Security, turns out it’s hard
Spoilers: because people
I read a post by a physical security guy about what he learned from interacting with information security people at a conference. You should read it because it is good. And also because, like me, you’ll probably be going “wait, what? They have red teaming? Huh. They have threat landscapes?? Whaaat! They also use intelligence in an attempt to be proactive? They think our job is a science?!?!” It’s great.
Why I gathered you here today
You’re probably wondering why I am so excited that I read a thing on the Internet. I’ll tell you why. It is because I think that post strikes at the heart of something that we’re only realising too damn slowly – security is the human factor. Just like there is no perimeter, information security doesn’t end at the terminal, it includes the user and the real world.
This is something we all know, but that our frameworks and thinking don’t usually take into account. How many people doing infosec were interested in kompromat and disinformation before 2016? Far fewer than are now.
In physical security they have the concept of “left of bang” (acting before the bad thing happens), and in information security, to be perfectly honest, we’re mostly trying to figure out ways to tell if a bad thing has happened. Yet. We can probably learn a lot from those other security fields, and maybe they can learn…how to get free wifi at hotels..? ¯\_(ツ)_/¯
There is a historical reason we got split off from the physical world. Partially because that is where the horrible day star hangs out and we hates it. But also because of some silly budgetary squabble in the 90s. No, seriously.
Story time. The CIA steals secrets, mostly through something called “HUMINT.” When computers came along, the CIA figured that they should be in charge of stealing secrets from computers because that is literally what they do. The stealing of the secrets. For CIA, computers were just “secrets in some new packaging.”
The NSA reads other people’s messages (massive over simplification), mostly through a thing called “SIGINT.” When computers came along and started replacing radio with digital, well, for NSA this was obvious. NSA should be in charge of reading messages from computers because that is what they do. They read other people’s messages. For NSA, computers were just “other people’s messages in some new packaging.”
There is an extremely fascinating bureaucratic knife fight that happened over this but the long and the short of it is, NSA won. (By cheating and dirty tricks – the swine! – in my totally fair and unbiased opinion #TeamHUMINT!) CIA still steals secrets from computers, but mostly it’s an NSA thing.
Here’s where we, as an industry, got things so very very wrong. Instead of realising that they are both right, we just kinda replicated the NSA thinking on computers. And our industry has been suffering from it ever since. We never thought that much about the human factor except that it is impossible to keep them from clicking on things in emails.
Security is about people, not computers.
Anyway, my point is this. Both CIA and NSA are correct (and KGB, but let’s not confuse things too much.) Security needs to understand and deal with the human factor, regardless of how people stick their soft vulnerable bits into terrifying threat landscapes. We’re supposed to protect them.