Profile picture
Jan Schaumann @jschauma
, 11 tweets, 3 min read Read on Twitter
I kinda feel like there's an #infosec equivalent to Brooks's Law: hiring more infosec people does not make an organization (or project) more secure. Likewise, mirroring complexity, I think we have accidental as well as essential insecurity.
We often measure #infosec team success or impact via navel gazing: how many vulnerabilities we identified, how many open ports we found, how many AWS tokens we found in git.
The remedies? Build more tools to detect more stuff, deploy more agents, create more dashboards, tickets, metrics. All that requires more people, so our headcount requests go up.
Let's leave aside the entire discussion of teams and organizations basing self-value on team size, the competition for headcount within a company, and all the Peter Principle tangents.

Finding more vulns etc. does not make you more secure.
Now imagine that you got N headcount approved for your team. How much will you be able to reduce the overall risk, and in what time frame? Is #infosec headcount the most efficient way for the company to reduce the risks you’ve identified?
Suppose instead of getting headcount for your team to beef up scanning, vulnerability management & remediation you had the infrastructure folks invest into fully automated, frequent OS & software updates - which investment would pay off more in both the short and the long run?
More generally speaking, I believe that all too often the security teams are mostly addressing accidental insecurity, while fixing essential insecurity requires cross-company efforts and possibly changes in business strategy:
Accidental insecurity: an old CVE pwns you hard.
Essential insecurity: your systems don't auto-update.

Instead of focussing on detecting vulnerable systems (often run under #infosec), add resources to auto-updating (usually run under infrastructure/product).
Accidental insecurity: your developers access tokens are compromised.
Essential insecurity: you still require interactive login capabilities and privileged accounts.

Instead of spending money on hardening your auth flows, consider working towards not requiring logins?
Accidental insecurity: your users' PII is stolen.
Essential insecurity: you have a need to collect and retain users’ PII.

Instead of spending ever increasing amounts of money on failing to protect it, can you work to reduce the amount you have?
I'm not saying the answers are obvious, the solutions trivial, but I do think the questions are worth asking. Unfortunately, that requires putting the larger org above your immediate team; that's often unpopular. But you didn't get into #infosec for popularity, now, did you? :-)
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jan Schaumann
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#infosec

More from @jschauma see all

Profile picture
Google to deprecate TLS 1.0 and 1.1 in Chrome, going to users in 01/2020: security.googleblog.com/2018/10/modern…
Mozilla has a similar timeframe for deprecating TLS 1.0 and 1.1: blog.mozilla.org/security/2018/…

So yeah, you can get started on turning those off, too.
Stick a fork in it, it's done: both Apple and Microsoft also announced the deprecation of TLS 1.0 and 1.1 in Webkit and Internet Explorer and Edge: webkit.org/blog/8462/depr… blogs.windows.com/msedgedev/2018…

(Well, except for all the unpatchable IoT devices you need to support... :-/ )
Read 3 tweets
Profile picture
Secure co-tenancy in VM hosting is a myth. Arbitrary host RAM leak via speculative side channel: xenbits.xen.org/xsa/advisory-2… intel.com/content/www/us… CVE-2018-3615 CVE-2018-3620
RedHat has a good write-up on this L1TF vulnerability: access.redhat.com/security/vulne…

Apparently aka “Foreshadow”, because branded vuln: foreshadowattack.eu
Additional #foreshadow / #L1TF links:
Wired: wired.com/story/foreshad…
Intel: newsroom.intel.com/editorials/pro…
MS Azure: docs.microsoft.com/en-us/azure/vi…
Google Cloud: cloud.google.com/blog/products/…
VMWare: blogs.vmware.com/security/2018/…
Microsoft: blogs.technet.microsoft.com/srd/2018/08/14…
Read 3 tweets
Profile picture
So other than following up on shit that should have been done but wasn't, sifting through miles of forwarded emails (all with full quote below a statement saying "my comments in red” or “+cindy”), and cursing Slack "threads", I spend a good chunk of my day juggling Jira tickets.
So much of our work is ticket driven, yet many of us seem to lack basic best practices and habits that could make our (ok: my) life a lot easier. So let me present a quick primer:

Essential Ticket Skills - just because Jira sucks doesn't mean you have to!
(Note: most of this applies equally to Bugzilla, GNATS, or whatever bugtracking software; I just happen to use Jira at the moment, so that's what my examples are based on.

