Possibly my finest contribution to the infosec industry is introducing the concept of #yolosec, first discussed when I introduced decision trees as a threat modelling device in my Black Hat talk back in 2017. Not one to let a solid shitpost go to waste, I want to expand and expound on that concept, and introduce its ideological opposite: #fomosec. Most security efforts are hilariously inefficient, but only one end of the spectrum (#yolosec) is typically called out. That changes today.
This post will explore why both YOLO security (YOLOsec) and FOMO security (FOMOsec) are pernicious disservices to infosec defense and how you can spot them so that you may yeet them from your organization’s security strategy.
The tl;dr is that #yolosec and #fomosec are disconnected from the goals and needs of the business, forsaking pragmatism and prudence in favor of fanatical flavors of recklessness. YOLOsec reflects a security strategy driven by a “you only live once” mentality – one that emboldens people to ignore future concerns around security to achieve today’s gratification. FOMOsec reflects a security strategy driven by a fear of missing out – one that frightens people into misallocating resources towards what makes them feel better about their security efforts.
If you imagine your organization as a sea-faring vessel, infosec’s goal is to ensure the boat can survive krakens or canon-wielding pirates and successfully complete its journey. If you ignore the existence of sea terrors (#yolosec), you may not make it to your destination unless Poseidon grants you merciful passage. If you prioritize defense above your vessel’s mission (#fomosec), you will find yourself aboard a battleship that is entirely inadequate for transporting revenue-generating cargo.
First, does security matter?
Before we dig into defining #yolosec and #fomosec, I want to establish the appropriate context for these concepts. The potential peril inherent in these two “strategic” approaches rests on understanding security’s relevance to private-sector organizations. The not-so-dirty and not-so-secret dirty secret is that information security does not matter nearly as much as the infosec industry proselytizes. In the grand scheme of business risks, it is solidly in the bottom half, if not the bottom quartile.
Your organization is far more concerned with attracting and retaining customers, successfully competing in an evolving market, macroeconomic factors relevant to their industry (especially right now, amid the COVID-19 slowdown), operational interruptions and downtime, commodity price fluctuations, failure to maintain brand image and public perception, inadequate financial forecasting, changes in product mix impacting profitability, maintaining relationships with supply chain partners, impacts of seasonality, their litigation and regulatory risk profile, changes in international trade relations, climate change impacts, exchange and interest rate fluctuations, inability to access external financing, ability to anticipate consumer preferences, and, well, you hopefully get the idea by now.
As far as tech stuff goes, organizations are primarily concerned about the interruption or inadequacy of IT systems, since those systems power ongoing business operations and, to varying degrees, fuel their revenue growth. To the ops readers among you, congrats, you are critical to modern business operations across most industries! To my infosec readers, I am certainly not saying you are unimportant, but, rather, that it is vital to be self-aware of one’s influence on the reality around you.
With that said, infosec is not completely useless. Attackers can absolutely cause operational interruption and downtime, most obviously through things like DDoS attacks, ransomware, or overloading cloud compute to eke out computercoins. Beyond those examples, security incidents in general necessitate recovery and response efforts which require money, time, and, frequently, system downtime (so money, money, and frequently money). There is limited evidence that security incidents lead to damaged public perception or public market valuation.
Therefore, one can consider infosec important to organizations insofar that it either: 1) minimizes negative operational impact engendered by attacker actions 2) enhances qualities that improve business operations, such as the speed, stability, or scale of IT systems. To be clear, there is scant evidence of infosec achieving this second axiom in any meaningful fashion. Security teams encouraging the adoption of standardized APIs or base images is perhaps the only strongly justifiable example. Nevertheless, it remains an equally important, albeit contemporarily theoretical, justification for infosec’s relevancy to businesses.
Now we can explore #yolosec and #fomosec and why their manifestations are so magnificently monstrous.
What is YOLOsec?
