Tuesday, January 20, 2015

Not a lot of drool lately... but how about hacking in the mainstream, eh???

"You work dark alleys, I work the dark nets..."  So that is the tag line that Patricia Arquette's character drops during the latest trailer for the next installment of CSI, CSI: Cyber.  It was bound to happen sooner or later.  With high profile breaches like Sony Pictures, Target, etc., Hollywood is cashing in on the idea of digital terrorists and cyber criminals stealing anything not secured and stored in a fireproof, airtight container at the bottom of an ocean.  Seriously, it is terrible out there.  It was hard enough keeping track of the latest vulnerabilities and exploits so we can defend our networks, but now this stuff has hit the mainstream.  So this is both a good thing and a bad thing.

I'll start with the positives...  We, as security pros, now have a way to explain to our non-technical associates and managers the dangers of the internet.  Granted, the material in the TV and movie versions of our daily lives is a bit inaccurate (I'm being nice), but it is still being put out there.  Sure, we can go back to great movies like WarGames and Sneakers, but they are a bit dated (Sneakers is still my favorite).  Swordfish was a good flick as far as action goes, and well, Halle Berry made it even more tolerable, but no one out there is going to hack the NSA in 60 seconds at gunpoint and... well, you saw the movie.  Oh wait, I was supposed to be positive here.  So yeah, it gets the concepts in front of the civilians.  They now know there is a danger out there in the digital landscape.  Information is not as private as we once thought, and anyone with motive and ability will do their best to get at it.  This will certainly help those of us who struggle with securing budget to improve our current environment.  That larger budget will help us bring in additional staff, train our current employees and install that SIEM we've been wanting all these years.  Now when the CIO questions your budget you just need to say "Because Blackhat!".  OK, you will need to do more than that, but it will certainly help sway their opinion on your needs.  Also, I say "CIO" because there are still big corps out there that have not yet gone the route of having an official CISO to handle InfoSec.  Also, no reason you Sys Admins can't use the same argument.

OK, so the negatives were mixed in with the positives a bit.  Something that I think these Hollywood interpretations of hacking may do is set an unrealistic expectation on our current security teams.  I mean, companies are going to expect their IR teams to be able to handle themselves in a firefight, or decrypt anything with a power cable attached to it, and maybe even go toe-to-toe with trained assassins while getting root on the Unix server.  Sounds exciting, huh?  Believe me, there are days where we wish it was a little more exciting.  The reality of it is that our jobs, from the outside, do not look all that awesome to the non-tech folks.  I mean, if they tried to make a movie about what most of us do but still include action, this would be the result:

Don't get me wrong, in our minds and in what we see, we do pretty exciting stuff.  But some folks may just think we are nerding out over some code or the latest gadget.  Now we can scoff at this latest trend in Hollywood, or we can use it as a tool, like we use PCI or HIPAA, to get what we want from our senior management.

Well, I've ranted enough for the day.  I'll have more here in the coming weeks, I imagine.  For now you can also head over to Nutmeg Infosec and keep up with some stories there!