Top 10 Reasons You’re Wrong About Your Own Security
By: Charlie Hill

1. You don’t know your own target value.

There was a time, decades ago, when only the big or interesting got hacked. Hacking required time and effort, so only high-value targets were worth the energy. But times change, and last year’s ninja-level hacking is this year’s stocking stuffer (USB Rubber Ducky, Pineapple Mark IV). Now you’ll get hacked not because you’re worth the effort, or because you angered the wrong hacker, but because you fell between the starting and ending addresses of a scripted attack. It’s random, and as persistent as pop-up ads on top ten lists.

2. You’re still using last year’s tech. [No Money, Mo Problems]

Old hardware gets later and less frequent software updates, leaving it vulnerable to emerging threats. This means that to stay safe you have to stay current with hardware. Unless your network is shiny and brand-new, you’ve got old components that you try not to think about. They are low-hanging fruit for hackers. You know the ones: that scanner that still sends you a weird email with your scan attached; the voicemail system that’s running on an old Pentium in the closet. These systems still operate, albeit at an archaic pace or in an archaic manner, but they do work. The cost of upgrading is difficult to justify if you already have something that works.

3. You don’t see the boulder coming. [Circus clowns are seldom successful deer hunters.]

Most of the attacks that come from the internet are minimally effective: the bored and nerdy playing with the latest hacking toy. Basic anti-malware or intrusion detection will spot and stop most of this traffic. These are launched by the script kiddies who choke the internet with shared automated attacks that they don’t even understand. We are comforted by the alerts we receive telling us our systems are protecting us. But those are only the attacks you know of. It’s the others that should truly worry you.

Home Depot, Target, Chase Bank and Kaspersky Labs were all the victims of targeted attacks. They were chosen victims, not random. And the attacks were tailored to the victims’ networks. It wasn’t until months AFTER the breach that most of these incidents were even discovered. As we learn from attacks and adapt our defenses, the enemy is learning, too. They’re adapting attacks in response to our defenses. High-value targets merit advanced techniques such as “zero-day exploits”: unknown, and therefore indefensible.

4. You have a life. [Nobody has the time it takes to stay on top of this.]

As the pace of change continues to accelerate, varied attacks emerge at a rate faster than any one person can match. We must specialize. Become the “Email Engineer” or the “Database Wrangler” or the “Encryption Oompa-Loompa.” Sure, it takes all your time, but you’ll know your area well enough. And that’s about it. We have mountains of knowledge, separated by vast valleys of ignorance.

5. It’s easier to sleep if you think you’re safe. [Ignorance is bliss]

If you knew that your house was on fire, you’d have to act. Immediately. If you knew how many ways your network and data were vulnerable, you’d be compelled to act. Immediately. We all know there are critical problems that require our attention, but our days are already full. We’re usually plenty busy just trying to keep our networks afloat. That security audit will have to wait until 25 o’clock on Nonesday.

6. If you find it, it’s YOUR problem.

“Thanks for bringing this to our attention, Larry. We want you to head up the team to solve it. We’re calling it Team Larry, or Project Larry, or the Larry Syndrome or something like that. You’ll really make a name for yourself with this one. Good work.” An unfortunate consequence of a breach is that heads will roll. The board and investors demand blood, and the Chief Security Officer is gonna get fired.
This often means that the person most qualified to keep this from ever happening again is placing personal effects in a cardboard box while security watches closely. Ironically, a long list of recent jobs in network security means you’ve probably been through a lot. That makes you more valuable.

7. There is no justice.

So let’s say somebody does hack you, steals your data and publishes it; what are you going to do about it? You can’t un-publish. The internet NEVER FORGETS. The damage is done. You can’t “get even” with whoever did this. In fact, you’ll probably never find out; nobody will. The vast majority of cybercrimes are unsolved. Strike that: un-investigated. Most organizations would choose to keep this embarrassment out of the public eye. Regional legislation is the only reason most companies disclose a breach: the law compels.

8. You think your airbags will save you.

Firewall: check. Anti-SPAM: check. Anti-malware: check. Anti-perspirant: check. Multiple backups: check. Sounds pretty secure, so we can stop changing our passwords all the time and locking our screens, and we’re going to make everyone administrators. It is when we feel we are most protected that we are the least vigilant.

9. You wouldn’t know a “bad guy” from a co-worker.

You can look up Kevin Mitnick or Sven Jaschan and learn something about famous hackers. Hackers get the press. Hackers are sexy and the media love them, but most breaches aren’t caused by hackers. It’s users. And they didn’t even mean to do it. Click and drag a file and what did you do, move it or copy it? The difference matters: one gets completely new permissions, and the other keeps the old permissions. If you don’t know which one is which, then you’ve probably already made this mistake.

10. Security is Hard. [You probably did it wrong]

To completely secure your network and data, remember to select the “Completely Secure” option during setup. It’s that simple. No it isn’t. The best security is the result of constant diligence. Endless testing and adjusting. Each change to improve security introduces a ripple of consequences throughout the network. Update that database to address the command injection vulnerability, and now your backup program can’t parse the indexes. Even if you could perfectly configure all your systems right now, by now there’s already been a change and you’d better get back and test it.

Bonus: You waste too much time with top 10 lists. [Comprehension requires concentration and contemplation]

If you thought the answers to your network security were going to be found on a brief top ten list, then you’re part of the problem, and probably in management. As we are all asked to do more with less, to sacrifice for the company and meet the goals, we are pressured to reach for shortcuts. To find the fastest way to mark this objective as completed. Maybe this top ten list will help me? There are no quick answers. There is no finish line. We’re never done fighting this battle. There is no absolute security. Only acceptable levels of risk.
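Item 9’s move-versus-copy point, shown concretely in an added example that is not part of Charlie Hill’s article: on Windows NTFS (assumed here), a copy is a brand-new file that inherits the destination folder’s permissions, while a move within the same volume keeps the file’s existing ACL. The folders, the file and the Everyone-Read entry are all constructed for the demo.

```powershell
# Added example, not from the article. Assumes Windows with an NTFS %TEMP% volume.
# Copy-Item creates a new file that inherits the destination folder's ACL;
# Move-Item within the same volume is a rename and keeps the file's own ACL.
$root = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid().ToString())
$src  = Join-Path $root 'src'
$dst  = Join-Path $root 'dst'
New-Item -ItemType Directory -Path $src, $dst | Out-Null

$file = Join-Path $src 'report.txt'
Set-Content -Path $file -Value 'constructed sample content'

# Put an explicit (non-inherited) Allow-Read ACE for Everyone (S-1-1-0) on the file
# so the difference between copy and move is visible afterwards.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'Read', 'Allow')
$acl = Get-Acl -Path $file
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

function Get-ExplicitAces {
    # Returns only the ACEs the file carries itself, not ones inherited from its folder.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights }
}

Copy-Item -Path $file -Destination (Join-Path $dst 'copied.txt')
Move-Item -Path $file -Destination (Join-Path $dst 'moved.txt')

'copied.txt explicit ACEs (expect none: the copy inherited the dst folder permissions):'
Get-ExplicitAces -Path (Join-Path $dst 'copied.txt')
'moved.txt explicit ACEs (expect the Everyone Read entry to survive the move):'
Get-ExplicitAces -Path (Join-Path $dst 'moved.txt')

# A move across volumes is really copy-then-delete, so it behaves like the copy case.
Remove-Item -Path $root -Recurse -Force
```

Run the same check on a share that users drag files into and out of; a file that arrived by a same-volume move still carries whatever explicit entries it had in its old location.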