The ‘Compliance Only / CISSP / Minimum Viable Product / HR firewall’ infosec trapezoid of fuck

trapezoid-of-fuck

Yesterday (thurs, 3/24/16) I went on a tirade on twitter, regarding an experience I had in San Francisco during RSA week, while at a vendor party. I’ll let that whole conversation stand on it’s own, it’s over —-> here.

It spurred a TON of questions, comments, and tangential conversations, as well as the typical “I want to get into infosec and I thought the CISSP was the way to do it”.

Well, everything is sort of connected. But let me build some momentum here by starting with a few ‘sayings’ or ‘talking points’:

  • You will never succeed in a system thats DESIGNED to make you fail, in favor of perpetuating itself and the status quo.
  • You will never change a system from the inside, since they’re typically designed to withstand SPECIFICALLY change from the inside. “It worked last year, we’re not changing anything”.
  • If you want to be a hacker, and you have to ask “oh please sir, tell me how to become a hacker”, you’re never going to become a hacker. Hackers TYPICALLY are the people that analyze a thing, find a problem, and then exploit the problem. By asking, you’re demonstrating that you’re unwilling to take the time to look it up for yourself.
  • just_do_it_shia_lebouf.gif.png.webm.xps.ai.fap
  • if you tell me that I have to go get one of these certs to have the ability to complain about them, I will personally send Raymond Reddington and Bryan Mills to your house with a $2500 rimowa suitcase full of torture equipment. You’ll have a bad time.

So this concept is something that is rarely talked about because it is how people who have no clue about security maintain jobs in the security industry, and it is how companies and consulting org stay in business or stay ‘compliant’ while continually getting hacked over and over again, or turning in reports directly out of nessus/qualys with a rebranded PDF and charging $400k for the engagement.

It’s a four part fuckfest, so get your Gahllagher-style trashbag-poncho on, cuz it’s gonna get messy.

CERTIFICATIONS:

The original intention here was to have a way for people to know that someone ‘knows their shit’ without taking the time to interview them, ask them about their experiences, or otherwise interact with them at all, before rubber stamping them into a position of authority. The trouble is that when the certification places realized that this was HUGE MONEY, they tried to find ways to funnel as many people through the process as possible – especially people that are willing to pay 5 grand or so to avoid actually having any relevant experience whatsoever. Pay 5k, get a cert, look like you know shit. Wonderful.

Now, not *ALL*certs fit into this category. Just .. most of them. The CISSP and the CEH are two examples. You could be a plumber with no experience to speak of, but if you can convince 5 people or so to write you letters of recommendation, then bam – you’re in. Now you’re a plumber who’s never touched a firewall, and you’re ready to take your first CISO position.

 

COMPLIANCE ONLY SHOPS:

So compliance came into existence because places were found to be deficient in a lot of ways – like ENRON. Enron is why SOX (sarbanes oxley) exists. Look it up, you’ll see. You’ll make a face, too. There are a TON of compliance mechanisms that are designed to “demonstrate your security program (or business workflow) is up to snuff”.

Read that again. Slowly

TO DEMONSTRATE

THAT YOUR SECURITY PROGRAM

IS UP TO SNUFF

It doesn’t fucking read “do these bare-minimum steps and you wont get hacked”, does it?

Compliance is DESIGNED to be a checklist against an EXISTING SECURITY PROGRAM so that people have an idea of what their respective industry regulators are hoping to see in a company that ‘meets the guidelines’.
This is all very vague – and it’s INTENDED to be. It’s SUPPOSED to be confusing – because it creates jobs. Auditors and box checkers, people at a company to validate compliance etc.