YOLO is an acronym for “You Only Live Once,” the modern carpe diem and mostly ironic millennial catchphrase meant to express the unbridled living of life to its fullest in the present, believing the current moment to be vital and unique, with scant regard to the future. YOLO-driven actions tend to manifest as risk-seeking activities, such as skydiving or, in the case of Napoleon Bonaparte’s Hundred Days, sneaking into France during exile, ripping your coat open and daring your former troops to shoot you, marching on Paris with said troops, reclaiming your title as emperor, engaging in a war against Europe’s major powers, losing at Waterloo, and returning to exile.
YOLOsec, and my irony-flavored hashtag #yolosec, is a term meant to describe a security strategy that embodies the “you only live once” mentality. A yolosec strategy says, “Setting our S3 bucket full of customer data to public will let us deploy our service faster, what could go wrong?” YOLOsec whispers sweet deceits in your ear, telling you that basic security countermeasures like privilege separation and access control are tomorrow problems – knowing full well that tomorrow will distend into months or years. And this temptation can metastasize across your systems and organization.
#yolosec is rarely instigated by a refutation of security’s importance; its wellspring is often found in an arguably myopic attention on specific business goals that are more easily or quickly achieved by ignoring or dismissing security considerations. True to Hanlon’s razor, #yolosec is almost assuredly due to incompetence rather than malice.
For instance, developers are not specifically aiming to write code so riddled with bugs that swamps are jealous, nor are they storing API keys in plaintext as an expression of their love for hackers – although both constitute #yolosec. Or, in organizations with high turnover, fresh engineering teams may barely understand how a legacy system works, rendering the exercise of upgrading or migrating it from its current insecure conditions clearly intimidating .
It is thus understandable, albeit undesirable, that the default state of engineering teams is to overlook or neglect infosec concerns when performing their work. This is rarely due to succumbence to temptation, but simply the dearth of pragmatic security wisdom among engineering teams.
What is FOMOsec?
FOMO is an acronym for “Fear of Missing Out,” the modern “keeping up with the Joneses” meant to express the anxiety and regret borne from not participating in experiences in which others are involved – usually examined in the context of witnessing those experiences via social media. FOMO revolves around the basic human desire to understand what is going on, especially the impulse to stay connected with other humans’ experiences.
FOMO can represent a sensation that others are living life better than you are, that you are outside of a social loop, that you are behind in life relative to others, or that everything is beautiful and nothing hurts for everyone but you. Human brains are wired to judge outcomes relative to a perceived status quo and to feel bad when experiencing a perceived loss, so FOMO quite unfortunately presents a “buy one cognitive bias, get one free” deal. In a nutshell, there are two primary dimensions driving FOMO: a desire for belonging and anxiety about isolation.
FOMOsec, and the corresponding hashtag #fomosec, is a term meant to describe a security strategy that is driven by a fear of missing out and its psychological underpinnings. A #fomosec strategy says, “If you aren’t perfectly protecting literally all the things, what are you even doing?” FOMOsec cackles in your face, mocking your impotent control over the security of your organization’s systems and the flaccidity of your defense relative to the potency of your adversaries and the adulations showered upon your I.T. peers in engineering and operations.
Prioritization and pragmatism fade into the background under FOMOsec; what gains the spotlight is escaping the feeling of inadequacy – regaining a sense of autonomy and control irrespective of outcomes. Under #fomosec, you cry happy tears as your teeth clench and your knuckles whiten from the domspace ecstasy of gripping the wheel, euphorically ignoring that the wheel is not attached to anything and that your supposed steering is relegating you to stagnation.
Defenders, from security engineers to CISOs, are not deliberately sabotaging and impeding organizational operations because of a hatred for business growth or improvement. Every human longs to belong. Defenders are not immune to this basic human need nor immune to its capacity to desecrate strategic thinking.
The human desire for approval and acceptance from groups who share their social identity is what most foments FOMO – seeking inclusion is even more powerful than avoiding exclusion. Both urges result in largely the same outcomes, however, as humans who feel excluded aim to strengthen their connections with social groups and more tightly enmesh their group membership with their self-identity. Ultimately, FOMO drives humans to alter their own behavior to imitate others within their chosen social group, regardless of specific underlying motivator.
