Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/11/2019
10:30 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Kudos to the Unsung Rock Stars of Security

It is great to have heroes, but the real security heroes are the men and women who keep the bad guys out while fighting their own organizations at the same time.

People love to hear me describe the espionage simulations that I perform, putting together teams of former Special Forces and intelligence officers and targeting organizations, in what many might call penetration tests and social engineering. Still, I bristle when anyone calls me a hacker.

True, I admit that I love performing human elicitation and black bag operations, and it is always a rush to get the access to "steal" $1 million or its equivalent. Yet the "gotcha" games can get old, and while the results may be incredible, they are frequently useless.

I consider myself a security professional, and my goal is to leave a company more secure than I found it. Consequently, I've learned that finding flaws in security programs is only useful when you can identify practical countermeasures that can actually be implemented. Otherwise, you're essentially just highlighting that a company can be easily compromised, which is, at best, a footnote in a security presentation.

Even when a problem is seemingly simple to fix, it is usually not that easy. I am sick of hearing "social engineers" perform tests where they get employees to divulge passwords, and then proclaim that the solution is to tell employees not to divulge their passwords. Likewise, people performing technical penetration tests frequently find unpatched systems and recommend patching the systems. Any qualified CISO already knows these issues likely exist in their environment, and that they should address them. But it is grossly naive to believe that it is that simple to just do it.

Addressing the password problem requires a comprehensive solution of technology, process, and awareness, which requires proper funding, resources, planning, execution, and it still won't be perfect. Social engineering, when performed with proper statistical distributions, can potentially tell you the scope of the problem, but it is far from a useful solution. While patching systems appears to be straightforward, it is an incredibly complicated matter to first find all of the systems that exist, determine their architectures and versions, get administrator access, ensure that licensing exists to update systems, determine if there are any incompatibilities with patches, get the required permissions to have outages, acquire the systems, software, and/or personnel to roll out the patches, etc.

Then consider that these are just two projects among countless other projects that a CISO has to address, and especially prioritize, with each potentially project expending their organizational reputation, and all involving buy-in from other parties.

On multiple occasions, I performed penetration tests that were able to grab the attention of Fortune 50 CEOs by demonstrating the substantial business value that could be lost due to poor security, and providing actionable recommendations. In response, the CEOs increased the security budgets by more than $10 million and increased staffing to begin to address the problems. For my team and me, it was fun and easy. Periodically, we are brought back to advise and further assess how well the improvements are progressing. However, finding damaging flaws in the security posture of a Fortune 50 company is too easy for highly skilled attackers, like those on my team. The people with the really hard jobs are those responsible for fixing the problems.

The general public, and even the security industry, seems to idolize the "hackers" and people who can compromise security of organizations with ease. They are frequently referred to as the "Rock Stars of Security." Some of these people have incredible skills at what they do. However, the "Rock Stars" we should be revering are those working on internal security teams, who know all too well that real security involves infinitely more than telling people "don't give away your passwords" or "patch your systems." They frequently experience failures of one form or another but somehow manage to effectively mitigate losses and keep major organizations up and running.

It is great to have heroes, but the world needs to realize that the real heroes of security are those with the really hard jobs, which means those who are constantly trying to keep the bad guys out while fighting their own organizations more than the hackers. Unfortunately, we rarely know their names, how hard they're working, or acknowledge them for the heroes that they are.

Related Content:

Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
1/23/2019 | 12:48:54 AM
All hail the security team!
The security department is most definitely not as well appreciated as they should be. At the end of the day, there's a lot of things going on in the backend of all of these companies with regards to keeping out unwanted attention that we just don't pay enough attention to. But these departments do and we should thank them for it.
markgrogan
50%
50%
markgrogan,
User Rank: Apprentice
1/22/2019 | 9:17:02 PM
Security package
With an increasing number of users of the internet world today, security lapses are unfortunately increasing too. The real deal should be the other way around but sometimes there could just be too much to handle. In due time, service providers need to somehow come up with a solution to tie service with security in a package.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/14/2019 | 8:55:12 AM
On hospitals
The WORST job I ever had (everyone should have one such job) was at a major hospital chain in a major city.  11,000 systems (Windows XP, 2000 and NT back then) with hard coded IP addresses and subnet (nobody knew where the next chain subnet began),  Security?  DID NOT EXIST.  IT was outsourced to First Consulting group (later bought by CSC) and it was a nightmare.  Porn, malware, virus RAMPANT and re-image?  No firewall at all, stuff came back in 24 hours.  AND 30 systems STOLEN from a locked room.  Just like that.  So security in a large environment - some are beyond belief.  (Then there is blue tarp over a mainframe that had a water leak too.  And then a Windows 3.11 system as a server on a cinder block over a flood line).   This is true stuff folks. 
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
CVE-2018-7844
PUBLISHED: 2019-05-22
A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.
CVE-2018-7853
PUBLISHED: 2019-05-22
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus
CVE-2018-7854
PUBLISHED: 2019-05-22
A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.