Now I don’t claim to be an expert in any, or even a single one of these compliance mechanisms, but when you read the cliffs-notes of them all they all more or less read the same way and make the same points:

— Have some sort of security in place

— Read your fucking logs

— Have a policy so people know whats okay and what isn’t

— Check your business shit from time to time to make sure it’s solid and doesn’t have logical loopholes or problems

— Audit your security from time to time to get an idea of what your risks are (BUT NOT DEAL WITH THEM! none of these fucking things tell you what to do AFTER you get a pentest. They just want you to get one, and stop)

— then more specific stuff on HIPAA, NERC/CIP, FISMA, FINRA, SOX, PCI/DSS – because a bank doesn’t need to make sure its nuclear scada controllers are on segregated, highly monitored networks, and the hospital doesn’t need to make sure its stock trading platform complies with mandatory cashflow minimums.
At the ROOT, they’re all MOSTLY the same.
The trouble is that once these things got written they got huge and unwieldy, and places groan when they read them – as they should – this is ‘decision by committee’ and thats always an ugly mess. So what do they do? They do just the bare minimums in these regulatory statues to comply with the regulation so that they don’t get sued by the regulatory committees, or fined by the government.

THEY DO THE BARE MINIMUM THEN STOP.

this is not why compliance exists.

this is why compliance isn’t security.

 

MINIMUM VIABLE PRODUCT:

If you spend any time in a shop that produces something: software, hardware, a widget, a product – you’ll have probably heard this term. It means “the bare minimum functional shit you need to make this thing go and be sellable in the market”.

This is why there are tens of millions of horribly insecure webcams, firewalls, watches, toilets, and other things connected directly to the internet, and it’s the core of why myself and other security researchers who ‘find random shit online’ have it so easy – because people build a thing, and once that thing is immediately viable as a product, it goes to the market (ever play an EA game? play any of the battlefields? tell me those were ‘legitimately solid’ on day 1. I dare you). Conceptually it’s easy, but it falls inline with the rest of the momentum here – doing the bare minimum and trying to get away with it for the sake of making money. Because making money is the point – not security. Security often “gets in the way” of making money – at least if you ask the sales folk. But I bet diginotar tells a different story.

 

HR FIREWALL:

You’ve probably seen job postings for people that have 10 years of ruby experience, or 10 years of go programming experience. It’s not a secret that job listings which come from an HR department are all sorts of broken and are routinely flying blind and solo through the jungle of bonkers. They ask for a CS degree, a CISSP and 5 years of experience to sit in a SOC an stare at an ELK stack or QRadar and literally press a button or send an email when a light goes red.

The intention here is to weed out shitty candidates. THERE ARE MANY. I’ve interviewed people who claimed they were redhat experts and didn’t know simple yum command lines. I’ve interviewed security people who “read the nmap book a while ago” and couldn’t tell me where to download kali linux. I’ve talked to networking engineers that told me about “UDP SESSIONS”.

The reason HR puts these absurd requirements into job listings is because they think it will cause people who don’t know their shit to avoid the job listing – WELL IT DOES THE FUCKING OPPOSITE – and it makes shit a lot worse for everybody.

Now, we have absurd job listings asking for absurd requirements, and places (like isc2 and the ec-concil) willing to ratify ANYBODY as ‘good enough’ if they pony up the cash.

Now we have HR departments who aren’t technical people, publishing job postings full of terms and acronyms they don’t understand, for hiring managers that very likely also do not understand what they want or even need, to get applicants who see these requirements and find out they can “just buy them” to get the job.

It’s creating hoops to jump through, for the sake of having hoops, in the false belief that jumping through these hoops makes you “better” somehow.
And it creates a market for places to give you “cheat codes” on how to jump through hoops.

And once  you get the job? There isn’t a single fucking hoop. And there’s no jumping. You sit and look at a display, or you curate a 25,000 word deep corporate policy on a confluence page.

And you paid 5k for a bootcamp, went through 7 interviews over 4 days, and moved to another city for it.
good. fucking. job.

 

So put these all together: Certs, the HR firewall, minimum viable product, and compliance-only “security departments”. What do you get?

HR publishes an unrealistic, absurd and laughable job description, designed to weed out bad possible candidates, but does nothing to tell legit one what they *ACTUALLY NEED* in a candidate, which leads to hiring employees that don’t know shit about security, who then work in a security department which does zero ACTUAL security – only preens and grooms the policy in the wiki, until the auditors come around, wherein they rush to get a 3rd party pentest done, then they edit the pentest report so that it matches the policy closely enough to avoid getting sued or fined this year. THEN, they are free to move on to releasing a product that has zero security considerations and was rushed out the door by a pushy sales/marketing department, because the quarterly figures are dipping and if the company stock doesn’t do well enough, the company doesn’t meet it’s figures and the stock drops, and there are bad articles written in the financial times the following week. This can lead to layoffs, or outsourcing of various departments.

