I have been thinking for two weeks about what to cover in this first post of 2015. I have read dozens of other blogs and articles online that talk about the problems organizations had in 2014, and the revelations regarding what law enforcement and other three-letter agencies have been doing to our privacy. There are several about the issues we in computer security can expect to face in the new year. Rather than rehash the problems of the past or attempt to predict future trouble, I prefer to focus on the positive changes I hope to see in the sector in the next year.
As we roll into 2015, which by the way is the year that Marty McFly time-traveled to in Back to the Future 2, we may not be dressing in what the 1980s writers and costume designers envisioned: a cross between cyberpunk and raver style. However, one fact is unavoidable: the environment of the cyber security sector has changed as dramatically as those fashions, and we must keep up with the times. It is time for those that work on the defensive side of security to stop thinking like law enforcement and start thinking a little more like the criminals do. We have reached an age in which the layered security that was so important a few years ago is about as effective as a castle moat would have been during the Second World War. Criminals are not concerned with how much money your organization has spent on fancy defenses or how much harm it will do to your organization to be breached. They only care about what they stand to gain from stealing your data.
The future may not have been right but this is our past.
The best detectives and profilers in law enforcement do not spend their days following regimented procedures. They think outside the box and are not afraid to put themselves inside the minds of the criminals they are looking for. I work on the offensive side of security, where it is our job to think like the bad guys, but in big corporations we still find ourselves being stymied by outdated policies and obsolete ways of thinking. I hope that 2015 will be the year that organizations that are serious about their security will be willing to let their security teams do what it takes to stop the bad actors. It is time to stop drawing lines on what we are “allowed” to do and start letting us find the breach points before the bad guys do. It is time for us to be ahead of the game instead of spending our days (and nights) playing catch-up.
In order to promote positive changes to the way cyber security teams function, organizations must be willing to allow cyber security professionals greater freedom to determine what tactics are necessary to prevent attacks. These professionals should not be so heavily restricted in their actions that they are prevented from doing their jobs. For example, penetration testers are frequently prevented from performing a DDoS test. Allowing security professionals to run such a test has the potential to lead to new methods of prevention or, at the least, will prepare the organization for the possibility of an eventual attack using this technique. Social engineering is an often dismissed tactic, usually avoided because of the likelihood that an organization will fail to pass muster under such scrutiny. Yet this technique is arguably the most common method of entry used in almost every breach by criminals attempting to gain access to an organization’s data. Failure to address this area is a failure to give sufficient weight to the necessity for strong cyber security procedures. Cyber security professionals should be given the freedom to use these and other such techniques to really test the strength of their organization’s security.
This week in my Information Security Management class we discussed planning for security. Of course, the discussion in the course was about planning for success. Unfortunately, a lot of the real-world discussions I’ve had and articles I have read this week have shown more clearly how people and corporations are failing because of their planning. I am sure they are not planning to fail, but their actions and poor planning skills have been leading to their demise.
My interest in this issue was piqued while reading about the recent problems that Sony Pictures Entertainment (SPE) is facing. Their difficulties stem from corporate planning. Unfortunately for them, the planning was of the wrong kind. Many articles claim that, in an effort to reallocate company resources, they were on a mission to save money by cutting staff. This money-saving planning extended to their IT compliance and security department. They did everything they could to save money and cut corners, including having a policy of “just enough compliance.” This resulted in a breach of SPE’s personally identifiable information (PII), with an estimated 47,000 employee records exposed.
In addition to budget cuts to their IT Security programs, they laid off a number of employees in the last year. Sony is not alone in this practice. There is an epidemic in the corporate world of layoffs, benefit cuts, and even employee demotions. This, in addition to the cutting of IT Security budgets, has created a perfect storm, and I think SPE is just the first of many victims. Due to the nature of this breach, it is fairly evident that there was help from a trusted insider. Some estimates are saying that this breach will cost SPE over $100 million, and that is not counting the personal cost to employees whose information was captured. Had SPE focused on maintaining a functioning IT Security department, this breach could have been avoided entirely, saving the company far more than the money they will lose because of this attack. Proper planning could have saved them their reputation.
It is time to stop planning for the right now and start planning strategically for the future. It is time to focus less on the bottom line and more on preemptive planning to maintain a secure front and protect the information that is the lifeblood of any company.
Let’s talk about oxymorons, those annoying little things they keep trying to teach in network security and computer security and, well... cybersecurity. I have a Bachelor’s in cybersecurity, am working toward my Master’s, and I have been officially (as in professionally) working in the field for just under 8 years. Before that I had been into the dark arts (computer hacking) since I was 11 or 12, right about when the internet appeared, so that is about 23 years, give or take, that I have been in some form or fashion involved in cybersecurity.
That paragraph was not to toot my own horn. I have plenty to learn; cyber security is such a constantly changing and large field. For example, in all that time I did not REALLY understand false positives, true negatives, etc. until the last few years. Learning the concepts is relatively easy and logically they all make sense. A false positive is an alarm that goes off for the wrong reason. A true positive is a proper alarm that went off for the right purpose. A false negative is the bad guy getting through because the alarms think that he is perfectly acceptable. And finally, true negatives are what happen when the defenses correctly recognize legitimate activity and stay quiet.
Regardless of how annoying and, well, kind of ridiculous these things sound, someday (if you really go into security) they will be something you care about. They are important to me in my current job as an offensive security professional because I want to get past the alarms. They were important to me as a defensive security professional because I wanted the alarm to catch the bad actors. And someday, maybe right now, they will matter to you too. So, embrace the oxymorons.
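To make the four terms concrete, here is a small added example (my own illustration for this post, not code from any product). It takes a constructed list of events, each with a ground-truth label (was it actually malicious?) and the detector's verdict (did an alarm fire?), sorts each one into its confusion-matrix cell, and then computes the precision, recall and false-positive rate that a defender tuning an alarm actually watches. The event names and verdicts are made up for the example.

```python
from collections import namedtuple

# Constructed sample data for this example: each event carries the ground truth
# (malicious or not) and whether the detector raised an alarm. Nothing here is
# taken from a real detector or a real incident.
Event = namedtuple("Event", "name malicious alarmed")

SAMPLE_EVENTS = [
    Event("admin login from known workstation", False, False),   # true negative
    Event("nightly backup job copying /var/lib", False, True),   # false positive
    Event("credential dump read from LSASS memory", True, True), # true positive
    Event("beaconing over DNS TXT records", True, False),        # false negative
    Event("scheduled patch download", False, False),             # true negative
    Event("mass file rename by ransomware", True, True),         # true positive
]


def classify(event):
    """Map one (ground truth, alarm) pair to its confusion-matrix cell."""
    if event.malicious and event.alarmed:
        return "TP"  # the alarm fired for the right reason
    if not event.malicious and event.alarmed:
        return "FP"  # the alarm fired for the wrong reason
    if event.malicious and not event.alarmed:
        return "FN"  # the bad actor was treated as perfectly acceptable
    return "TN"      # benign activity, correctly left alone


def confusion_counts(events):
    """Count how many events fall into each of the four cells."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for event in events:
        counts[classify(event)] += 1
    return counts


def metrics(counts):
    """Derive the rates a defender tunes against from the four counts.

    precision: of the alarms that fired, how many were real?
    recall:    of the real attacks, how many did we catch?
    fpr:       of the benign events, how many raised a needless alarm?
    """
    tp, fp, fn, tn = counts["TP"], counts["FP"], counts["FN"], counts["TN"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"precision": precision, "recall": recall, "false_positive_rate": fpr}


if __name__ == "__main__":
    counts = confusion_counts(SAMPLE_EVENTS)
    for event in SAMPLE_EVENTS:
        print(f"{classify(event)}  {event.name}")
    print(counts)
    print(metrics(counts))
```

The useful lesson is in the trade-off the two "false" cells expose: loosening a rule to silence the backup-job false positive is only a win if it does not also push the DNS beacon further into the false-negative column, so both numbers have to be re-checked after every tuning change.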
Thank you for reading, check back next week for more.
Today starts a new chapter for me, partly because last week I finally completed my Bachelor of Science in Cybersecurity and partly because I just started my Master’s in the same. As part of one of my current courses and, from what I understand, many of the courses I will be taking over the next 18 months, I am to keep up a weekly blog. This is good news for all of you that want some good reading: for the next 18 months (at least) I will be showering the world of security with my thoughts on security. Enough about why I am writing my blog and on to the topic at hand, vulnerabilities with brand names.
In the last year we have seen a cascade of vulnerabilities announced that have spread their brand all over the media, well beyond the typical security and techie sites. I think it is safe to say that this problem started with “Heartbleed” in April of 2014. This was, at the time, an anomaly: it was a rather serious vulnerability, but it was “released” with a logo and a website devoted to it. I can’t remember a vulnerability being branded like this before, and it sparked a trend that is starting to have a detrimental effect on those of us that actually work in IT security. Since “Heartbleed” there have been Poodle, Unicorn and Shellshock, to name a few.
The problem is that, while Heartbleed was pretty bad, the fact that the executives, their wives, and our grandmothers all heard about it actually helped us in the industry get the resources and visibility it needed. But now these “less serious” vulnerabilities, like Unicorn for example, come out with a brand and get on CNN, and suddenly something that professionals have decided is a medium risk at best becomes a “drop everything and fix this NOW!” type issue. Someone in the executive suite has seen the constantly repeating clips on CNN, and now we have to drop more important things to “fix” the Poodle issue, or whatever the latest newsworthy vulnerability is.
So, in short, if you are good enough to discover a new vulnerability, please let us in the industry know before you give it a brand name and send a press release to CNN.
Check back next week for more.
We will start blogging in earnest now. Here at EndisNye Security we have some unique and fresh views on the changing world of IT and physical security. There are several different projects in the works; some that are coming sooner rather than later are listed below.
- A new blog post will be here at a minimum of once a week.
- New videos will be posted frequently, though for the time being not as often as the written blogs, because of time constraints and because production takes a little longer.
- Links to other great blog posts and articles.
- We also plan to set up a Q&A forum where you can ask questions and get professional answers.
We will discuss everything from penetration testing and hacking techniques to new concepts we are working on for user awareness education. Of course we will put in our two cents on the current IT and security news and give updates from conferences that we attend.
We hope to see a lot of feedback, suggestions and general participation. We are also more than happy to post stories, reviews, articles, and experiences from the community, so please feel free to send us anything that you would like to see published.
Thank you for your interest, and we look forward to a long and interesting road ahead.