I was playing Faster Than Light recently and came to a sobering conclusion. As my ship burned and my crew furiously attempted to put out fires and repair systems, I saw startling similarities between roguelike games and the jobs in Information Security.
For those unfamiliar with roguelikes, they are games characterized by randomly generated areas, punishing difficulty, and permadeath. You will die in roguelikes. A lot. With enough persistence and skill, you can win the game. But you must be willing to learn from each death. Each failure highlights a mistake made that should never be repeated in subsequent games.
What does this have to do with Information Security? Let’s start with number one.
Learn From Mistakes
While roguelikes are very hard, they tend to be fair. Playing the game “wrong” is punished quite severely. But playing the game with skill and experience is rewarded with a hard fought victory. If you die in a roguelike, it’s because you made a mistake in how you played the game.
Information Security is no different. Employees will download things they shouldn’t and get infected. AV will fail to detect the latest trojan or worm. But each failure is an opportunity to learn. Sticking to the same processes and procedures will only result in repeated failure.
Java is a great example of this. I’m sure we can agree that Java is just bad. They patch one vulnerability, two more spring up in its place. As bad as the situation is, it would be wrong to just throw up our hands in defeat and do nothing or recommend uninstalling Java (which might have negative repercussions for the business). There are controls that can be placed around Java to dramatically reduce its attack surface. Carlos Perez wrote an excellent post about managing Java security through GPO.
The point is to make sure the same problem doesn’t take you down twice. Draw upon the knowledge of others as well as your own experiences to figure out the best way to play the game.
A lot of people don’t like roguelikes because they feel they are too hard. The constant deaths and the loss of their hard work cause them to quit. The high difficulty is not what they were expecting, and they give up before they develop the skill to properly play the game.
Information Security can be very difficult as well. We are not as well equipped or funded as the attackers. Failures, whether they be a compromised server or a malware infestation, can be emotionally draining. But it helps if, at least mentally, failure is expected and in some cases anticipated. In that way, the seeds of a solution or a remediation could already be formed. At the very least, the failure will be less of a shock and the emotional blow will be small. After all, we kind of saw it coming. 🙂
Roguelikes are hard. The only way to get better is to keep playing, keep trying, and continue to learn.
Persistence is needed to follow through on the Lessons Learned part of any Incident Response. If an incident is severe enough, the recommendations made will probably touch more than one person or department. While grateful for your efforts in cleaning up the incident, they might be less enthusiastic about applying the lessons learned to themselves or their department. Even if they agree to apply the lessons learned, the process will probably be very slow as, in their mind, other things take priority.
Tact and persistence will help keep the lessons learned in their mind without making an enemy. It can also help to do research on your own and offer one or two different solutions. Work with the team to apply the solution. This helps instill a feeling of camaraderie, that everyone is working toward the same goal. Your job didn’t end with the compromise. You worked with everyone to see it through to the end.
Information Security, similar to roguelikes, is a constant cycle of failure, learning from the failure, applying those lessons, and trying again. It can be taxing, but it is never boring. Nothing is given to you. Nothing is chance. So when you score a victory, you know you have earned it.