The infosec industry is a fraud

Metlstorm takes the infosec industry to task for its failures...

Sure, maybe it's not 1994AD any more. But let me posit this, which I culpably dub Metlstorm's Assertion:

The cost of owning a corporation is a fraction of a percent of their annual infosec spend.

Let's go with 0.1%. Can you think of any organisation you've worked for, or on, or with, or pwned that you couldn't own for the sales margin on a single Check Point device?

Let's assert the value of owning a corporation -- if you're any good at the order-fulfillment bits of crime, which I'm not -- is proportional to its market cap.

The ratio of cost-of-ownership to value-of-ownership is so low as to have an ROI to an attacker that is nearly infinite.

Stated more concisely (unusual for me, I know); the incremental cost to an attacker between not hacking you and hacking you is so close to zero we have to assume they actually do.

Which means you should proceed on the assumption that your corp is already owned.

We live in a world where our desktop machines get USB autorun worms, where a garden-variety botnet worm owns entire Ministries of Health, where insider attacks are commonplace, where biometrics doesn't work, where routers are backdoored by offshore manufacturers with various political goals, where we pay janitorial services staff minimum wage because they've only got physical access to, well, everything via their trivially clonable RFID proxcards running on building management software off a crappy old NT4 box in the basement. Ok Metl. Breathe.

You see where I'm going with this. There is no infosec industry. We're just doomsayers who take the chumps' money while they've still got it, and when they don't we just scare the next lot senseless until someone pays up. We don't actually improve anything.

The infosec industry is a trinity; the boxpushers (vendors), the chumps (the users), and the doomsayers (us, the pentesters).

Boxpushers sell kit to the chumps, who've been goosed into thinking they need it. The doomsayers occasionally pity the chumps, but are generally stuck in io-wait, writing off the boxes being pushed as useless, impractically complex, and that highest criticism of all: boring.

Us doomsayers take the chumps' money, then tell them in excruciating and savage detail how much they and the boxes they got pushed suck.

And they invariably do.

When we're on a typical gig we sit around, amusing ourselves intellectually by doing something we'd all probably just do for fun anyway, call it work, and then tell the chumps in serious sounding language quite how poked they are today.

There is doom. Unending grimness. Like the darkened frostbitten forests of Ukrainian black metal album covers.

Hell, in the case of boxpushers, they actually make it worse (Hi mail antivirus gateways! Hi IDS consoles, hi shatter-prone desktop asset management and patch deployment solutions, giving up localadmin like [security researcher] Brett Moore slipped you his best Mr December smile under the digital cyber eMistletoe.)

I ask you again -- is there any corporation you've seen where the upper bound of cost to own them wasn't proportional to the janitor's hourly rate? We all know, deep in our guts, that we could own anyone. And we wouldn't be doing it with Ben Hawkes' heap technique -- that stuff's for impressing cons and talking shit in bars, not wasting on actual attacks. We'd just roll like it was 1994AD; and we'd win. Every time. You know it. And how much would it cost? To own a bank, a telco, an ISP, a critical infrastructure provider? Really, we all know the turgid, sodden, doom-laden truth.

How much would it cost?

Yeah. Exactly. Fractions, my man. Fractions of a percent.

Metlstorm is a New Zealand-based freelance security consultant. He's created several tools including Hai2IVR, Winlockpwn and SSH_Jack. He's also an organiser of the annual Kiwicon security conference in Wellington, New Zealand.