
May The Information Security Management Force Be With You

Level 12

“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted”. - Kevin Mitnick

“But evil men and impostors will proceed from bad to worse, deceiving and being deceived”. - 2 Timothy 3:13 NASB

In the last five posts over the past three months I have explored topics in Security Management. I touched upon the top three types of threats in information security - Infrastructure, Application Attacks, and User Attacks. In this last post of my series, I’m going to look back on each post and reflect on the audience’s feedback.

INFRASTRUCTURE

Dark Side Of The Encryption

The increasing amount of encrypted traffic inbound and outbound on the network certainly challenges the visibility and control of security management. Some commented that the wonderful defense in depth still left something to be desired due to the nature of encrypted traffic. I agree that our monitoring technology and techniques will need to evolve, but I believe that there hasn’t been a solution yet. No, inserting SSL Interception will break stuff.

It’s Christmas Day. Do You Know How Long You’ve Been DDoS’ed?

Many companies are still unprepared for DDoS attacks. It’s hard to defend against and mitigate massive DDoS attacks solely with perimeter security equipment. Isn’t it nice that DDoS attacks can be stopped at the ISP before hitting your door? Some commented that it’s indeed the practice at the companies they knew of or worked for. It won’t be a surprise that a gaming network will be taken offline by DDoS attacks before a major holiday.

APPLICATION ATTACKS

OMG! My Website Got Hacked!

Let’s face it. The best designed and most thoroughly tested web applications still have many issues - just look up the OWASP Top 10 lists since 2004. Now we hook these web applications to the public internet, the wild wild web of good and malicious users. The same techniques were used again and again to successfully hack these internet-facing web applications. It’s not a matter of carelessness. In fact, web applications are written by humans on frameworks and systems that have vulnerabilities.

Almost 17 Years of SQL Injection, Are We Done Yet?

The No. 1 technique that breaks web applications today is SQL injection. It’s not hard to figure out why this 17-year-old technique still cracks modern, well-protected web applications. One seldom finds a useful web site without an input form nowadays. If data sanitization is taught in every programming class, how come security, especially against SQL injection vulnerabilities, becomes an afterthought? And how come there has been an increasing number of SQL injection incidents in 2014 and 2015? I am looking forward to seeing the 2016 OWASP Top 10 List; I won’t be surprised if Injection is still No. 1.

USER ATTACKS

Spear Phishing - It Only Takes One Click

Ah, I like this topic. The reason is, as Kevin Mitnick put it, the human factor is truly security’s weakest link. We had phishing emails against mass audiences in large-scale campaigns. Now we increasingly have targeted phishing, or spear phishing, emails against individuals. The scary thing is that spear phishing works. Hey, even the Pentagon was hit by this kind of attack. Many companies started internal “simulated phishing” campaigns in order to increase their employees’ security awareness and observed improving results. However, hackers will still gain advantages from this human factor.

So, what’s my conclusion? Well, “Winning The Loser's Game of Information Security, Personal Edition”, because even though it’s getting more difficult, we are still capable of “Winning The Loser's Game of Information Security”.

It’s been a great pleasure to interact with you on the above information security topics this quarter. Please review my past posts in this series and leave your feedback here or on the individual posts.

8 Comments
MVP

mfmahler‌, thank you for this informative series. 

There will always be attacks on the infrastructure and application side...but the user attacks are likely the most fruitful for the attacker.

Most people aren't diligent or have the "it won't happen to me" attitude...or in many cases just don't know any better, hence the email scams work; social engineering and phishing tend to be easy wins for the attackers.

While companies can make efforts to educate their people, many think it is a waste of their time probably because they really don't know any better or possibly don't care.

Thanks again for this series..

That very first sentence set a mighty high bar.

Outside of a CIA / FBI / NSA / KGB / MI5 environment, where someone's literally standing next to every person who has computer access, to protect against a corrupt or disgruntled employee violating policy--how does one do a perfect job of preventing non-sanctioned activity by a trusted insider?

Training, training, training.  Trust But Verify.  In God We Trust (All Others Pay Cash).

But after all that, Skeptical Cat remains skeptical.

Fear of punishment, jail, being caught--has not stopped all crime.  Having increased monitoring & newer high-tech security solutions can reduce unauthorized access & sharing of restricted files.

Achieving 100% security while keeping accessibility may remain a good dream to dream.

In the meantime it's good to be informed, have policies, and learn how to better secure our resources.  I'll remain cautiously optimistic, but I won't become the Pollyanna that trusts all people are basically good.  Particularly when you have something they want badly enough.

I DO like the security series though!  Keep 'em coming!

Level 14

Great series.... I'd love to see more like it in the security arena..

A closing thought... In this case paranoia can be a good thing - in moderation!

Level 12

awesome.

Level 12

mfmahler, after my recent switch to an industrial setting this last month, I noticed one thing: information security has one thing in common with industrial safety, "The Human Factor." Because of this I know how to drive the Security Awareness Related Program: because the execs already understand the human factor in Safety, I should be able to make the comparison to Information Security, right? I'll let you know how that goes over the next few months.

The other big revelation after coming out of the financial industry is that companies in other industries really don't care about information security because they rarely see a monetary value or ROI attached to it. In the Financial Industry, regulations and laws drove information security. Regulations also drive some security in industrial environments, but you can quickly see that they only do the bare minimum to get by and mainly only protect the critical stuff.

Your series hit on a number of great security topics. Thank you for sharing. Sharing is caring...

Level 8

great information

Level 14

User training should always be given a high priority. Security problems expand the higher you go up the OSI model, with people residing at Layer 8.

Level 8

Very good information. Thanks

About the Author
CCIE Data Center #46006. I am a passionate IT professional who splits the work hours as a Datacenter Architect and a Network Security Specialist. Yes, I enjoy this double personality professional life.