Even mere tourists of the infosec industry are likely aware of the shockingly borgish tendencies of its constituents, culminating in boldly defined shared identities that glut themselves on in-group signaling mechanisms. Whether the identity of the misunderstood Nostradamus who must save the feeble users from themselves or those who treat a piece of software as “completely broken” if there is a vulnerability requiring local access, special configuration settings, and dolphins jumping through ring 0, the nature of infosec culture and cliques certainly suggests the presence of imitation towards the aim of cementing group identity and gaining group approval. And this, in turn, supports the credibility of #fomosec’s existence.
Envy + FOMO Security
I believe envy waters the roots of #fomosec. Envy is best described as the painful feeling of hostility, inferiority, and resentment resting upon a foundation of admiration. When you admire or respect someone else’s situation and compare it against your own, FOMO and envy mix together into an especially potent poison.
The targets of infosec’s envy are attackers and software engineers – that both possess measurable and meaningful goals that result in tangibly meaningful work. For attackers, the obvious goal is “did you get in?” For engineers, the obvious goal is “did you deliver software customers will buy and use?” Offense attains swaggering victory and software engineers attain lucrative accolades. Infosec’s goals are nebulous or self-serving, its metrics either non-existent or inconsequential, its success abstract and bittersweet at best.
In response to my own work, I have witnessed infosec professionals bristle at the notion of adopting ops metrics like mean time to recovery (MTTR) to inform their own work. Infosec seemingly wants its own special metrics, despite the obvious logic of adopting metrics that align with operational objectives. This palpably inefficient priority of feeling special over pursuing more meaningful work is not only driven by FOMO-via-envy, but FOMO-via-social-identity, too.
Envy is made even stronger by a need to belong. Social identity can even be thought of as blossoming from FOMO, which is also made stronger by the longing for belonging. Extending this to infosec, FOMOsec is perhaps the catalyst for the stark, shared identities found across the industry. In fact, the infosec community, in many ways, is not unlike online gaming communities – featuring guilds (like CISO cliques and SecEng sects), server-wide events (like conferences), and highly active chat channels (like Twitter and Slack groups). And, much like online gaming addiction, the human need to belong perhaps fuels infosec’s obsession with adhering to the shared identity of “outsider.”
FOMO Security Budgets
Unfortunately, #fomosec discourages practitioners from pragmatic budget decisions towards choices that make them feel accepted by their desired social group, whether fellow CISOs or security engineers. This desire for praise and prestige from others leads to consumption behavior based an expectation of how others will perceive the consumption, rather than prioritizing product quality. Driven by the fundamental need for social inclusion, humans purchase and use products that are symbolic of the groups with which they desire connection – and they are willing to sacrifice “personal and financial well-being for the sake of social well-being.”
The purchasing of tools such as threat hunting, fancy threat intel reports, or protection against niche, nation-state threats can be thought of as luxury goods that serve as costly signaling mechanisms to generate interpersonal acceptance. Adopting frameworks trendy among the in-group – such as MITRE ATT&CK is currently – is a less expensive signaling mechanism, until you factor in opportunity cost. Security engineers building their own SIEM, rivalling children’s attempts at building majestic towers with popsicle sticks and glue sticks, is costly both in people hours and opportunity cost incurred by the organization. However, it represents a feat worthy of admiration from their peers despite the substantial downsides, true to #fomosec’s essence.
FOMO not only drives people to spend excessively and forget their true needs, but also leads people to consult their peers when making purchasing decisions for goods or services – the combination of both leading to impulse purchases that are far from strategic. While there are few studies on how security leaders make purchases, anecdata suggests that peers are one of the stronger influences in decision-making, especially if you include indirect peer influence through research analysis firms.
