management, user management, and device management policies and processes over time.

...

There is no such thing as security, but there is security research, aka hacking.

Hacking has always been useful. Nation states, warring factions, business competitors, professional baseball teams – all hackers by nature.

Reasons for hacking vary, depending on objectives:

  • Benign investigation – for instance, a graduate student at Carnegie Mellon pursuing a master's degree in Information Security
  • Active defense and protection – for instance, the security operations center protecting a health care firm
  • Criminal activity and chaos – for instance, a Russian cybercrime corporation orchestrating ransomware attacks and influencing election outcomes in other countries. Or an American government operation eliminating

It doesn't matter which hat a hacker wears – black, grey, or white – or if they change hats later. The methods remain the same. Whether the motivation is ethical, quasi-ethical, or unethical, it requires intelligence gathering, or intel – open source intel (OSINT), closed-source intel (CSINT), human intel (HUMINT), signals intel (SIGINT), image intel (IMINT), or any other "INT".

The modern concept of hacking goes back at least to the 1960s, and unauthorized access of mainframe computers to disrupt networks and conduct industrial espionage. The concept of a hacking counter-culture goes back at least to "phone phreaking" in the 1970s, and phreakers exploiting vulnerabilities in analog telephone company systems for fun. Among other accomplishments, the notorious phreaker Kevin Mitnick wiretapped and monitored his FBI pursuers (Ghost on the Wire, 2011). The concept of an on-line hacking community goes back at least to the 1980s, and dial-up modems, and Bulletin Board Systems (BBSs) dedicated to security and technology topics. Bulletin boards were the original social network for hacker knowledge sharing and collaboration.

Hacking has always paralleled what we refer to as security, has always driven the innovation on display at security trade shows.

There are many "hacker bibles," beginning with 2600: The Hacker Quarterly, in continuous publication since 1984. 2600's longevity is a reminder that security research doesn't require a college degree or someone else's permission. It doesn't require a title or a company badge. It doesn't require an altruistic purpose. It only requires basic computer skills, imagination, curiosity, and desire to understand more. The last page of 2600 includes a list of in-person Hacker meetings across the US and around the globe.

...

CYBER FESTO | copyright Doug Meier, All Rights Reserved, 2026