Continuing our tradition of tweetchats, we were fortunate to have the brilliant Lesley Carhart join us as a special guest to share her views on security myths. It was a lively discussion with many viewpoints shared. Searching for the #AlienChat hashtag should give you a good insight into all the conversation.
We kicked things asking what people thought were some of the biggest myths or misconceptions around incident response.
Lesley summed up the thoughts of many that incident response isn’t necessarily a rapid process.
A1: A misconception I see a lot is that it’s a fast process. IR certainly involves quite a bit of emergency triage and first response, but actual forensic analysis of incidents takes hours upon hours of evidence processing and painstaking analysis. #AlienChat— Lesley Carhart (@hacks4pancakes) March 15, 2018
Additionally, many viewpoints were shared
That attribution is the end of the hunt instead of its beggining— Arthur (@lomokol2) March 15, 2018
And it’s critical that more people are involved. When running a tabletop, there is always one guy who “knows all the answers.” The first thing I do is kick him out of the room (e.g. he’s on vacation and can’t be reached) and see how the rest of the team runs. #AlienChat— Hacker⚡️Hiker (@hackerhiker) March 15, 2018
A1: that the validity of first analyses will be held up. Your first results will not necessarily encompass the whole scope of an incident or even be the real target. It could take even days to determine actual and full extent of impact #AlienChat— killall -9 khaxan (@khaxan) March 15, 2018
Security conferences are big – you’ll probably find a security conference or event of some description in nearly every major city around the world.
A lot of the discussion revolved around the concepts of the speakers and public perception of the attendees.
A2: #AlienChat You need big names to make them worthwhile. while I do find the "Rockstars" give good talks, I always find just as good and even more interesting talks from "lesser" known people.— Michael Kavka (@SiliconShecky) March 15, 2018
A2 - That hackers and security cons are devoted to illegal activities or that attendees are professional criminals. I’m sure some are but most sec pros teach/learn these techniques for better defense #AlienChat— Jim Wojno (@jim_wojno) March 15, 2018
Agreed, but, as an unknown speaker, it is difficult to get pas the CFP process if you are not a famous speaker or have some sort of 0-day. There is a reason you see the same speakers everywhere— Michael Kavka (@SiliconShecky) March 15, 2018
A2: wow how long do you have? I'd say a lot is around perception or the feeling like speaking at a conference is needed for validation. Or that people that speak at cons know more than others. Or even that cons are a true reflection of the industry. https://t.co/CcpJUTlBwn— Javvad Malik v2.0 (@J4vv4D) March 15, 2018
Q3: What are the biggest misconceptions in the industry around Security Information & Event Management (SIEM) and how it works? #AlienChat— AlienVault (@alienvault) March 15, 2018
SIEM has been the topic of debate for many years. Is it the one tool to save them all, is it just an overhyped technology, or can nobody agree on what it actually is? As expected, there was no shortage of opinions on the misconceptions surrounding SIEM.
A3: Lots of companies rely on the out of box reporting that SIEMs provide. Though they are nice, they cannot beat a well-tuned SIEM. Similarly, just because you are getting *some* log data, does not mean you're seeing everything. Make sure you audit sources!! #AlienChat— kateo (@vajkat) March 15, 2018
A3: That it is a blinky box that solves all your problems and protects your hopes and dreams? #AlienChat— InfoSecSherpa (@InfoSecSherpa) March 15, 2018
A3: That merely placing a box in the network mitigates need for understanding your network and its operational function. A SIEM or “next generation” appliance can certainly help you understand your network, but security still requires business and topological context. #AlienChat— Lesley Carhart (@hacks4pancakes) March 15, 2018
Q3: Not realizing that for every dollar you spend on a #SIEM solution, you’ll have to spend five dollars to fully and properly implement it. And that SIEM is the opposite of ‘plug n play’. When Guns N Roses sang "Its so easy", it was not about SIEM. #AlienChat— Ben Rothke (@benrothke) March 15, 2018
A3: Misconception - that it works out of the box without massive tuning! #AlienChat— Ed Tucker (@Teddybreath) March 15, 2018
People tend to view SIEMs as tools that once installed can be left alone... if it's not part of your daily operations, and you aren't maintaining it/tuning it on a daily basis, you likely aren't getting much value out of it. #AlienChat— Rot26 (@rotate26chars) March 15, 2018
Encryption and Backdoors
I may have had a little rant about this one…
Not that anyone disagreed
A4: That “totally secure” encryption backdoors are plausible. Mathematics and engineering aren’t magical. Providing a means to backdoor encryption either weakens the math, or the engineering behind encryption solutions. It is a recipe for disaster. #AlienChat— Lesley Carhart (@hacks4pancakes) March 15, 2018
A4: Misconception, that encryption is THE answer to data protection. Kind of negating legitimate access from a legitimate asset, genuine, malicious or compromised. #AlienChat— Ed Tucker (@Teddybreath) March 15, 2018
2020: It's no myth that long ago, politicians and other power-crazies used to believe both encryption and backdoors could co-exist. Then they faded away into irrelevance.— railzand (@railzand) March 15, 2018
There were also some valid observations around the usability and education around encryption.
