Matt Fusaro 03:21
Yeah, a lot of the critical vulnerabilities that come out, most of the time, someone knows something about it, or you’ve got someone that’s even worse, they didn’t go through a responsible disclosure. And it gets put out there, either they push it to GitHub or whatever the method is, it gets out, right. People have to scramble to fix that, right? Because patches aren’t being pushed out by a vendor yet. There isn’t a known solution. So you’re kind of relying on the community at this point to find some workarounds. You know, either it’s configure something differently, or hey, you know, I do have some code that will help with this. Without that, we’d all be kind of trying to figure that out on our own and it just wouldn’t work, right? A lot of these channels for communication kind of came out of early development, right? People working on the Linux kernel, people working on their own independent software projects, a lot of that’s, I mean, that’s a lot of the reason why things like, we’re aging here, but things like IRC and all that, that’s where a lot of this actually started,
Steven Maresca 04:22
And persists today, like in Discord and Slack and all the forums.
Matt Fusaro 04:28
That’s where you end up finding a lot of these bugs that get disclosed, because of anonymity, or a perceived dynamic.
Steven Maresca 04:35
And sometimes people trip over things. You know, responsible disclosure aside, that’s a subject unto itself, you know, occasionally, there’s simply something disclosed that’s so severe that the government of some nation needs to rush out an advisory because, you know, it’s affecting everyone at that very moment. There have been multiple examples of that in the last 10 years. You mentioned, one of you mentioned, Log4j, it’s a really good example of that. Why is it an important example? Well, number one, there was no good vendor advisory. Number two, the actual flaw wasn’t well understood. It wasn’t necessarily characterized in a way that enabled people to even determine whether they were susceptible. There was a huge cloud of uncertainty. And it’s our job to pick at that and try to find patterns, to build tools and make it a resolvable problem. The truth is, in the very early days of that particular example, there weren’t any assessment tools whatsoever that could tell you where the problems existed or what systems were vulnerable.
Jason Pufahl 05:46
But I think that’s the interesting part, is you have your formal channels for the advisory piece, right, they tell you that there’s a problem, your vendors tell you specifically there’s a problem. A lot of the time, it doesn’t come with clarity, to your point, around, alright, well, how does it affect you? How does it affect your implementation? What’s your path to risk reduction? And that’s where oftentimes the community is typically ahead of patches being formally released, released by a vendor.
Steven Maresca 06:16
Right, there’s an enormous amount of tactical improvement that occurs simply on Twitter. And it’s really excellent stuff from people who are published, who work at Microsoft, who work at Google, who work at nationally known organizations, internationally known organizations. PrintNightmare was another good example. Some excellent, excellent material was solely found on Twitter. So, you know, coping mechanisms, how do we deal with a crisis in security? Frankly, you go to the places where people congregate, maybe it’s Reddit, maybe it’s Discord, maybe it’s Slack, maybe it’s Twitter. Wherever people are discussing a problem in the very early days prior to it hitting the popular press, that’s where you’ll find like-minded people with skills, who might give you some tidbits to either, you know, close up a hole, or improve the likely outcomes. That’s our first stop almost all the time.
Jason Pufahl 07:18
So are you following people of note in some of those forums already? Or can you go there at the time of an emergency and find what you’re looking for?
Matt Fusaro 07:28
Usually you can find it.
Steven Maresca 07:29
Both, yeah. You know, there’s some hashtag that gets dropped, like PrintNightmare, Log4j, and you know, something that’s trending, that’s sufficient, right?
Jason Pufahl 07:38
I mean, I’m just thinking, how do we tell people who might not be as embedded in some of these communities, you know, who all of a sudden find themselves with a situation?
Steven Maresca 07:47
It’s a really fair question. Well, proactive steps up front would be a great idea. Find somebody that you can attach to through some popular press as being a security researcher. Who do they follow on Twitter? Follow those people. Yeah, it’s really simple. That’s enough to get you some secondary recommendations and where to head.
Jason Pufahl 08:03
Don’t overthink it.
Matt Fusaro 08:04
Yeah, I mean, sometimes just following the vendors that you’re using, right? Because while they may not have anything published that’s like a fix or something like that, you may, you know, people will comment on it. So a lot of times the security researchers will comment on their pages, or they’ll just post, hey, we understand there’s a problem, we don’t know how to fix it.
Jason Pufahl 08:11
Right, but at least you get the information.
Matt Fusaro 08:17
Yeah, there are much better channels than just going to the vendor website.
Steven Maresca 08:42
Microsoft’s blog, technical blogs, fabulous a lot of the time, usually, yeah, like the people who write there are the people in the trenches, or those who are dealing with a security response of some kind. Then, after words get, you know, dressed up and made clear, they end up in a security advisory, but they start in that earlier phase somewhat closer to where the action is. But you know, it’s easy enough to read if you’re adept.
