Previously I stated that “Overcomplicating Security is Your Greatest Weakness” [1] and now I would like to expand a little more on this issue. I will state that I have a lot of professional respect for many of my peers, but I know factually that many have been on the wrong security path for some time. Initially I tended to blame certification bodies for putting forth less than stellar explanations of “real world security”, then I began blaming those tasked with frameworks, guidelines and standards for what I feel (not felt), are “less than stellar” explanations and or fixes for issues in the networks. Prior to discussing security issues, I’d like to point out “conditioning.”
clas·si·cal con·di·tion·ing - a learning process that occurs when …show more content…
We all know signs, signals, and so forth. We are all are that red means stop, yellow means slow down, and green usually means all is well (good to go). In the security realm, it is no different. Head over to the SANS Internet Storm Center [2], and you will notice a bar across the top of the page. Red, Orange, Yellow, and Green. These colors to SANS indicate “Loss of connectivity” (red), “Major Disruption” (orange), “Significant Threat” (yellow), and “Everything is normal” (green). The same applies for the “Homeland Security Advisory System.” [3] Now that I have explained this, let’s have a look at three of the most absurd security rated flaws I have encountered during my penetration testing these last few months. These three are repeat offenders, and I see them in over eighty percent of my …show more content…
Some may chant: “Threat Intelligence!” to which that too can fail:
[minemeld]
[sofacy]
For all the chest thumping, high fives, guidelines, standards, and baselines oh my… We continue down this path of not understanding a risk, a threat, and a vulnerability. Forget about the threat actors here. It is all about security awareness. Professionals need to be aware of what their environment is supposed to do, and how to look for the things it is NOT supposed to do. We need to stop this self-induced mechanism of making our security insecure. Last example:
[ssl-cert]
Who doesn’t love this picture? During my penetration tests, I see this error come up whenever I have logged into printers, cameras, phones, you name it. How many of your employees do you suppose have seen this? How many employees have you unwillingly trained to ignore an SSL certificate warning? Do you think for a moment I will not create a man in the middle attack, and be successful at it during my penetration testing engagements? I know it will work, and attackers also know a MiTM will work. Many individuals have been groomed to just hit: “ok… Go take me there
clas·si·cal con·di·tion·ing - a learning process that occurs when …show more content…
We all know signs, signals, and so forth. We are all are that red means stop, yellow means slow down, and green usually means all is well (good to go). In the security realm, it is no different. Head over to the SANS Internet Storm Center [2], and you will notice a bar across the top of the page. Red, Orange, Yellow, and Green. These colors to SANS indicate “Loss of connectivity” (red), “Major Disruption” (orange), “Significant Threat” (yellow), and “Everything is normal” (green). The same applies for the “Homeland Security Advisory System.” [3] Now that I have explained this, let’s have a look at three of the most absurd security rated flaws I have encountered during my penetration testing these last few months. These three are repeat offenders, and I see them in over eighty percent of my …show more content…
Some may chant: “Threat Intelligence!” to which that too can fail:
[minemeld]
[sofacy]
For all the chest thumping, high fives, guidelines, standards, and baselines oh my… We continue down this path of not understanding a risk, a threat, and a vulnerability. Forget about the threat actors here. It is all about security awareness. Professionals need to be aware of what their environment is supposed to do, and how to look for the things it is NOT supposed to do. We need to stop this self-induced mechanism of making our security insecure. Last example:
[ssl-cert]
Who doesn’t love this picture? During my penetration tests, I see this error come up whenever I have logged into printers, cameras, phones, you name it. How many of your employees do you suppose have seen this? How many employees have you unwillingly trained to ignore an SSL certificate warning? Do you think for a moment I will not create a man in the middle attack, and be successful at it during my penetration testing engagements? I know it will work, and attackers also know a MiTM will work. Many individuals have been groomed to just hit: “ok… Go take me there