Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

6/13/2017
05:05 PM
Chris Roberts
Chris Roberts
News Analysis-Security Now
50%
50%

Fixing the Tech Behind the Cyberwar

As security, we have failed our very charges. We continue to allow them to be attacked and we fail at defense. What must we do to change this?

Something that has vexed me for some time now is that we've all stood up on stage; talked at conferences; preached the word of security from our lofty perches; and explained our views, our methods and our ways for the last 20 to 25 years or so. And nothing has changed.

Oh, we've helped build a multi-billion-dollar industry on the misery of others. However, the bad guys have done the same. We've managed to create an entire segment of the working population dedicated to beating the crap out of others... and the bad guys have done the same. And let's not forget we've managed to create an alphabet soup of useless credentials to go along with it.

Thankfully the bad guys left that one alone.

We have failed to protect the very charges that rely upon us for safety and security; we have miserably failed so spectacularly that the very charts of our failure have to be redrawn year after year.

I've personally stood on stage over the years threatening to tar and feather users and CIO/CEO/CFO's, and more recently have regularly volunteered to taser the entire population (or at least the 90% of them who don't "get" security) but that focus is wrong. We are wrong. The red team is not the solution. Beating up on the weak and feeble apps or useless companies is not solving anything. It hasn't solved anything. Heck, even when the government and regulation stepped in and created PCI DSS, HIPAA, FERC, NERC and other things it didn't solve a bloody thing. The mess is still there and daily we are cleaning up.

So, what the hell do we do about it?

We have to have a mental reset. Red has to lose and blue has to win, be sexy, be popular and actually be effective. Those of us with red romper suits and the toolbox of doom have to put it down for a while, grab a seat next to the blue team and actually help them. Why?

Here's some logic:

  1. There's too much to fix, and too few people focusing on the fixes (beyond the point solutions).
  2. Many of the vendors are basically vultures preying on the dead and dying while they bleed out their data. They crowd around victims with their Band-Aid fixes and insurance policies. And still the victims lie there, cyber bleeding.
  3. The few blue that are out there are throwing up their hands in exasperation. There's too much to do and not enough time to do it.
  4. The rack of blinky lights is no longer a challenge, it hasn't been for a while, and even the automated tools can bypass everything that people build into it.

There are 101 more reasons, but let's face it we know it's right. We are getting old and the red romper suit is starting to wear thin in places... let's all help blue before it is too late.

So, what do we do?

We have to go back and look at the rules we are operating by, we have to help those around us, from the users to the managers, the leadership and the influencers.

So what kind of rules are we talking about? What principles should we follow if we want to make security something people and companies can really count on? Here are some of my security rules.

Security is not an afterthought

  • Build it in from the very start of a project!
  • Build it like your mother is going to have to use it.
  • Built it as if I'm going to come and tear it to shreds.
  • Build it with insight and foresight, this is your baby, don't make it ugly.
  • Help everyone on the project, educate and advise them, show them pictures of your Mother when it comes to user interfaces and more bloody passwords, show them pictures of me when it comes to handing credentials, etc. Use all the resources at your disposal to make something good.
  • Make it adaptive and predictive, make it preventative, don't make it reactive... remember evolution is good, look at the future and build to that.

Security is a mindset

  • Welcome to 2017; the hackers own this year. Can we try to take back 2018 please?

Security is the differentiator

  • Your organizations actually might thank you!
  • Your customers will thank you!
  • Use security to your advantage in marketing.

Vendors need to be held responsible for delivering secure products to all of their clients all the time. Not three years down the road if enough people scream. Now. For everyone.

Integrators need to be held responsible for educating partners and vendors, and choosing wisely.

I feel like we are flogging a dead horse, but it would be nice for once to not break into a company because defaults or outright dumb passwords are being used.

These are baseline points to build from -- something to consider next time a project kicks off or a vendor comes around or the leadership team asks for input. I hope this helps. I hope this starts the very real discussion that needs to happen because if not that tsunami of technology is going to drown us all.

Chris Roberts is currently the chief security architect at Acalvio. He is credentialed in many of the top IT and INFOSEC disciplines. As a cybersecurity advocate and passionate industry voice, he has been featured in several documentaries and is regularly quoted in national newspapers, television news and industry publications.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15505
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-15506
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to bypass authentication mechanisms via unspecified vectors.
CVE-2020-15507
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to read files on the system via unspecified vectors.
CVE-2020-15096
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
CVE-2020-4075
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...