How often in your career do you have to deal with an answer being directly in front of you, or the client you are working for, but they just won’t do what it is you’re recommending?
Now, I’m not saying that other professions (technical or otherwise) don’t have this problem, but it is really common in information security. Let me introduce you to some scenarios to see if you find yourself nodding, saying “Yup, I been there.”
You’re a SOC (security operations center) analyst for Bigname McBigCorp. Your job is running vulnerability scanners and verifying that high-risk vulnerabilities get remediated across the enterprise, but especially for internet-facing systems. Your scanners notify you of a critical vulnerability in a common web application platform that could easily result in that box getting owned. As in, RCE (Remote Code Execution). As in, POC (proof of concept) exploit code exists for said vulnerability. You present your findings, you make a plan to patch, you push your plan forward at the change control meeting, aaaaaaaand denied.
Nope, denied. Upgrading the web application platform requires rebuilding the application, requires testing, requires doing a bunch of work, and no thanks. We’ll handle it later. Do we have anything in place to ensure that we can spot this type of attack in the wild? You don’t have access to any NSM countermeasures to know whether or not signatures exist to block, or at least DETECT it, and you don’t have the ability to install host-based security solutions on the affected server(s). Oh well, you’re sure that since you notified your boss of the issue, somebody in the appropriate group has something in place to catch this. It’d be an utter shit-show if one of our boxes got popped and this vulnerability was the initial access, discovered months later. So you keep the messages and emails that show you mentioned the vulnerability and hold on to them as CYA (Cover Your Ass) material. Good thing you did, because Bigname McBigCorp got owned pretty handily and it turns out the vuln you raised a stink about was the initial access. Not only that, when the CEO got grilled on how this was allowed to happen, he threw the IT security team under the bus.
You’re a penetration tester working for Slow-6, a professional security organization that offers security assessments, or “penetration tests,” among other services. You have taken a week-long gig with a large customer. You got shells. Man, did you get shells. Your report at the end of the assessment feels about as thick as a tome. The company’s CISO and GRC personnel ask you to hurry in producing the report.
Normally, people aren’t in a hurry to hear bad news from the pentester, so, pressing your luck, you ask “What is the hurry?” Maybe they have an upcoming audit, and they need to ensure they’re in compliance with whatever rules govern their vertical on data security. Maybe they want to squeeze some staff or gear out of the security budget before the end of the quarter or fiscal year. Any of these would have been acceptable. Instead, you got the answer “We need your report so that we can sign off on it and assume the risks.” Meaning you just spent your time writing up a professional report (something the OSCP, the “gold standard” of penetration testing certifications, grills you on very hard in order to pass, mind you) for fuck-all nothing. Nobody is going to read it, nobody is going to learn anything from it, and if you come back, you’re likely going to find the same weaknesses.
“Doesn’t matter”, they say.
Everything is running fine, and we’re not going to rock the boat. Give us the report, collect your pay, and move on. More than a little demoralized, you do as they say, as your NDA bars you from ‘naming and shaming’ the company that treats significant risks with such brazen contempt.
An organization is sent an e-mail. The email states that hackers have stolen PII (Personally Identifiable Information) and that they’re going to dump it publicly unless their ransom of some ungodly amount of money is paid.
They attached screenshots of information pulled from several large databases as proof of their deeds. Your investigation into this incident confirms that this is a thing that happened, but you don’t know how they got in yet.
The company doesn’t care. “Pay the ransom. Nobody is to know about this. If anyone asks about paying it out, say that it was the result of a bug bounty.” You know that this is wrong, both morally and ethically, but you’re not about to stick your neck out and lose your job over their bad decisions. After all, if the CISSP has taught you anything, it’s that management is responsible for poor decisions.
These situations (and so many more) lead to information security professionals feeling dejected and defeated. What happens to someone when they feel like their work means nothing? Like they’re just going to face more of the same bullshit day after day? Week after week? Month after month? You start to become apathetic. What was once your passion and something you were dedicated to, body and soul, turns into a 9 to 5 gig that you merely exist at in order to pay the bills.