Matt Fusaro 09:12
What I always found interesting is how this works in cybersecurity, because, quite honestly, I have a hard time thinking of any other fields where people act like this, right, where there’s a big problem, and people come together in a community to try to fix it for everyone, not just for their own profit. Yeah, the medical community kind of comes to mind a little bit; they do make an effort to do stuff like that. But again, you still have a lot of people trying to protect their own IP with that. And while you do find that with security every now and then, it’s just less so.
Jason Pufahl 09:50
Yeah, well, I think that the spirit of open source, right, in this sort of freely releasing software or information, it is pretty prevalent in our field, which is great. And it’s one of the, I think it’s really truly one of the unique things about information security, or maybe IT, because, you know, we’re talking about this from an information security standpoint, but the IT community often comes together in that way. How much of an influence do you think it has potentially in, say, job satisfaction in the field? You know, because I think we have a stressful role very often. But it is one that has a sense of sort of community, I think it’s community within a company you’re working for. And then clearly, as we just described, it’s broader than that. Does that contribute in any way to people maybe staying in the field longer, do you think? I don’t know that I have an answer.
Steven Maresca 10:43
I’m inclined to think so. Because, you know, for listeners who don’t know, Matt and I have a fairly deep development background. And the only way we got there, aside from education being somewhat helpful, is because of open source communities being inclusive, welcoming, supportive of new participants. It’s kind of the truth here, you go to a decent security conference, where if it’s worth its salt, there will be tracks specifically for people who are trying to enter the field. And you don’t, as an individual, say you’re in IT, you don’t necessarily need to be a developer to have meaningful input or get meaningful information out of some of these areas that we’re talking about. Simply knowing that there’s something coming over the horizon that was not forecast or expected is very helpful, because you might give a week or a day or a few hours’ heads up to the people in your organization that can respond more effectively, or your vendors for that matter. That’s hugely important. So participating in that very simple way helps get your foot in the door, then you can learn, then you can maybe build some things and, you know, buoy the active participation that everyone else is doing.
Jason Pufahl 11:59
Yeah. And for sure, like anything, right, as much as we want to talk about the fact that there is this robust community, and I think that’s accurate, it’s biased toward participation, and people who are active sort of gain reputation, and you’re sort of leaned on for advice, or certainly sought after by newcomers. It is a little bit of effort. And so we certainly would suggest anybody who’s interested in participating, do it earlier, you know, early and often, I suppose, is the ideal, but, you know, it is always going to be a little bit more difficult at the time of crisis to jump into something and hope you get help.
Steven Maresca 12:38
And give credit where due.
Jason Pufahl 12:40
Yeah, for sure.
Steven Maresca 12:41
For example, going back to Log4j. CISA, you know, the official CISA government GitHub repository has a Log4j scanner that they’ve put together and curated. The first org that built something particularly useful was FullHunt.io, and CISA based their code on theirs and on many other practitioners’ as the end result, and they acknowledge that, along with all the other people who, you know, contributed code, fixed bugs, introduced new mechanisms for exploiting that vulnerability. That is a sort of social recognition that helps to keep people fueled, when in their home organization they may not receive recognition that is specific.
Matt Fusaro 13:27
Yeah, I think that’s very important.
Jason Pufahl 13:28
Yeah, for sure.
Steven Maresca 13:29
And, you know, if you were talking about job satisfaction, people are mobile these days. One way of increasing mobility is participating in these communities, and developing some degree of not necessarily stature, but at least recognition that you’re participating. That also matters.
Jason Pufahl 13:48
Yeah, in some way, I guess it’s social clout. But it’s an opportunity, our field does offer opportunity to be sort of recognized academically in some ways without being, you know, a purely academic profession, which I think is appealing for a lot of people. The topic’s pretty straightforward, it’s really just around, how do you find job satisfaction? How do you keep yourself sort of energized, mobilized? And sometimes it really does come, in some ways, in a field that is prone to incidents and unexpected events, through the community that’s built around that, which I think we’re fortunate to be part of.
Matt Fusaro 14:27
Yeah, I think a lot of that was built because of the shared pain, right, a lot of us have been through the incidents or issues where there is no fix. So we don’t want other people to have to go through those same things, and we try to build around that.
Steven Maresca 14:42
Security doesn’t exist without community effort. That’s the main message, and it permeates the entirety of this conversation.
Jason Pufahl 14:48
It does, and it’s funny you say that, I think about some of the security awareness training we do, we say the same thing, right. It starts from users being part of the community all the way up through practitioners. I mean, that’s what it is. Well, as always, I think a straightforward topic, but one that’s important. And I think one that might actually entice people a bit into the field. So if you enjoyed this, we appreciate you listening. We’re happy, of course, to continue the conversation, just let us know. But as always, thanks for listening. We hope you got value.
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.