 

That sounds MOTHERFUCKING SHITTY, doesn’t it?

Do you want to work in a place like that?

Is that your idea of a good time, or “doing security”?

Will you feel like you’re “making a difference”?

It’s a dog and pony show to make sure the people that have all the money and control don’t lose “unrealized gains” in the end. It’s smoke and mirrors to please auditors.

Non technical staff, making shit up in a policy to appease non technical auditors.

And you’re arguing with me on twitter over the value of the CISSP and the CEH in this scenario.

 

sigh.

 

For those of you who think the above is “utter bullshit”, do not despair. You can literally avoid it all. I’ll show you how!

  • If you have zero security experience, but are currently a dev, a sysadmin, a netadmin or in another technical role, and are interested in moving into a security role, it’s actually pretty easy. Keep doing what you’re doing, and start going to the community conferences. Not huge ones like comdex/blackhat/rsa, the little ones near you. showmecon, shakacon, shmoocon, toorcon, derbycon, bsides, layerone, hushcon (ask twitter, there are tons of these) – the cons attended by “the doers”. The people that do the things – that make the tools – that present at cons on neat topics. There are very few “doers” in the community – stick close to them and you’ll absorb A TON.
  • Most people in the community are super happy to share – so jump in, make some friends, and ask questions. Don’t ask  “how do I get started”, it’s too broad – pick a specific topic and drill into it. “How do I start reversing malware?” “How do I do a pentest?” “How do I write shellcode?” – start with the ingredients, follow what seems fun/cool, and after you have 2-3 of those you’ll have an idea of what you want to do. Security is pretty broad, and there is more than just ‘redteam and blueteam’ to it. Get you hands dirty.
  • Asking “what certs should I get” tells me “I want to be part of the problem. I like that shitty shit shit scenario you described above, and I want to live that dream!” – to which I say ‘holy shit, you made it this far in this post? you must be SUPER HIGH.’. Certs will definitely get you jobs – but just not interesting ones or ones you want or like. They get you jobs where the business leaders need to be compliant and “have to have at least one CISSP on staff” to meet some bullshit goal – they don’t want you because of you, your personality, your skills, or your experience – they need a person so sit in a chair wearing a hat that says “I HAVE A CISSP” so that they can point at you and say “see? we have a guy who has that”. If thats the job that you WANT, then fine – I can’t help you, but most people that do security LIKE WHAT THEY DO and I literally can’t think of a shitter job to be in than “a guy who has a cert because the business needed a guy who has a cert”.
  • If the job title requires a cert, avoid it. Period. If the company wants a jr pentester, or a soc analyst or an entry level job, you don’t need a cert – no matter what they fucking say. It means THEY DON’T KNOW WHAT THEY WANT OR NEED. If they INSIST THAT YOU DO it means they do not understand the job or what it’s supposed to be, which spells “you’re gonna have a bad time”. If the people hiring you have no fucking idea what it takes to do the job, even at a high level, that’s a massive indicator that the job will be shitty and you will be miserable.
  • If you think you need a cert to get a job, you’re looking at the wrong jobs. Doctors and Lawyers, PHDs, rocket scientists – those people NEED degrees. Science doesn’t change in 3 months. The law doesn’t change overnight because someone found an exploit. What we do as hackers is SUPER FLUID, and we ROUTINELY are the ones that are quoted in college curriculums, the news, blogs, and publications. To be a hacker or work in security you need EXPERIENCE. Anybody that tells you different is either trying to get you into a compliance role, or simply doesn’t have the experience enough themselves to understand.
  • If you think you need to get a cert to make HR happy, you will be miserable if you get the job. Hacker jobs aren’t about obeying company policy and obeying HR. You’re probably in the wrong field. If you want to be a mindless robot that just obeys your boss for a living, I hear OPM and Sony are hiring.
  • if you hack “getting the job” you will be rewarded for it. Hacking the job means getting the job without going through HR. This can be done several ways:
    • Meeting the hiring manager at a con, or anywhere else, and having a conversation outside of work. This basically serves as a casual interview.
    • Being selected for a job based on your hobby, your previous work, your experience, code on github, conference presentation, or social media contributions (legit ones, not just ranting).
    • Being the author of a tool.
    • doing a rad research project.
    • TL;DR – if you do awesome shit, the job will come to you, not the other way around. Do not presume that you have to get a job first to do awesome shit. If you “become interesting”, people/money/influence/etc will come to you.
    • Doing awesome shit, having videos of you presenting at cons, releasing tools and code and all of that stuff is WAY WAY WAY MORE VALUABLE to a legitimate security practice than any cert. You are showing the world what you can do WITH EVIDENCE – not because you paid isc2 or whoever 5 grand to “tell the world you’re legit”.