You no longer feel the drive and passion you used to. You don’t want to learn about new tech, new techniques, new methods, or new tradecraft, because why bother? No corporation wants to bother with actually bettering their security posture, so why bother with the passion to learn more and keep up with the latest? You don’t want to go to trade conferences anymore because you feel like it’s an echo chamber where we’re constantly being told to do better and how these mega breaches were so easily preventable, when we already fucking knew that.
So you don’t care anymore. You don’t put in your 100% anymore. You sincerely doubt the worth of information security practices. After all, we’ve been parroting the same 20 security controls for decades, and we can’t even get past patch and asset management, some of the most important and foundational concepts for good security — What is actually in your environment, and has it been kept up to date?
The OWASP top 10 has been around since at least 2010, and we still see sqli (SQL injection) and command injection vulnerabilities EVERYWHERE, especially in IoT devices and SOHO routers, the most widely deployed, vulnerable devices that are the least likely to ever be patched again once deployed.
Oh, and while we’re talking about the absolute dumpster fire that is IoT, here’s a reminder that the Mirai botnet took down Dyn’s DNS servers and killed half the internet for a day last year.
The guidance is out there. The water is clean and plentiful. And yet, the horses under your care and guidance refuse to drink. You can’t shoot them and ship them off to the glue factory, so all you can do is watch and wait. You wonder how you got into this situation, and if maybe a career change might be a good idea, but then you realize that most professions experience variations of the same thing. Especially information technology professions:
IT/Sysadmin/Netadmin: not enough investment into backups or infrastructure, but they don’t care so long as it runs and results in profits. Also, in spite of the infrastructure providing revenue, IT is still seen as a “cost center”. Management doesn’t care. It’s running now; that’s a problem we can deal with later.
Dev/Programmer: Having to implement ugly, shitty hacks all the time, because your project isn’t being given enough time to actually ship a product that you can be relatively confident in, from a testing and QA standpoint. Management doesn’t care. Only the project timeline and shipping shit that customers will buy matters. (See also — that other article I wrote about “Rick”, and how power players are left to rot.)
This constant race to the bottom and shortsightedness is what breeds apathy and nihilism. It is the fuel that fosters burnouts. Trust me, I speak from experience. So the next time you ask a professional to stop being so defeatist/apathetic/nihilistic about security, stop and think about what brought them there in the first place.
You may be asking, if I have experience with burnout, then why am I still here? I managed to come back from the brink. I realized that no matter what happens to the horses, I am still a well-trained and capable professional. The decisions that other people made in response to the good and professional work I have done are not my fault. It still irks me that people can be so criminally shortsighted (and that their short-sightedness can affect my life), but I’m learning to live with it.
I also came to realize that I am more than my profession. I have a family. Pets. Hobbies. Things to do. Places I want to see. And only so much time left on this earth to do it. I don’t live to work anymore, I work to live.
And while I have a reasonable responsibility to keep up on the latest happenings in technology and security, if I don’t want to go to a conference, or I want to take a break from social media to go to the movies or take a small vacation with my wife, I can, and I should do that.
Nobody is going to remember you or thank you for finding, reporting and/or patching that vulnerability. Nobody will remember how awesome your tools are, or how leet your 0days are, after you’re dead. Your friends, family, and loved ones will be the ones to remember you and your exploits (no pun intended). It’s up to you to figure out what matters to you and what is worth dedicating time to.
I took time for myself and my family, and in so doing, came out of burnout with more to live for. In time, my enthusiasm for information security returned, but tinged with pointing out how utterly ridiculous it all is (e.g. shitposting). Some people don’t like that. You don’t have to. This is how I’m coping, and you’re more than welcome to not listen to me.
Edit: I would like to thank “hacks4pancakes” for sharing her list of information security topics. I was inspired by that list to write about this topic.