Security Is a Useless Controls Problem

I work at medium to large government orgs as a consultant and it’s entertaining watching beginners coming in from small private industries using - as you put it - consequentialism and virtue ethics to fight against an enterprise that admits only duty ethics: checklists, approvals, and exemptions.

My current favourite one is the mandatory use of Web Application Firewalls (WAFs). They’re digital snake oil sold to organisations that have had “Must use WAF” on their checklists for two decades and will never take them off that list.

Most WAF I’ve seen or deployed are doing nothing other then burning money to heat the data centre air because they’re generally left them in “audit only mode”, sending logs to a destination accessed by no-one. This is because if a WAF enforces its rules it’ll break most web apps outright, and it’s an expensive exercise to tune them… and maintain this tuning to avoid 403 errors after every software update or new feature. So no-one volunteers for this responsibility which would be a virtuous ethical behaviour in an org where that’s not rewarded.

This means that recently I spun up a tiny web server that costs $200/mo with a $500/mo WAF in front of it that does nothing just so a checkbox can be ticked.

I don't think this is limited to security.

I have friends who are very scary drivers but insist on backseat driving and telling you about best driving practices, and coworkers who are insistent on implementing excessive procedures at work but constantly are the ones breaking things.

I think following rules gives some people a sense of peace in a chaotic and unpredictable world. And I can't stand them.

Securities laws are written in terms of duty ethics ("fiduciary duty", "duty of due care", etc). That's all anyone at the top would care about.

I recall a grugq podcast several months back in which they compared it to a "chastity pledge", wish I had the exact episode.

I’m an engineer who now works security. Very few of us come from an engineering background. Most lack the technical skill to do much than apply controls and run tooling. Some try to do design work but imagine a junior dev with 2-3 years experience trying to write a service.

Those of us who are architects and coders don’t often get to do it anymore because we’re not working on single projects or solutions.. so we become people who swoop in on a project for a month at a time to make sure there’s no major smells before moving on. Our understanding our your system is shallow as a result.

Compliance is useful, just not for security.

* You get a cool industry certification that you can put on your website to justify the vague "we take your security seriously" platitudes we spew.

* It lets you stop putting money and effort into security once you've renewed your certs this year.

* You don't need to hire a dedicated security person, any sysadmin can check boxes.

* You can say you followed industry best practices and "did all you could" when you get breached.

It's the answer to "how do we not care about security?" across an entire industry that stands to make billions from said lack of care. In a depressing way, the company with useless performative security certs will fare better after a breach then the one without them but that actually tried.

My less cynical take about this is that if you need to actually care about security because you'll be up against sophisticated targeted attacks then you probably already know that. For everyone else there's checkboxes to stop companies from getting owned by drive-by attacks.

Well one of the big problems is that businesses don't do root cause analysis on incidents and learn what controls failed, or should have been in place that may have prevented the incident.

Additionally, actually testing if the controls works. I work in testing controls and I find a lot of controls might be developed well, but just simply aren't being done due to resource constraints.

> More or less, they were told what they did was clog the flow of useful work.

That sounds like a very valid complaint, too rarely heard these days.

People seem to forget that security always comes at a cost, so security decisions are always trade-offs. The only perfectly secure system is the one that does absolutely nothing at all.

Does forcing everyone's machine to run real-time scans on all file I/O improves our security more than it costs us in crippling all software devs? Maybe. Being on the receiving end of such policies, including this particular one, I sometimes doubt this question was even asked, much less that someone bothered to estimate the expected loss on both sides of the equation. Ignoring the risks doesn't make them go away, but neither do costs go away when you pretend they don't exist.

The Phoenix Project has been very influential on me in my security career, at least partially because I share the name of the ineffectual CISO and want so desperately to avoid the link.

I think the book is still very applicable, and every security practitioner needs to be hit over the head with it (or at least The DevOps Handbook or Accelerate). Security generally is decades behind engineering operations, even though security is basically just a more paranoid lens for doing engineering ops; the ideas from Phoenix are still depressingly revolutionary in my field.

> More or less, they were told what they did was clog the flow of useful work.

Similar to seeing IT as a cost rather than a benefit.

I think it's fine to implement a useless control to get a customer.

Just don't pretend that you're doing it because it is a useful control, pretend that you're doing it because jumping through that hoop gets you that customer, and "we're a smaller fish than the government". Especially with the government (especially if it's the USA…) there are going to be utterly pointless hoops. I can pragmatically smile & jump, … but that doesn't make it useful.

Note, though, that "the government" (NIST to be specific) says that requiring passwords to be changed every 90 days is counterproductive and shouldn't be done, yet many corporations (including my employer) still mandate it. Corporate bureaucracy can be as backward and counterproductive as government bureaucracy.

"We have an alternate implementation / mitigation" gets you passed the hangup, for folks who need the magic words for 'thats dumb. we do it right'.

>that NIST has killed in competent circles

Just because this is my favorite soapbox - anyone that has to deal with passwords should go read NIST SP800-63B:

https://pages.nist.gov/800-63-3/sp800-63b.html

I was kind of shocked by just how gosh-darned reasonable it is when it came out a couple of years ago. It's my absolute favorite thing to cite during audits.

"Are you requiring password resets every 90 days?"

"No. We follow the federal government's NIST SP800-63B guidelines which explicitly states that passwords should not be arbitrarily reset."

I've been pleasantly surprised that I haven't really had an auditor push back so far. I'm sure I eventually will, but it's been incredibly effective ammunition so far.

I bumped into controls mandating security scans, when people running the scans don't need to know anything about the results. One example prevented us from serving public data using Google Web Services because the front-end was still offering 3DES among the offered ciphers. This raised alerts because of the possibility of Sweet32 vulnerability, which is completely impractical to exploit with website scale data sizes and short-lived sessions (and modern browsers generally don't opt to use 3DES). Still, it was a hard 'no', but nobody could explain the risk beyond the risk of non-compliance and the red 'severe' on the report.

We also had scans report GPL licenses in our dependencies, which for us was a total non-issue, but security dug in, not because of legal risk, but compliance with the scans.

I actually wrote blogs about two of my (least) favorites: [VPNs](https://securityis.substack.com/p/security-is-not-a-vpn-prob... [Encryption](https://securityis.substack.com/p/security-is-not-an-encrypt...). Thank you for pointing out I don't link to them in this original post.

Password resets are definitely one, and I still have to tell prospects and customers that I can't both comply with NIST 800-63 and periodically rotate my passwords, every single day. Other ones I often counter include other aggressive login requirements, WAFs, database isolation, weird single tenancy or multitenancy asks, or for anti-virus to be in places that they don't need to be.

in the spirit of this article, can anyone explain why the Linux host-level firewall is a useful control?

Agreed. As an ISO 27001 auditor I see a growing demand for security compliance certification / attestations (ISO 27001, SOC 2), and it's client driven 95% of the time. So, in the end, it’s often worth it to go ahead and do it.

ISO 27001 is more affordable (2k-3k for audit, and additional 1k-3k for external provider to manage everything for you), SOC 2 will set you back at least 10k

The chimps story is made up. There was a study that tried to test something like that but only in one case, out of many trials, was a chimp discouraged from doing something by another chimp, due to the second chimp’s fear.

There's certainly a lot of cargo cult security controls out there. One of the big issues is simply that it is very hard to change established practices. It takes a lot of effort, and senior people who are not security experts have to sign off on the "risk" of not doing what all their peers are doing.

There is one word I would change in your post title. Security has a useless controls problem, not security is a useless controls problem.