• You can’t see the light ’til you open your eyes…

    12 Aug 2013

    I noticed a lot of interesting topics/news coming from the Black Hat conference last week such as:

    •  SSH Communications Security Unveils General Availability Of SSH Risk Assessor Tool
    • Preparing For Possible Future Crypto Attacks
    • Crack of mobile SIM card crypto and virtual machine features could let an attacker target and clone a phone 
    • HTTPS Hackable In 30 Seconds: DHS Alert

    No doubt, these are all worthy topics that will help improve information security over the long haul…researched and presented by people who are much smarter than me.

    Yet, given where most businesses are with information security today, we’ve got *much* bigger things to be concerned with such as:

    1. Network shares – open to anyone on the network – providing unfettered access to sensitive information
    2. No proactive event monitoring using the proper tools and expertise (outsource it!)
    3. Firewalls with no passwords or a complex rulebase with a lot of redundancy and risky rules
    4. Phones and tablets with zero security controls
    5. Laptops with no drive encryption (I know most laptops, according to business executives who know more about security than their IT staff, have “nothing of value”…like the ones listed here, but still)
    6. Database servers without passwords, or with default passwords, serving up PII and more to anyone with simple curiosity and a copy of SQL Server Management Studio or Heidi SQL.
    7. Physical security access control and IP video systems that are accessible to anyone on the LAN (sometimes even Wi-Fi) for track covering, system disabling, video deletion, etc.
    8. Operating systems with patch management software that are *still* missing critical updates that are exploitable using free tools to provide full admin access to the system without the attacker ever having to “log in”
    9. Web apps with SQL injection, rampant cross-site scripting, and login mechanisms that are easily manipulated
    10. Mobile apps that have yet to see an iota of security testing

    These are all things I find on a consistent basis…Not because I’m smart but because they’re very predictable and often go ignored.

    “Can’t see the light ’til you open your eyes” …minimal yet insightful lyrics from one of my favorite bands, Black Country Communion. The “light” that people aren’t seeing because they’re being distracted by flashy headlines, sky is falling “exploits”, valueless auditor mandates, or IT execs who are (ironically) “threatened” by information security is the very light that’s going to end up biting them if they’re not careful…such as the items listed above.

    I read something recently from sales/achievement expert Jeffrey Gitomer that said “People who are cocky and arrogant say, I know that and move along. People who are confident and positive ask themselves How good am I at that? and seek to improve.”

    Great tie-in to the point I’m making. Which side are you on?

    Concentrate on the fundamentals and nothing else for now and as long as it takes to ensure you have true control over the information security basics that have been around for decades. Otherwise, you’re ignoring the obvious that will rear its head at some point. As we see time again in the research studies (Verizon DBIR, etc.), odds are much greater that you’ll get bitten by something silly rather than a niche exploit that hits a relative few.

    Finding and fixing the low-hanging fruit (the 20% of vulnerabilities that cause 80% of the problems) is something I’ve been advising for years and I’m going to keep doing it because that is where the risk is.