 

This system dies if you don’t feed it. This is the reason that we hear squealings from the government and large corps about “not enough qualified people”- there are organizations that have successfully ‘done all the things’ with compliance and can do it with their eyes shut – but they still get the fuck hacked out of them on a regular basis – and nobody they interview can do the things they need done to protect the place. Here’s why:

Because HR posts bullshit

Bullshit walks through the door, takes the job

Bullshit copy/pastes a vague, worthless policy from the internet into confluence

Auditors come to audit the bullshit, and its found to be ‘not so stinky’

Bullshit is released into the wild, and gets hacked to fuck.

People see that bullshit got hacked, decide they need an expert, and ask HR to post a job listing.

20 GOTO 10.

Rinse and repeat.

They found that they have a problem, and they UTTERLY REFUSE to solve it. They insist on miring themselves into this cycle because it’s what they know, and they refuse to let outside folks in. The military has shit pay and requires clearance, big business requires ivy league education and degrees or roots in a wealthy family/community, large industry requires certifications that are irrelevant – NONE OF THEM put a person down in front of metasploitable and say ‘get me a shell’. NONE OF THEM put people on front of a cisco switch and say ‘put port 12 on vlan 2, and give vlan 2 an ip of 10.10.10.1’.

They all rely on certs to tell them who can do shit and who can’t because, and I shit you not: THEY SIMPLY CANT BE TROUBLED TO DO IT THEMSELVES.

People have heard me say in the past “If you don’t give a fuck about your own security, then nobody will give a fuck for you”. This is the embodiment of that sentiment. These are people who do not give a fuck about security, trying to hire people to give a fuck FOR THEM, hiring the wrong people which perpetuates the problem.

OR, they hire the RIGHT people, but because the system is designed to perpetuate itself and not actually solve any problems, the right people cannot get a foothold into a budget, they cannot hire talented subordinates, they cannot institute change in policy, and therefore they cannot effect any change whatsoever – so they quit. The cycle repeats yet again. It’s like the election cycle for senators, congress people, and the president. They spend the ENTIRETY of their first term doing NOTHING but trying to get re-elected. It’s exactly the same routine. They spend all their time trying to get the same budget, avoid fines, and stave off auditors and NOTHING ELSE.

It’s like that fucking plant from little shop of horrors, Audrey II. Every time a new person gets a CISSP, or a CEH – every time an ex pentester takes a job doing compliance – all I hear in my head is FEED ME SEYMOUR!

The way to fix this is ugly, but it’s the only way I have been able to come up with: Let them fend for themselves.

It sounds shitty, but it’s the truth. If these people refuse to acknowledge that their own refusal to ‘do something different to fix the problem’ is what’s CAUSING the problem and there’s nothing we can do to change their minds – even watch them be publicly burned at the stake like sony or ashley madison. Let them get hacked, let companies implode, let them wither on the vine. It’ll serve as a warning to others of “what happens if you willfully ignore security in favor of compliance”.

Focus your energy on people and companies that DO CARE and you’ll have a truly welcoming experience and grow as a person and in your career. Take the time to find out WHO IT IS YOU’RE WORKING FOR before taking the job. Don’t take the job just for the money (that makes you part of the problem). Research the place you want to go work, they’ll respect you for it, and you’ll have a much MUCH better time for it, while avoiding the shitshow shops I described earlier.

Otherwise you’ll end up just another CISSP/CEH, part of the problem, perpetuating the trapezoid of fuck.