And don't you fucking start with Trello or sticky notes and "swimlanes". Those can fuck right off here.)
Read 24 tweets

Related threads

Profile picture
I've been tagged in quite a few #FF today, and as it's the last Follow Friday of the year, I wanted to take a sec to chat about social media as it relates to #infosec and #threatintel.

Kind of like a year in review.
Social media has been a hot topic this year. It's literally made it into the halls of Congress. But I'm not going to talk about how Jack and Zuckerberg are selling our souls away at our own consent, or about how they're knowingly assisting in foreign information operations.
Let's chat about potential.

Social media has a massive potential for change. You don't have to look much further than the Arab Spring to know that. For our industry, it has a massive potential for great, or awful, change.
Read 14 tweets
Profile picture
The #aabill is incredibly short-sighted & luddite. Even if the AU Gov. can coerce tech companies to backdoor encrypted messaging platforms, nothing's going to stop people from resorting to using free & opensource #crypto software like @GnuPG! #auspol bit.ly/2QbxUor 1/
Popular #crypto software is trusted because it's been written & vetted by members of a decentralized #opensource community which you can't coerce. If you want to make it illegal to possess @GnuPG in Australia because you can't backdoor it, then you'll kill the IT industry. 2/
Software devs/engineers use #crypto daily to safeguard the apps & systems we code & run against malicious tampering. The #InfoSec community also needs to be confident it can discuss and coordinate responses to security vulnerabilities before they can be patched in private. 3/
Read 11 tweets
Profile picture
So, I've waded through the Evangelical Alliance's new pastoral "guidelines" for interacting with trans people (ughh, the things I do to expose #transphobic #ciswits to the world), and let's just say it's time to tear this particular sh*t-bag a new hole.

1/n
CW: #Transphobia, #ConversionTherapy, #Zucker, #Religiously #driven #zealotry

2/n
So, straight off the bat, first page of text, the use of #language is . . . well, yeah, see for yourself:

"It is important to remember that transgender is not simply an issue to be debated;" - p5, #Transformed

*sigh*

When such language gets reinforced by insisting...

3/n
Read 176 tweets
Profile picture
A world which increasingly consists of destinations without journeys in-between them, a world which values only getting somewhere as fast as possible, becomes a world without substance.
One can get anywhere and everywhere and yet the more this is possible the less is anywhere and everywhere worth getting to. To travel is to be alive but to get somewhere is to be dead. To travel well is better than to arrive.
To succeed is to fail, as we mostly get caught in the trap of wanting to always succeed, thus forgetting to live. Grasp nothing, refuse nothing, receive but don't keep anything to yourself...Be a man of value more than a man of success. #Think #ItIsLegal
Read 3 tweets
Profile picture
This is the best thing on Twitter this morning. I see too many security products trying to *replace* human-to-human interaction - there’s a good chunk of security and privacy that’s about *people*.

Let’s make more products which help people STOP, collaborate, and listen 😝
Forgetting about the “people” part of security is why we’ve heard “GRC is dead” for the last 10 years. We’re on “GRC 4.0” now and it *still* sucks.

GRC tools like Archer are designed for Process and Technology but forget about the poor People who have to use that dumpster fire.
We still have new vendors trying to design single-pane-of-glass “CISO dashboards”, meanwhile *very* few security companies are truly focused on people (not just security people) inside of organizations.

@duosec is one of the few companies who has focused on people. @habitu8 too
Read 10 tweets
Profile picture
A thread on being a so-called “Security expert”.

I cringe at how much sincere, well-meaning, yet ultimately WRONG #infosec advice I gave out while working as the founder/VP Eng of a major security vendor.

When I left at IPO, I knew I needed a broader perspective. (1/N)
It’s too easy for someone in #infosec to call themselves an “expert” or (god forbid) a “thought leader”. Very few of us so-called experts have a rigorous background in security. My background is software. Most of us just jumped in early and learned as we went.
#SecurityExperts
#infosec is so broad, it covers so many technical and non-technical disciplines, that most of us who were experts in ONE area (like vulnerability mgmt in my case) have very deep expertise in that ONE area, but we’re amateurs in most other areas. #SecurityExperts
Read 25 tweets

Trending hashtags

#nation #Gnosticism #AccidentsWillHappen #other #antichoice #time #History #Opposition #battle #repent #Bible #SecurityExperts #young #RecordStoreDay2019 #Transform #Trump #crypto #think #Intel #ICCS2018 #2factortuesday #security #Blogs #LookNow #MyHealthRecord

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!