Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/11/2019
10:30 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Kudos to the Unsung Rock Stars of Security

It is great to have heroes, but the real security heroes are the men and women who keep the bad guys out while fighting their own organizations at the same time.

People love to hear me describe the espionage simulations that I perform, putting together teams of former Special Forces and intelligence officers and targeting organizations, in what many might call penetration tests and social engineering. Still, I bristle when anyone calls me a hacker.

True, I admit that I love performing human elicitation and black bag operations, and it is always a rush to get the access to "steal" $1 million or its equivalent. Yet the "gotcha" games can get old, and while the results may be incredible, they are frequently useless.

I consider myself a security professional, and my goal is to leave a company more secure than I found it. Consequently, I've learned that finding flaws in security programs is only useful when you can identify practical countermeasures that can actually be implemented. Otherwise, you're essentially just highlighting that a company can be easily compromised, which is, at best, a footnote in a security presentation.

Even when a problem is seemingly simple to fix, it is usually not that easy. I am sick of hearing "social engineers" perform tests where they get employees to divulge passwords, and then proclaim that the solution is to tell employees not to divulge their passwords. Likewise, people performing technical penetration tests frequently find unpatched systems and recommend patching the systems. Any qualified CISO already knows these issues likely exist in their environment, and that they should address them. But it is grossly naive to believe that it is that simple to just do it.

Addressing the password problem requires a comprehensive solution of technology, process, and awareness, which requires proper funding, resources, planning, execution, and it still won't be perfect. Social engineering, when performed with proper statistical distributions, can potentially tell you the scope of the problem, but it is far from a useful solution. While patching systems appears to be straightforward, it is an incredibly complicated matter to first find all of the systems that exist, determine their architectures and versions, get administrator access, ensure that licensing exists to update systems, determine if there are any incompatibilities with patches, get the required permissions to have outages, acquire the systems, software, and/or personnel to roll out the patches, etc.

Then consider that these are just two projects among countless other projects that a CISO has to address, and especially prioritize, with each potentially project expending their organizational reputation, and all involving buy-in from other parties.

On multiple occasions, I performed penetration tests that were able to grab the attention of Fortune 50 CEOs by demonstrating the substantial business value that could be lost due to poor security, and providing actionable recommendations. In response, the CEOs increased the security budgets by more than $10 million and increased staffing to begin to address the problems. For my team and me, it was fun and easy. Periodically, we are brought back to advise and further assess how well the improvements are progressing. However, finding damaging flaws in the security posture of a Fortune 50 company is too easy for highly skilled attackers, like those on my team. The people with the really hard jobs are those responsible for fixing the problems.

The general public, and even the security industry, seems to idolize the "hackers" and people who can compromise security of organizations with ease. They are frequently referred to as the "Rock Stars of Security." Some of these people have incredible skills at what they do. However, the "Rock Stars" we should be revering are those working on internal security teams, who know all too well that real security involves infinitely more than telling people "don't give away your passwords" or "patch your systems." They frequently experience failures of one form or another but somehow manage to effectively mitigate losses and keep major organizations up and running.

It is great to have heroes, but the world needs to realize that the real heroes of security are those with the really hard jobs, which means those who are constantly trying to keep the bad guys out while fighting their own organizations more than the hackers. Unfortunately, we rarely know their names, how hard they're working, or acknowledge them for the heroes that they are.

Related Content:

Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/14/2019 | 8:55:12 AM
On hospitals
The WORST job I ever had (everyone should have one such job) was at a major hospital chain in a major city.  11,000 systems (Windows XP, 2000 and NT back then) with hard coded IP addresses and subnet (nobody knew where the next chain subnet began),  Security?  DID NOT EXIST.  IT was outsourced to First Consulting group (later bought by CSC) and it was a nightmare.  Porn, malware, virus RAMPANT and re-image?  No firewall at all, stuff came back in 24 hours.  AND 30 systems STOLEN from a locked room.  Just like that.  So security in a large environment - some are beyond belief.  (Then there is blue tarp over a mainframe that had a water leak too.  And then a Windows 3.11 system as a server on a cinder block over a flood line).   This is true stuff folks. 
markgrogan
50%
50%
markgrogan,
User Rank: Apprentice
1/22/2019 | 9:17:02 PM
Security package
With an increasing number of users of the internet world today, security lapses are unfortunately increasing too. The real deal should be the other way around but sometimes there could just be too much to handle. In due time, service providers need to somehow come up with a solution to tie service with security in a package.
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
1/23/2019 | 12:48:54 AM
All hail the security team!
The security department is most definitely not as well appreciated as they should be. At the end of the day, there's a lot of things going on in the backend of all of these companies with regards to keeping out unwanted attention that we just don't pay enough attention to. But these departments do and we should thank them for it.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-9561
PUBLISHED: 2019-06-19
In llcp_util_parse_connect of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 Android-7...
CVE-2018-9563
PUBLISHED: 2019-06-19
In llcp_util_parse_cc of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 Android-7.1.1 ...
CVE-2018-9564
PUBLISHED: 2019-06-19
In llcp_util_parse_link_params of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 Andro...
CVE-2019-2003
PUBLISHED: 2019-06-19
In addLinks of Linkify.java, there is a possible phishing vector due to an unusual root cause. This could lead to remote code execution or misdirection of clicks with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 Android-...
CVE-2019-2017
PUBLISHED: 2019-06-19
In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 ...