A4: Firms don’t do adequate training on how to use #encryption. The paper 'Why Johnny Can't Encrypt' showed that the use of encryption programs like PGP are not intuitive to an average end-user. And they incorrectly use encryption. And about that bear key management. #AlienChat— Ben Rothke (@benrothke) March 15, 2018
From what I see, people outside our industry largely believe encryption is something they don’t need. They need to be educated on why encryption is important for everyone. #AlienChat— Help Net Security (@helpnetsecurity) March 15, 2018
Q5: What misconceptions would you like to dispel relating to anti-virus use? #AlienChat— AlienVault (@alienvault) March 15, 2018
We were on a roll by now and we weren’t looking to avoid any of the tricky topics, anti-virus being the next on the list. Surprisingly, it didn’t turn into an all out anti-virus bashing question, with some good points raised about its usefulness.
Anyone who says "AV is junk" doesn't have the right one, or has the right one, and has misconfigured it.— it's chris plummer (@chrisplummer) March 15, 2018
With spam, a lot of attention is paid to new attacks, but ~30+% of abuse is using old techniques. The same is probably true about AV - it may not be the new hotness, but lots of older attacks still need to be prevented.— Autumn Tyr-Salvia (@aceofemail) March 15, 2018
As such, running shotgun with no AV and scanning files on VT before running them isn't a solid alternative. Recommend using at least on AV. Windows Defender is pretty solid, if you can't afford a commercial product.— Catalin Cimpanu (@campuscodi) March 15, 2018
A5: Just because a skilled hacker can evade it, it makes it worthless. It is an important layer of a defense in depth strategy to catch to garbage everyone knows about. #AlienChat— Hacker⚡️Hiker (@hackerhiker) March 15, 2018
Q6: How about professional certifications? Are they needed for career advancement? What common misperceptions have you come across? #AlienChat— AlienVault (@alienvault) March 15, 2018
Professional certifications are a polarising topic. Some professionals strive to collect as many as they can, while others turn their noses up in disgust whenever one is mentioned. Others, see them as a necessary evil to jump through recruitment hoops.
People seem to think they're just a waste of time and just a CV must-have, but I've actually learned a lot from my only and lowly certification courses. Some of them have pretty good intros into certain fields. #AlientChat— Catalin Cimpanu (@campuscodi) March 15, 2018
A5: At the end of the day, #infosec certifications are the nice, warm glass of milk #HR people need to make them feel they're doing their job. I’ve yet to see any empirical evidence that certs add to #infosec. I’m saying that as someone with a number of certifications. #AlienChat— Ben Rothke (@benrothke) March 15, 2018
I have seen them needed to clear the HR hurdle, but some are not indicative of any particular level of passion or work ethic. I have had fantastic staff with and without, and had questionable staff with and without certifications. To me, they are like the sprinkles on ice cream.— Joseph Nyleen (@JoeKnowsCyber) March 15, 2018
A6: It frustrates me to see people degraded for getting certifications. They can provide an important career stepping stone and foundational knowledge for people who start out at a technical, financial, or geographic disadvantage. See them for what they are. #AlienChat— Lesley Carhart (@hacks4pancakes) March 15, 2018
Are they "needed" - No.— rnbwkat (@rnbwkat) March 15, 2018
They are useful, but not required. They should never be a single measure of any #infosec professional. If someone had years of experience and no certs, great. If someone had only certs, but no experience, then I would be concerned. #AlienChat
A6: I used to think they provided no value until I saw that HR departments really look for it, but also so do customers. They prove the individual knows X about Y and if that's what you're looking for, it's a valid measure! #AlienChat— kateo (@vajkat) March 15, 2018
Cloudy with a chance of Security
There’s no escaping the cloud. More and more organisations are adopting it to some degree or another. So, it makes an important topic of discussion.
It reminded me of the wise words of an ex-colleague.