 

5 thoughts on “The ‘Compliance Only / CISSP / Minimum Viable Product / HR firewall’ infosec trapezoid of fuck

  1. Good article, and fitting considering I receive the materials for and begin studying for the OSCP certification later this evening.

    I’m currently in IT audit and have plenty of experience going in to “audit the bullshit to ensure its not so stinky” (lol). I recently acquired my CISA certification at the recommendation of my organization, and found it to be a pretty absurd experience. I essentially had to memorize ISACA’s way of doing things (which usually has nothing to do with real life), then vomit out their inaccurate ramblings in the form of a poorly written multiple choice test, hoping that they drop enough questions and curve the scores enough so I don’t have to pay $800 for a retake. Well I did pass and can honestly say I didn’t learn much.

    Since I began my professional career 3 years ago I have been attempting to acquire the skills to pivot into a more security focused role (specifically pen testing). Our organization does some pen testing sprinkled in among all of the more boring compliance stuff, so that has been great experience. I’ve have also tried to be a sponge and absorb all that I can in the form of conferences (couple of Defcon attendances), bug bounty write ups, articles, blog posts, my own research, etc. It seems that the topic of IT security is so broad and vast that its difficult to take in or know where to start, which I think is the appeal of these certifications that promise this “well rounded” knowledge of IT security as a whole.

    After my terrible CISA experience, I wanted to find something that wasn’t a joke but gave me some structure and guidance regarding the IT security topics I’m interested in. From research I have done, the OSCP appears to be the exception to the rule when it comes to security certifications. I would be interested to hear your thoughts and/or experiences on the cert. If you think its worth getting, or if it perpetuates the “trapezoid of fuck” you speak about above.

  2. I have the OSCP. I found it “fucking amazing”.
    The final is (or was, I did mine in 2009) – they give you vpn into a lab with a bunch of machines, and you have to shell them to get points.

    YOU HAVE TO HACK SHIT TO PASS.
    Not a multiple choice test, not a written exam… shells. You gotta get shells and you gotta exfil data.

    Those sorts of certs and testing are the best kind because they make you DO STUFF. There are a small number of them in the wild, I’m most familiar with the cisco ones (the CCIE exam is fucking insane) since before infosec I was a systems architect and I did mostly cisco/linux/wifi work.

    I’m saving up to buy the OSCE course – which is the bolt-on addition to the OSCP course, which focuses on more advanced tactics and spends time in debuggers doing exploit work.

    OSCP = you’re outta dat trapezoid.
    If you want to, I mean.
    You could take the oscp and then go back to the cisa work…

  3. My perspective of certs is that the landscape is tiered. There are undeniably shitty ones, and there are amazing, useful ones, and that there is an in-between. I’ve held many certs at one point or another in my career, and won’t say too much more here, because I’ve written up a lot of it over on Peerlyst, and it is probably more efficient to just link to it.

    This one is specifically just on pentesting certs:
    https://www.peerlyst.com/posts/penetration-testing-certifications

    And this one is on analyzing the value of certs, reasons to get them, etc. I even joke about how having TOO MANY certs can be a red flag for someone. Just kidding, I wasn’t joking, that’s definitely a red flag 😉
    https://www.peerlyst.com/posts/post-by-adrian-sanabria-2016-03-07-2027

  4. Not sure if it was intended to, but this kind of inspired me even more.
    I hope to soon start working a little more and do some things that I should already be doing.
    I’ll also be reading this again and more in-depth in a bit.

    Off-topic: Although it’s not unusual, it’s cool to see that people watch and have interests in the same shows as me!

  5. I learned a lot in my cert course (GWAPT), so much I got scared of the test and put it off for 6 months. Test turned out to be a joke – I could have passed it before the class. Lesson learned – find an expert to learn from and you’ll get a lot, but the actual cert isn’t worth the paper its printed on (they use some real fancy paper for it though, even came framed for me).

    Post has a lot of good points, and great advice on how to break in without participating in the cert system, but there is still one big problem. How does the non technical hiring manager discern the person who knows his shit from the one who doesn’t? Granted, CEH/CISSP don’t do that either, but we still need a solution. As hackers, we can quickly tell who can pass a shibboleet test – but outsiders are completely lost.

Leave a Reply

Your email address will not be published. Required fields are marked *