http://www.darkreading.com/endpoint/security-lessons-from-my-car-mechanic/a/d-id/1324364



*Security Lessons From My Car Mechanic*

*What an unlocked oil pan taught me about me about the power of two-way
communication between security pros and the organizations they serve.*

I was in the shop the other day because my car was making strange noises,
and the mechanic told me that the oil pan had come unlocked. It was going
to be an easy fix, once they removed the engine to get at the clamp that
needed replacing.

When I tried to get an understanding of how severe the issue was, he told
me that it could bounce around and break other bits of engine. I think he
thought I was some sort of drooling idiot, and thought about taking away my
keys. He probably also looked down his nose a bit because I was behind on
my oil change. (It’s probably a good thing that oil changes are less
enforced than password changes.)

Four hours and more money than I care to count later, I came to a
realization. I had no idea what any of that meant. More importantly, I had
no idea if I was being taken for a ride. But far more significantly, I
realized that my conversation with the car mechanic was typical of how we
security professional sound to the people who come to us with their
problems.

[image: Description: (Image Source: Pixabay)]
<http://www.darkreading.com/endpoint/security-lessons-from-my-car-mechanic/a/d-id/1324364?image_number=1>

(Image Source: Pixabay)

No, actually, that’s a lie: We sound far, far, less understandable. On a
good day: “There was a drive-by download from a malware site and then some
pass the hash…” And on a bad one: “There’s a highly critical XSRF vuln in
the WAF and we decided to take your site offline immediately while we
patch.”

Let me start by ranting about the term “drive by downloads.” Are these
exploits? If so, why don’t we simply talk about “browser vulnerabilities”
and the exploit kits that select a payload that works on your browser? If
so, maybe we should banish the term “drive by download” and say “browser
vulnerabilities” and -- more importantly -- the fix is to keep your browser
up to date? Similarly, “pass the hash” has come to mean a set of credential
theft attacks, some of which no longer even involve hashes.

The second sentence is hard to understand for a different reason. First, it
is acronym-heavy. But more important, the judgment calls are overwhelming.
First, seriously, “*highly* critical?” I don’t even know what that is
supposed to mean.

No, I do: It’s all about who comes up with these schemes. The answer, of
course, is product managers trying to make their product’s report seem more
serious. But no one is really served by a scale that starts from “very
critical” and goes to “extremely critical.” Reality includes moderate and
low severity findings. This problem has gotten so bad that there are now
companies whose entire business advantage is providing a better scale.

Or how about the statement: “We decided to take your site offline
immediately.” Really? Did you think a little notification might be a good
idea, first? Let me put you in touch with our marketing department about
the promotion that *we* are running.

But I digress. What’s important here is that *I* worry when talking to car
mechanics, and, similarly, those seeking help from us worry in the same way.

The car mechanic has studied and developed a set of skills. He cares deeply
about the problem in front of him, and wants my car to run safely and
efficiently. He knows that a bad set of brakes, a failure in the steering,
or a host of other issues could literally kill me or others. There’s an
analogy here. Like my mechanic, security professionals have worked hard to
develop a set of skills. We tend to care deeply about the problems. We want
systems to run safely (and sometimes we even care about efficiency.)

Then, someone comes in for what they think is a minor issue, feeling
virtuous about trying to get ahead of a problem, and they leave wondering
how the explosion of issues that they “must” fix came at them.

So what’s the takeaway? It’s not simply more clear communication, although
that’s a big help.  It’s also about understanding people’s budget, in terms
of time, energy, or competing work. It’s about understanding what their
competing priorities are. Perhaps my mechanic can understand that my
pending tax bill makes it hard to fix something right now, and can advise
that it needs fixing on some other time frame.

That understanding needs to be a two-way communication, and not just
between me and my mechanic, but between security professionals and the
organizations they serve.

*First in a series. Coming next: What I learned visiting my doctor.*




__._,_.___
------------------------------
Posted by: "Beowulf" <[email protected]>
------------------------------


Visit Your Group
<https://groups.yahoo.com/neo/groups/grendelreport/info;_ylc=X3oDMTJmdmtqaGRpBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzE0NTYwNzk3NTE->


[image: Yahoo! Groups]
<https://groups.yahoo.com/neo;_ylc=X3oDMTJlODU2MnAyBF9TAzk3NDc2NTkwBGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTQ1NjA3OTc1MQ-->
• Privacy <https://info.yahoo.com/privacy/us/yahoo/groups/details.html> •
Unsubscribe <[email protected]?subject=Unsubscribe>
• Terms of Use <https://info.yahoo.com/legal/us/yahoo/utos/terms/>

__,_._,___

-- 
-- 
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum

* Visit our other community at http://www.PoliticalForum.com/  
* It's active and moderated. Register and vote in our polls. 
* Read the latest breaking news, and more.

--- 
You received this message because you are subscribed to the Google Groups 
"PoliticalForum" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to