A7. As my man @sawaba used to say, too many people mistakenly believe "Secure because Amazon". You still have stuff to secure, monitor, and assure. It's not secure just because you've moved it to the cloud. #AlienChat https://t.co/RUQRIv7Vi1— Javvad Malik v2.0 (@J4vv4D) March 15, 2018
Couldn't agree more, the recent outage is the perfect example for it https://t.co/xgtiUYgGsG— Deepak Ravi (@iyerintel) March 15, 2018
A7: I’ve had people say to me, “Nobody can see my organization’s data if it’s in the cloud. It’s totally secure!” Me, “Have you read your terms of service to see what permissions you gave your storage provider when you signed that contract?” Them, “Uh, what the what?” #AlienChat— InfoSecSherpa (@InfoSecSherpa) March 15, 2018
A7: People treat the “cloud” in general as if it is independent of the rest of IT. Cloud is distributed computing resources using fairly familiar infrastructure. Traditional security rules apply, including those regarding storing and transferring data externally. #AlienChat— Lesley Carhart (@hacks4pancakes) March 15, 2018
A7: People treat stuff in VPC’s as on premise. Internal traffic over http, bad horizontal traffic monitoring, non-immutable servers with ssh access... y’know the fun stuff.— KaptnKiwi (@CaptnKiwi) March 15, 2018
A7: That the cloud vendor takes on the bulk of the security responsibility.#AlienChat— Infosec Samurai (@infosec_samurai) March 15, 2018
Q8: Let's turn our attention to threat intelligence - what are your favorite myths & misconceptions here? #AlienChat— AlienVault (@alienvault) March 15, 2018
We weren’t joking when we set out to destroy the big myths and misconceptions in the industry, so we pointed our focus towards threat intelligence and Twitter didn’t disappoint
Replace the word ‘indicators’ with ‘metrics’ and your statement is just as valid.— Lance Spitzner (@lspitzner) March 15, 2018
A8: Threat intelligence is one of those overused terms that promises to solve all your problems. Sometimes, especially if you lack the manpower, it can just add more noise instead of providing insight. #AlienChat— Help Net Security (@helpnetsecurity) March 15, 2018
The commodity that is marketed as threat intelligence but also the misconception that technical indicators can provide absolute certainty on attribution #AlienChat— Raj Samani (@Raj_Samani) March 15, 2018
That it is completely useless - threat intelligence from within your industry can be very valuable. If you're not in an ISAC or ISAO for your industry, join up. If your industry doesn't have one, start one (even an informal group).#AlienChat#Repost— Bill Kyrouz (@Kyrouz) March 15, 2018
A8: That the IP address in your logs has literally any connection to the geographical location of your attacker's corporeal form. #AlienChat— aGV5aXRzbWlrZXl2 (@heyitsmikeyv) March 15, 2018
Open Source Software
Q9: What erroneous myths do people believe about Open Source software? #AlienChat— AlienVault (@alienvault) March 15, 2018
The cost and security of open source was a consistent theme among the participants.
A9: Just because the code is open to everyone, it does not mean it’s more secure. #AlienChat— Help Net Security (@helpnetsecurity) March 15, 2018
That it’s dangerous because “hackers” might have written it— Miss IG Geek (@MissIG_Geek) March 15, 2018
A9: That all open source apps are equally secure. Or even secure in the first place. #AlienChat— Ben Rothke (@benrothke) March 15, 2018
A9: That open source software is “free”. Lack of an initial capital expense doesn’t take into account the engineering hours required of the responsible teams. Open source software is awesome, and we should leverage it, but those costs must be taken into account. #AlienChat— Lesley Carhart (@hacks4pancakes) March 15, 2018
That its free and works. Just because something open source doesn't mean there isnt maintenance involved. There need to be constant contributions for bug fixes & code changes. So if you use it, and can code - contribute. #AlienChat— Jack Halon (@jack_halon) March 15, 2018
I don't think people realize how much open source is in their ecosystem, even small unseen components, all of which can present an attack surface. #AlienChat— it's chris plummer (@chrisplummer) March 15, 2018
Q10: When it comes to threat detection - are there things that people consistently get wrong? #AlienChat— AlienVault (@alienvault) March 15, 2018
We wrapped up our marathon hour by asking what common misconceptions there are with / around threat detection.
I love when people freak out because a binary file changed because they don't keep track of patch updates, or see packets going to "weird" ports without the knowledge of something benign on the network #AlienChat— killall -9 khaxan (@khaxan) March 15, 2018
They expect to be able to detect threats using their own threat intelligence and tools, when in reality, they need to be using shared threat intelligence and actively collaborating with others to defend against today's continually-evolving threats #AlienChat— Brian Hayes (@writerunroar) March 15, 2018
A10: The "I know just enough to be dangerous" crowd has a habit of getting really hung up on file modification timestamps. Timestomping is trivially easy to do. Just because that malicious script in your webroot says it's been there for months doesn't mean it has been. #AlienChat— aGV5aXRzbWlrZXl2 (@heyitsmikeyv) March 15, 2018
Undervaluing end users. If you build your #culture around business integration and not being punitive with mistakes, you can generate an extra set of eyes. You save time when someone says "yes I clicked on that." #infosec #AlienChat— Infosec Samurai (@infosec_samurai) March 15, 2018
It would appear as if there are more myths and misconceptions in information security than there are truths. Although, that being said, there were a lot of common themes that most participants agreed upon, so maybe it’s a case of fixing a few issues to have a broad impact.
Let us know if you have any additional thoughts or suggestions for future topics by tweeting us @AlienVault or join our next #AlienChat – we look forward to continuing the discussion.