As a result, #fomosec creates the consummate conditions for snakeoilism to spread. FOMOsec germinates from defenders’ fears of being the outcast sheep of the I.T. family, fears of always being one step behind of attackers, fears of their work being meaningless in light of the inevitability of failure, and fears of looking foolish to peers when an incident is emblazoned in public headlines. Rather than promote mindfulness on business objectives, the industry encourages their dismissal, shaming and guilting and goading defenders into throwing away budget towards products that pursue perfection – the unattainable ideal that tacitly stokes the ego’s lust for heroism.
Horseshoe Theory & FOYO Security
Despite #yolosec suggesting a blistering lack of attention on security and, on the other end of the spectrum, #fomosec suggesting a desperate and egoistic obsession on security, they both result in poignantly poor security outcomes. I argue that they represent the two ends of a Security Strategy Horseshoe, and, in their extreme forms, are nearly indistinguishable in their outcomes.
When you FOMOsec, you are prone to treat the security of all assets, and threats to those assets, equally – or worse, overcorrect for niche threats (like 0day or nation state actors) under the “gotta catch ‘em all” mentality. In the former case, even the largest teams with the highest budgets cannot perfectly secure all systems against all types of incidents. One result is spreading efforts far too thinly in order to maximize breadth of coverage or concentrating on what feels like the biggest gap and neglecting others.
Desperate for Data
They were all in love with data
They were drinking from a fountain
That was pouring like an avalanche
Coming down the mountain
Those who #fomosec believe that one must collect all of the data possible, as missing the one clue indicating an incident will be catastrophic, embarrassing, or result in some other ill-defined tragedy. There is a shared, somewhat histrionic belief across the industry that attackers just need to discover one flaw to win, while defenders must cover all flaws to win. From the assumption that attackers possess an (unfair) information advantage, it can flow that gaining an advantage comes from rebalancing the pervading information asymmetry. That is, defenders can elevate their status relative to their adversaries by accumulating enough data, where the quantification of “enough” is persistently vague.
Through this lens of data accumulation, the end results of FOMOsec-driven behavior look an awful lot like those generated by YOLOsec. To quote Professor Netzer of Columbia University (invoking Andrew Lang), “A lot of people are using data like a drunk man uses a lamppost, for support rather than illumination.” Doing so is a decidedly YOLO vibe, even if it is fostered by FOMO.
When FOMOsec ignores the basic wisdom of the central limit theorem and the reality of diminishing returns on data set size in improving performance and reducing errors, it wraps around closer to YOLOsec. Data is a tool for improving outcomes when faced with the unknown, but resolving uncertainty presents finite benefits – and thus data presents finite and diminishing returns.
Like a dragon slowly burying itself in treasure, FOMOsec growls, “We need to hoard all the data…” and YOLOsec roars, “…and who cares if it causes operational distractions and management headaches in the future?” The FOMOsec-distorted cost / benefit model not only overstates the benefits of data accumulation but also misses the costs of handling all that data going forwardin a classically myopic YOLOsec fashion.
FOMOsec tells you that you desperately need to collect all the things (and to buy fancy tech that can help you do so) because otherwise you are not in the know, and YOLOsec tells you to collect all the things just because you can. These impulses are nearly indistinguishable in flavor, and equally as damaging. You should not measure things just because you can as it will lead to a form of self-sabotage via information overload, which leads to cognitive overload, which leads to a variety of issues that can be summarized as significant human performance degradation.
The social element of FOMO manifests in infoxication, too. The giveaway that data accumulation is not actually about better business outcomes is found in infosec teams refusing to leverage data sources and tools deployed by operations teams, which would streamline budget and promote collaboration. Instead, security teams seemingly refuse to let go. Budget is viewed as a status signal, and security leaders in the vice grip of FOMOsec are disincentivized from taking actions that make them feel less influential, even if it is the right move for their organization and team.
Defenders who #fomosec seek out approval and praise from other defenders as well as their organization – and performing challenging engineering feats helps fulfill that impulse. As one study looking at Amazon’s big data practices unearthed, the accumulation of “big data” is mostly viewed as an engineering challenge rather than providing tangible modeling benefits. Additionally, most of this “big data” is wasted, with potentially as little as 0.1% of the data treasure hoard being used to power decision-support systems, as in Google’s case.
