Ceremonial security and cargo cults

philvenables.com

76 points by eidorb 3 years ago · 48 comments

chunkyks 3 years ago

My current title at work includes the words "software" and "engineer", and thus I have a natural mutual predator-prey relationship with infosec and compliance/IA.

Which brings me to the point: Compliance isn't just there to cargocult and boxtick. It's there because, left to their own devices, most organisations/sub-organisations will end up, at pinnacle-best, half-assing security.

Compliance is an easy way to force everyone to three-quarter-ass, possibly even hit 90%. It's true that, without compliance, some orgs will hit 99%. It's true that some compliance requirements force you to be less secure than you might otherwise have chosen [1]

But it's also true that for every org that would hit 99% under their own steam, there are a hundred that would do the default ubuntu install, then only patch when something breaks. And that is why I like compliance. I work with our compliance team on lots of things, and everybody ends up winning.

[1] Consider password rules. Some compliance rule says must have a couple funny characters and a mixture of upper and lower case, minimum ten characters. Basically, forces a password that users hit the minimum on, then have no choice but to write down. Compare with an entropy-based measure that would let users have an essay question, but one that's memorable and has higher entropy. Far more secure, yet rarely how compliance expresses their password concerns.
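An added illustration of the footnote's point, not part of the comment above: a complexity rule of the kind described (ten characters, upper, lower, digit, symbol) beside a crude entropy-based scorer. The scorer, its ten-word "common password" list, the leet substitution map, the assumed 7776-word passphrase dictionary (diceware-sized) and the three sample passwords are all constructed for this example; a real checker would use a zxcvbn-style matcher with large wordlists. The contrast it shows: a mangled dictionary word satisfies the rule but has few real bits, while a five-word passphrase fails the rule and has many.

```python
import math
import re

# Constructed demo inputs and a toy dictionary; assumptions for this example only.
COMMON_WORDS = ["password", "welcome", "summer", "winter", "letmein",
                "qwerty", "monkey", "dragon", "football", "admin"]
DICEWARE_WORDS = 7776          # assumed size of the passphrase wordlist
COMPLEXITY_MIN_LEN = 10
# Common "leet" substitutions that an attacker's mangling rules try for free.
LEET = str.maketrans("@403$1!", "aaoesii")


def meets_complexity_rule(pw: str) -> bool:
    """The box-tick rule from the footnote: >=10 chars, upper, lower, digit, symbol."""
    return (len(pw) >= COMPLEXITY_MIN_LEN
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _charset_size(s: str) -> int:
    size = 0
    if re.search(r"[a-z]", s):
        size += 26
    if re.search(r"[A-Z]", s):
        size += 26
    if re.search(r"[0-9]", s):
        size += 10
    if re.search(r"[^A-Za-z0-9]", s):
        size += 33   # printable ASCII punctuation and space
    return size


def _token_bits(token: str) -> float:
    """Guess-space estimate for a single token (no spaces)."""
    core, digits = re.fullmatch(r"(.*?)(\d*)", token).groups()
    bits = len(digits) * math.log2(10)          # trailing digits: 10 choices each
    if not core:
        return bits
    if core.translate(LEET).lower() in COMMON_WORDS:
        # Dictionary word with cheap mangling: the attacker pays only for picking
        # the word, for each leet substitution, and for one capitalisation choice.
        bits += math.log2(len(COMMON_WORDS))
        bits += sum(1 for a, b in zip(core, core.translate(LEET)) if a != b)
        bits += 1 if core != core.lower() else 0
    else:
        # No pattern recognised: fall back to the uniform-random per-character bound.
        bits += len(core) * math.log2(_charset_size(core))
    return bits


def estimate_bits(pw: str) -> float:
    """Entropy estimate in bits. Multi-word phrases are scored as diceware picks."""
    words = pw.split()
    if len(words) >= 2:
        return len(words) * math.log2(DICEWARE_WORDS)
    return _token_bits(pw)


def entropy_policy_accepts(pw: str, min_bits: float = 50.0) -> bool:
    """An entropy-based policy: accept anything above a bit threshold, whatever it looks like."""
    return estimate_bits(pw) >= min_bits


if __name__ == "__main__":
    for pw in ["P@ssw0rd12", "purple walnut tractor quietly hums", "k7Tq#2mPz9"]:
        print(f"{pw!r}: complexity={meets_complexity_rule(pw)} "
              f"bits={estimate_bits(pw):.1f} entropy_policy={entropy_policy_accepts(pw)}")
```

The two policies agree on the random string and disagree on the other two in opposite directions, which is the footnote's complaint in miniature: the complexity rule measures the shape of the string, the entropy estimate measures the attacker's work.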

  • busterarm 3 years ago

    I largely agree with you, but the problem ends up being when you have some braindead person in your GRC role who persistently fails to grok the scale of the operation...or doggedly insists that you prove negatives.

    Example: Some idiot person we have in IT insists that a control for proving lack of user admin access should be to screenshot the userlist w/ group permissions of every single server in our operation. Idiot IT person doesn't realize that we're at n*10^5 servers and still fails to understand how braindead his request is when you explain it to him.

    A lot of people now pursue the IT security industry itself without having any shred of experience managing computer systems, then confidently wade out into industry claiming to be experts.

    • dsfyu404ed 3 years ago

      Which kind of begs the question why pro-compliance people don't work to weed out what are effectively the white collar equivalent of clipboard warriors within their ranks since they reflect so poorly on and cause headache for the people who actually know anything.

    • durnygbur 3 years ago

      "I used to be a lawyer but now work in IT", "I'm reporting and escalating your non cooperativeness right now"

      • busterarm 3 years ago

        I've seen a lot of exodus professions into tech but thankfully after 20 years, I haven't seen many lawyers yet. Very few have the personality for it.

        Give me all of the hungry musicians that you can find though, they're great systems-thinkers.

    • sokoloff 3 years ago

      The “proof via a series of tedious screenshots” method of audit is absolutely infuriating. Please bring on the 10x auditors…

      • busterarm 3 years ago

        When you don't know what you're doing, dazzle them with bullshit.

        Best part of the story above is that in our system there are no human users that can access a live system. And proof of that is insufficient because the IT person isn't familiar with the practice.

        • lasereyes136 3 years ago

          > When you don't know what you're doing, dazzle them with bullshit.

          100% because most people don't know what makes good security so it is easy to get them to mistake volume with quality.

      • mianos 3 years ago

        Then they printed those screenshots out to be bound into a thick report to be presented to the board. (Not where I am but in a previous employer. Still makes me laugh).

  • pooper 3 years ago

    > Which brings me to the point: Compliance isn't just there to cargocult and boxtick. It's there because, left to their own devices, most organisations/sub-organisations will end up, at pinnacle-best, half-assing security.

    There is one company I know of that added a two step login to their azure active directory where logins expire every twenty four hours. It made no sense to me why they did things this way. As far as I knew, even Microsoft wasn't this restrictive with logins.

    Until I saw last week that people are willing to let tools like https://news.ycombinator.com/item?id=34416386 basically hijack their session tokens. If they can use this for good, imagine what other add-ons can use this for evil...

    So I think the idea is if someone steals your credentials, they will only work for twenty four hours and they would fail because hopefully they don't have your two step authenticator? I still don't like the idea but at least I see why they'd do this...

    Edit: maybe someone else here has a better idea why it is a good idea to require password and two step authentication every twenty four hours?

    • g_p 3 years ago

      > maybe someone else here has a better idea why it is a good idea to require password and two step authentication every twenty four hours?

      Not saying it's directly the answer here, but some distributed systems lack proper session blocking or revocation, as a session is a signed JWT or similar standalone token.

      If the security decision makers favour a 24 hour guaranteed lockout, rather than risking someone whose access has been suspended having an old session still live, this could make sense from being able to know and show access is always "gone" in 24 hours of blocking their ability to get a new token.
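An added example of the mechanism g_p describes, not code from the comment or from any real identity provider: a minimal HS256-style signed token with an `exp` claim, a purely stateless verifier, and the same verifier with a shared denylist. The key, timestamps and subjects are constructed for the demo. It shows why a stateless verifier cannot honour a suspension until the token expires, and so why a 24-hour TTL is a guaranteed upper bound on how long a suspended user's existing session keeps working.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a demo HMAC key; a real deployment would use a managed secret.
SECRET = b"constructed-demo-key-do-not-reuse"
DAY = 24 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(subject: str, now: int, ttl: int = DAY) -> str:
    """Mint a compact header.payload.signature token with an absolute expiry."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": subject, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_stateless(token: str, now: int):
    """Signature and expiry only: this verifier has no idea who has been suspended."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:          # malformed token, bad base64, bad JSON
        return None
    if now >= claims["exp"]:
        return None
    return claims


def verify_with_denylist(token: str, now: int, suspended: set):
    """Same check plus a shared-state lookup; the lookup is what makes instant revocation possible."""
    claims = verify_stateless(token, now)
    if claims is None or claims["sub"] in suspended:
        return None
    return claims


def residual_access_seconds(token: str, suspended_at: int) -> int:
    """How long an already-issued token keeps working against a stateless verifier after suspension."""
    _, payload, _ = token.split(".")
    exp = json.loads(_unb64(payload))["exp"]
    return max(0, exp - suspended_at)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue("alice", t0)
    suspended_at = t0 + 2 * 3600
    print("stateless verifier still accepts after suspension:",
          verify_stateless(tok, suspended_at + 60) is not None)
    print("denylist verifier rejects after suspension:",
          verify_with_denylist(tok, suspended_at + 60, {"alice"}) is None)
    print("residual access window (s):", residual_access_seconds(tok, suspended_at))
```

With a 24-hour TTL the residual window is at most a day; with a 30-day cookie lifetime of the kind quoted further down the thread it would be up to a month. The denylist variant closes the window entirely but needs every verifier to consult shared state, which is exactly the component some distributed systems do not have.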

    • m3047 3 years ago

      Here's a real-world example: https://cloudsek.com/security-flaw-in-atlassian-products-jir...

      "... cookie validity is 30 days. They only expire when the user logs out, or after 30 days."

    • thedougd 3 years ago

      24 hour session limits are what's asked from our site reliability (cybersecurity) insurance carrier.

  • walrus01 3 years ago

    > Which brings me to the point: Compliance isn't just there to cargocult and boxtick. It's there because, left to their own devices, most organisations/sub-organisations will end up, at pinnacle-best, half-assing security.

    I have to agree with you because I have seen first hand how many ordinary office workers, if left to their own devices and not given any other tool that they're mandated to use, will happily and blithely do things like store shared credentials/passwords in an Office365 Excel sheet that everyone in the company has access to.

    It's the role of the infosec people to set up something better and work with the C-levels to ensure that its usage is mandated, and people are not sneakily bypassing its use or sharing credentials for expediency's sake.

hnbear 3 years ago

I’ve found it immensely frustrating in numerous roles when discussing security, audit and compliance requests that the requesters can seldom actually explain their reasoning.

I want a clear statement of risk and why their proposed compensating control actually mitigates it.

Far too often the answers are just “it’s securerer” or “it’s the way we do it”, and actually proposing something that genuinely mitigates the underlying issue is ignored.

All that said, I’ll end up referencing this in the future as somewhat useful steps in a number of situations.

Some have simpler approaches - eg for password security can just reference NIST guidelines which currently clearly state not to rotate and just require length above complexity. And they're backed up with tested evidence and a clear rationale.

  • onphonenow 3 years ago

    Agreed totally. I had a nightmare govt double vpn situation. Very hard to get an account, you had to run ancient OS and Java (it would annoy you with warnings about lack of security/age) and comical password complexity / rotation rules. The result was rampant password sharing but also because you had this double vpn setup, each layer rotating - folks just couldn’t remember passwords. So they outsourced password reset. To reset your passwords you provided your 100% predictable username - that was it. Even I had to get a reset due to an inactivity lockout and I had to laugh at how easy it was after all the silliness - I could have given any username

  • Kalium 3 years ago

    I've found that quite often, the people suggesting that "the way we do it" mitigates a risk don't understand either aspect. Their goal is to achieve the feeling of having made it go away. They only want to do the thing and compliance is getting in the way, as they see it. Understanding the risk often works against that, as it might put them in a position of having to understand just how much effort they are wasting as they live with lots of residual risk that their superiors don't actually want.

    To put it another way, using a risk-mitigation approach instead of compliance only works when you have honest, earnest, and full good faith investment in the process. In practice, this is incredibly rare. We all know, are, or have been engineers who cannot imagine a system they wrote running without them having the ability to SSH in and sudo at will without having to justify anything.

    This is where compliance comes in. It sets standards and forces the issue. Even bad faith, low-effort implementations wind up having to meet a whole series of very clear - if occasionally box-tick-y - standards.

  • sokoloff 3 years ago

    I aim to build systems that are both secure and compliant. It’s convenient when (but not a given that) those two adjectives overlap with each other.

yawnxyz 3 years ago

This is an interesting article that puts words into what I've been feeling and observing for a long time — at first the transition into Academia from tech felt this way (e.g. wow everyone's programmed to follow the PhD track!) to moving to Australia (wow everyone's so rule abiding and pattern matching; anyone who's attempting to "lead" gets cut down; there's even a term here for it called "tall poppy syndrome")

But lately with all the layoffs it's kind of put a spotlight on tech startups and VCs. These are the smartest group of people who are supposed to escape mimetic behavior... but how do you explain all the VCs investing in me-too scooter companies or BNPL companies or yet-another-meal/grocery-delivery-service, who are now all absolutely wrecked by higher interest rates because these can only really thrive (or even survive) in low to no-interest rate environments? Why would these ever be $1B+ companies in the first place??

Sorry for the rant, it's just that the more you look, the more even the "smartest people in the room" are just performing rituals and it's disheartening and depressing.

  • krisoft 3 years ago

    > But lately with all the layoffs it's kind of put a spotlight on tech startups and VCs. These are the smartest group of people who are supposed to escape mimetic behavior...

    Well. That is your problem. You bought the marketing. There is no reason to think that VCs and startups are the “smartest group of people”.

  • dgb23 3 years ago

    We tend to learn through imitation more than we think. Humans lean on Theory of Mind: when we see others do a task we assume that it’s the right way of doing things, so we adopt their incantations.

    Generally this is not something that should be disheartening. It’s an incredibly efficient learning method that spreads cultural advancements quickly.

    Have you ever tried to train a dog? They try to understand you, but they don’t imitate. You have to meticulously motivate them through each step of a behavior and mark it consistently with commands. It’s fun, but requires a lot of patience.

    With humans you can just demonstrate something and they can imitate complex workflows in just a session or two.

    The master said to the apprentice: “I’ll only show you this once, so watch carefully!”

  • lynx23 3 years ago

    Thank you, I've just learnt something this morning, almost before the first sip of coffee...

    https://en.wikipedia.org/wiki/Tall_poppy_syndrome

trabant00 3 years ago

Cargo culting is unavoidable. We build everything "on the shoulder of giants". We do not have the infinite time and energy to analyse every problem from beginning to end and develop a perfectly fitting solution for it. For the most part we must copy behavior observed in successful entities. We also do not have the energy and effort to perfectly analyze the observed behavior so some data is lost in the copy. You end up with ceremonial solutions to problems that might not even exist in your case.

Ceremonies mostly get discarded by evolutionary pressure in the long term. Some end up taking a lot of time and energy to perform for zero benefits so they reduce the evolutionary fitness of those who perform them. These ceremonies get gradually removed from the "gene pool", being replaced by behaviors that actually bring some benefit. But those will be imperfectly copied as well and the cycle begins again.

  • trashtester 3 years ago

    > We build everything "on the shoulder of giants"

    There may be huge variances in the degree that we do that, though, and in the degree that we're able to prevent really bad ideas from spreading. Some organizations are seeing really bad (but good looking) ideas spread like cancers, until the organization is completely perverted.

    > Ceremonies mostly get discarded by evolutionary pressure in the long term.

    This is perhaps the main strength of capitalism. There needs to be an actual mechanism for bad ideas to die off. Many large organizations (especially "too large to fail" or publicly owned) lack good mechanisms to limit the growth of organizational entropy.

userbinator 3 years ago

I believe that such dogmatic "thinking" (if one can call it that) exists and propagates only because people are being discouraged from thinking critically. They are instead encouraged to find "best practices" and "solutions" from others (often giving them $$$), which they can blindly follow, instead of evaluating their unique circumstances and thinking independently about their own needs. The constant use of "security" as an excuse or thought-terminating cliche, because it and similar FUD seems to have such a strong persuasive effect to those uninitiated unthinkers, doesn't help either.

  • ta8645 3 years ago

    No offense, but I think you're exactly wrong. People need to trust the science, so to speak, and leave the thinking to domain experts who can dictate the best course of action for everyone.

    On their own, too many people are prone to following misinformation, and can't even be trusted to read both sides of any given argument critically. If the last few years hasn't taught us this lesson, what has it taught us?

    • arp242 3 years ago

      Should we have trusted the experts on satanic ritual abuse in the 80s and 90s?

      I have many gripes with this attitude; experts can be wrong and even entire fields can be wrong. The satanic ritual abuse is a particularly egregious example with many "experts" mouthing off complete nonsense, but also see e.g. the replication crisis.

      And which expert do you believe? There are many expert. "You've got to ask the right expert" https://www.youtube.com/watch?v=lADB9Qu53CY

      Remember all the "experts" that told us that asbestos and smoking was harmless? Or the "experts" that told us climate change wasn't real? Later turned out that this was just industry FUD/lies.

      Experts view things from their expertise. That's great, but many scenarios extend beyond one expertise and involve trade-offs, and can't be viewed purely through one lens.

      Now, I'm not so arrogant to think that "I know better than the experts"; in many cases I don't, but to always just "believe the experts" seems naïve.

      • lynx23 3 years ago

        My favourite example to illustrate this is the story of Louis Braille. He invented Braille because the tactile reading system taught to blind pupils was horribly slow and inefficient. Once he invented his 6-dot reading system, he had to teach it to fellow blind people in secret, because the institution he worked for condemned what the blind had apparently come up with. Yes, because the "experts" on teaching blind people were not even willing to consider anything these people were coming up with, because, apparently, this is a danger to the institutions wanting to claim expertness.

        These stories happen all over the place, and still repeat themselves when it comes to how disabled people are treated in institutions today.

        Still, some conservatives are still willing to wink anything through a self-proclaimed expert utters to the masses.

    • lynx23 3 years ago

      It has taught us that media distorts scientific information on demand. I am generally on your side, however, my lesson in the last years is that the communication channels can not be trusted, therefore I can no longer blindly trust what science supposedly tells me.

      • bombolo 3 years ago

        Also scientists distort scientific information.

        I was recently arguing with a vegan about how healthy it really is to be vegan, and I sent a german paper that tested 75 people and found a generic lack of iron absorption.

        The other person said 75 is too small size, and sent me a literature review that claimed that iron absorption in vegans is fine. The only source for that claim in the literature review was the same paper I had originally sent.

        So the authors of the literature review just quoted a paper, completely changed the original conclusions, and got it approved.

        If we were serious about science, they should all face punishment for even attempting this. But they knew that at worst their paper would be rejected.

        • lynx23 3 years ago

          It is similar to what happens with teachers where I come from. Once you managed to obtain the status of "teacher", it is virtually impossible to lose it again, no matter how bad your teaching is. Apparently, something similar is going on with scientists, and a few other professions. There is no mechanism in place to get rid of bad apples, because society thinks it would be unfair to remove someone from a job where they had to go through considerable training to actually get it.

    • trashtester 3 years ago

      Trust is earned, not given.

      The word "Science" came from a type of knowledge/knowledge-seeking that has been very successful from the age of Newton to present day.

      But Science's success has become its curse. Lots of fields now call themselves "Sciences" even if they're not employing the kinds of standards and methodologies that lead to the early successes. People with ulterior motives (economic, ideological, political, social or religious) have for a long time claimed to represent Science.

      Lately, "Science" has warped into "the Science", meaning a world view promoted by a set of authorities that can be highly partisan. In many cases, the kind of mechanisms that ensured (eventual) falsification of bad ideas have been abandoned. Instead, "the Science" must now often comply with what we WANT to believe, rather than with evidence.

      Understanding real Science is still as useful as ever. Not only does an actual scientific education give access to understanding directly, it also helps us see through those who claim to represent "the Science", but who are not respecting the Scientific Method. People without a proper scientific education will, today, be helpless in distinguishing between real Science, cargo cult Science and outright fraud.

      I would argue the same goes for IT security. At least a few decision makers in an organization need to have a fairly good understanding of the topic to know how to deal with it, either internally or through service or software vendors.

    • hoseja 3 years ago

      I am invoking Poe's Law on this one.

mkl95 3 years ago

A manager once asked me to rewrite a bunch of tests written by some former employee, because a security tool was complaining about hardcoded credentials. My guess is that he wanted to satisfy some OKR about how many security issues reported by that tool had been "fixed". Probably the most ridiculous thing I've done.

  • beardedwizard 3 years ago

    So you think hard coding credentials, or other variables for that matter, is a good idea?

    • astrange 3 years ago

      If those were unit tests they weren't real credentials.

    • manicdee 3 years ago

      How do you test the rules about passwords containing at least one uppercase letter, one number and one special character if you don’t test with passwords that definitely do not contain those characters?

    • mkl95 3 years ago

      I don't think it's a bad or good idea, it depends. In that case they were harmless. For comparison, some people shared passwords on Slack and email in plain text.

getoffmyyawn 3 years ago

I'm currently working at a mid-size startup that is undergoing ISO27001 certification. A lot of the complaints we are getting from employees are similar to the contents of this article.

Part of my job is training our staff on the new requirements. They question everything from why each individual has to badge in one by one to why doors can no longer be propped open. Why can they no longer access company resources with personal gear? Why can't they install whatever they want on their company gear? It goes on and on.

My answer is always the same, in order to be certified we need to show that we have demonstrable, verifiable control over this (for example entry logging).

  • dspillett 3 years ago

    Away from standards like that, we also sometimes have requirements from clients' compliance people, and "what they don't know won't hurt them" (which some would love to get away with) doesn't, can't, wash. We will directly lose work, or the chance to bid for it, if we don't comply or can't demonstrate compliance. People moan less about some inconveniences if it is explained as "because jobs or bonuses may be at risk if we don't comply".

ggm 3 years ago

Ceremonial Security of another form is Key Ceremonies with HSM. They are "why should I trust this Trust Anchor" stuff. Highly ritualised behaviour, but it can be very important for public trust.

karlkloss 3 years ago

You don't know anything, and have no control, so you create an illusion of control. https://en.wikipedia.org/wiki/Illusion_of_control

m3047 3 years ago

If you truly have control, then largely the artifacts of that control should be auditable by everyone.

The security cameras.

The door logs.

The DNS and netflow logs.

Ok, not sure about 10,000 screenshots showing nobody has admin access...
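An added example, not from any commenter, of what the screenshot request earlier in the thread could have been instead: a script that parses each host's `/etc/group`, reports every human account in an admin group, and emits one deterministic, hashable evidence record for the whole fleet. The three-host inventory, the admin group names and the service-account allowlist are constructed for the demo. The same code runs unchanged over a hundred thousand hosts, and the digest lets an auditor check that the evidence they were shown is the evidence that was collected.

```python
import hashlib
import json

ADMIN_GROUPS = {"wheel", "sudo", "admin"}
# Assumption: non-human accounts are identified by an explicit allowlist.
SERVICE_ACCOUNTS = {"deploy", "backup", "ansible"}

# Constructed inventory: host -> contents of its /etc/group (not real data).
INVENTORY = {
    "web-001": "root:x:0:\nwheel:x:10:deploy\nusers:x:100:alice,bob\n",
    "web-002": "root:x:0:\nsudo:x:27:bob,deploy\nusers:x:100:alice\n",
    "db-001":  "root:x:0:\nwheel:x:10:\nadmin:x:115:ansible\n",
}


def admin_members(group_file: str) -> set:
    """Parse /etc/group lines (name:pw:gid:members) and return members of admin groups."""
    members = set()
    for line in group_file.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or fields[0] not in ADMIN_GROUPS:
            continue
        members.update(m for m in fields[3].split(",") if m)
    return members


def human_admins(group_file: str) -> list:
    """Admin-group members that are not known service accounts, sorted for stable output."""
    return sorted(admin_members(group_file) - SERVICE_ACCOUNTS)


def audit(inventory: dict) -> dict:
    """One evidence record for the whole fleet, canonical so its hash is reproducible."""
    findings = {host: human_admins(text) for host, text in sorted(inventory.items())}
    canonical = json.dumps(findings, sort_keys=True, separators=(",", ":")).encode()
    return {
        "control": "no-human-admin-on-live-hosts",
        "hosts_checked": len(findings),
        "violations": {host: users for host, users in findings.items() if users},
        "evidence_sha256": hashlib.sha256(canonical).hexdigest(),
    }


if __name__ == "__main__":
    print(json.dumps(audit(INVENTORY), indent=2))
```

In practice the per-host group file would come from configuration management or an agent rather than an embedded dict, and the record (plus the raw inputs, under the same digest) would be what gets filed, not a stack of screenshots.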

voz_ 3 years ago

An essay without a thesis? The topic seems interesting, but I am not sure what the author wanted me to get out of this.

  • viraptor 3 years ago

    Apply the "How to remedy" steps where you see the ceremony going too far?