The mythical “data feedback loop” does not bear out in practice, but it can certainly help defenders burdened with FOMOsec feel like they are in the know, that they are performing prestigious work, and, besides, everyone else seems to be doing it as part of their security strategy, so mimicry feels right, too. But, just as your mother warned you once upon a time, jumping off a bridge just because everyone else is doing it is a decidedly YOLO course of action.
All Aboard the Vulnerability Hypetrain
The infosec industry is firmly strapped onboard the vulnerability hypetrain: the flurry of media attention and industry panic that explodes upon publication of previously unknown flaws in software, known as zero-day vulnerabilities (or 0day, as the kids say), that often come with their own branding and public relations strategy. Each new, provocatively-named vulnerability adds a stop on the interminable journey. The engine of the vulnerability hypetrain is #fomosec and its exhaust is #yolosec.
Aboard this train, security leaders roleplay as special agents and muse through their tinted Morphean shades about “threat actors,” presenting idle speculation about how geopolitical events shape their firewall policies. The names of vulnerabilities hold special power, like an eldritch deity lurking in the forests surrounding a village, to whom blood sacrifices must be made each full moon lest it devour any newborns in their cribs. The truth that is lost among these rituals of the status quo is that vulnerabilities, and their monikers, should not be given more thought than the names of hurricanes that threaten power or data availability.
Wherefore this pestilent paradigm, then? Each vulnerability with its own PR campaign is a chance to trigger #fomosec, which leads to money or attention (so money or indirectly money). Constantly stimulating the FOMOsec response leads defenders to adopt a vulnerability-centric approach to security that merges into the unkempt path of YOLOsec. YOLOsec curls around you like an anaconda, obscuring your vision until you can only see the industry headlines screaming about the newest cyberweapon or threat group, the peripheral sliding away until the more relevant factors that contribute to security failure, like misconfigurations, are overlooked.
Overly permissive access controls will not receive a fancy name like RootRipper or DefaultDesecration but will make an attacker’s job much easier. Thus, when #fomosec panics about missing the presence of the latest heralded vulnerability in your organization’s environment, #yolosec high fives its partner-in-crime and springs into action to beleaguer your colleagues with the false positives and intractable UIs of vulnerability scanners while the attacker stumbles upon a publicly exposed k8s management dashboard and takes control of prod.
The stated motivation for the vulnerability hypetrain is to protect users in the surrounding countryside. But, well, COVID-19 was not named LungTempest, and we do not see pharmaceutical companies publishing blog posts by self-proclaimed rockstars about how to improve the scalability or functionality of LungTempest so amateurs can DIY their own virus with a bit of copy pasting and tweaking.
We would all rightfully be outraged if pharma researchers were publishing posts about leet bioweapons online for fun and profit, about how to bypass a competitor vendor’s vaccine (after an oh-so-generous 90 day window for them to fix the vaccine), or with technical details that dramatically overstated the potential severity of the virus in order to raise funding for a new miracle drug.
Alas, #yolosec relishes the joie de vivre of dropping 0day to thunderous applause and #fomosec drinks deeply of it – the shimmering waters of an oasis in the lonely desert under the blisteringly hot sun of irrelevancy. Defenders thirst for significance and acceptance. And researchers (and the vendors who employ them) are more than happy to provide a means of feeling “in the know” and phantasmic progression towards solving the frustratingly contumacious security problem. I leave it up to the reader to evaluate whether this is symbiosis or parasitism.
FOMO Security Fosters YOLO Security
The desire to acquire the sexy, shiny security toys that seemingly signal membership in the Cool Kids Club is incited by FOMOsec. Equifax deployed FireEye to protect against advanced threats and yet: 1) failed to patch a vuln in their database within their own mandated time frame of 48 hours (it was more like four months); 2) neglected to update the security certificate in their network traffic monitoring tool for 19 months, rendering it useless.
Equifax simultaneously FOMOsec’d and YOLOsec’d, demonstrating the conceptual compatibility of the horseshoe’s ends. The same security team can both be like, “We need to stop nation states!” and also completely fail to patch their shit.
I argue the general case that #fomosec almost necessarily engenders #yolosec elsewhere, not unlike life outside of security. An obsession with the perceived inadequacy of your own life in light of the perceived excellence of others’ lives (FOMO) is likely to lead you to take extreme action to “prove” how exciting and fun your own life is (YOLO). For instance, college students who experience more FOMO also are more willing to place themselves in riskier social situations and make impulsive, embarrassing, or physically harmful decisions.
The yearning beget by FOMO to belong to a social group and receive praise from it leads people to pursue novel experiences, with the expectation that these experiences will arouse approval from others. That is to say, FOMOsec is quite likely to lead defenders to make YOLOsec-flavored decisions, sprinting down a path of myopia filled with seemingly impressive feats – whether buying sexy tech, paying out the nose for “exclusive” threat exposés, being on an advisory board of a hot infosec startup, attending VIP conference parties, and so forth – that are entirely uncoupled with what is required to ensure business operations are pragmatically protected.
This may be a shock to some security readers, whose self-image might shatter at the thought that they could allow – let alone foster – #yolosec. But, when you allow #fomosec, when you want no security stones left unturned, when you demand security approvals on every last bit of new code, or when you lust for security gaining a sacred seat at the Big Kids’ Business Table, you are losing sight of your organization’s priorities and thus inherently routing limited resources in suboptimal directions. You fight your eng org to integrate the vulnerability scanning tool made by the company who let you meet Mr. Robot at RSAC into your organization’s code repo, and now you gain the glorious outcome of developers ignoring the tool’s findings and resenting you – thereby deciding to stay quiet about security issues they do find – while your precious security budget is six figures lighter. You did it!
And before you think that this could not possibly apply to you, consider this: you could be under the influence of FOMO as you read this and be unfeignedly unaware of how it is negatively impacting your work.
Conclusion
If security must shun both YOLOsec and FOMOsec, how should it look instead? To simultaneously alleviate a longing for belonging, envy, and myopia, infosec defenders must seek out and share the identity of “builder” with software engineers. Aligning infosec metrics to software delivery metrics facilitates the alignment of infosec work to software delivery work. Acting upon this alignment – not just paying lip service – engenders the opportunity for security teams to more tangibly connect the work they perform with value and meaning produced.
If you can understand nuance in security problems, you will absolutely be valued by your organization. If you can support the customer experiences required to facilitate business success while ensuring ongoing operational sustainability, it is difficult to imagine your organization viewing you as a nuisance or cost center. FOMOsec poisons missions away from achieving business goals, while YOLOsec erodes the prospect of ongoing sustainability.
Perhaps what is most needed is to shed the label of “security” entirely to encourage a restructuring towards “resilience.” Organizations do not need professionals who self-identify as critics or “breakers”; they need professionals who self-identify as builders but who take pride in building robust systems that can quickly adapt when exposed to any sort of incident – whether an outage caused by an attacker or a performance bug.
That, I think, is the easiest way to kill #fomosec and #yolosec in one fell swoop: the recognition that outcomes are everything and that the differentiation between performance and security concerns in the context of resilience is an unnecessary, outdated construct. #yolosec cannot thrive if engineers are accountable for minimizing instability, regardless of its source. #fomosec cannot thrive if security concerns are treated equally to performance concerns, subject to the same pragmatic prioritization.
The infosec industry would hate it (how many billions of dollars less would vendors make?) and I would lose a multitude of industry insanities to explore… but how much time, money, user pain, and wasted fucks given would we save? I think we should keep an open mind.
Thank you shoutouts to Dr. Nicole Forsgren, Camille Fournier, Kyle Kingsbury, Ryan Petrich, Andrew Ruef, and James Turnbull.
from Hacker News https://ift.tt/3hXaJaq
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.