I haven’t posted in a bit and thought I would update my site and share some quasi-random thoughts and lessons learned in IT/InfoSec in the past year or so:
1.) Having enough staff and support that handles IT/InfoSec matters is not only an operational concern but also a security concern. There have been plenty of instances of businesses being compromised or having issues during holidays when they’re running on a skeleton crew. There are businesses who try to continuously run on skeleton crews and use automation to augment them. In my humble opinion this is more of a risk than what it’s worth. Which leads me to my next point.
2.) Revenue and control are top priorities for businesses. I would even argue revenue is more important. Having and running a business is a risk/reward venture. People who take the risk of starting and growing a business are willing to do what helps the bottom line. This means that they don’t necessarily care about if they’re using vulnerable software or infrastructure. They don’t care how much you can ‘pwn’ them; they want to know how much of a risk it is and will it affect their bottom line. Adding to this point, years ago I remember seeing posts (that I can’t find at the moment) that some western businesses knowingly/assumingly let China steal intellectual property but were too afraid to report it to the western authorities because they did not want to lose the Chinese market.
3.) The world runs on vulnerable software and will continue to. If I’m a business owner and I have a Windows XP machine that is hooked up to my network with appropriate safety guards in place and this XP machine interfaces with a machine that is helping my bottom line, I really don’t care if it’s necessarily within compliance/regulations. As a matter of fact, a lab I worked at had a blood platelet counting machine that is FDA approved, this machine still runs Windows XP.
4.) Regardless of what makes sense in the security realm, management can override controls. Try telling a CEO/founder that they need to have MFA on when they’re of an older generation and computers are just an annoyance and necessary evil for their business. Again, this person has likely taken big risks to get to where they are and make the business flourish. Additionally, auditors to this person are an annoyance and a barrier to how they want their business to operate.
5.) Rookie mistakes can lead to catastrophic failures. Recently, I was tasked with performing upgrades on a server farm and due to work, which was done on this server some years back, a loose screw was left in the chassis. The screw arced the motherboard and brought down huge sections of the network and security controls. Let us not forget what happened to MGM. Regardless of what level you’re at in IT/Infosec, having solid fundamentals is key.
6.) Documentation is almost as important if not at times more important than the work performed. We all know there’s google and ways of searching the web, however, the web can lead you down roads that are not accurate or only provide partial answers. In addition, documentation can be removed by the entities who desire this and this includes archive.org. A robust documentation system that is up to date is key to any successful IT operation. Projects and complex issues should have well documented and reviewed processes that can be easily searched. I’m personally not a fan of documentation being stored on samba shares and prefer a solution maybe more similar to: https://itflow.org/
(This is also a good read/worthwhile mention: https://xwiki.com/en/Blog/open-source-alternatives-to-Confluence/)
7.) Skip the salesperson, reach out to an engineer. This might not necessarily be a given but anyone who doesn’t have to support a product or solution and is just peddling it, will try to sell you the moon. Contact the support engineers and see how that goes. Pick their brains and play the role of someone who may need more advanced help with the product or solution. Sales engineers could be a potential answer but to me, “sales” means we have a product or service to sell.
8.) Advanced threats or state actors will always find a way in. There’s this idea of absolute and perfect security that people may strive toward. We all appreciate their efforts but as long as there are entities with deep pockets and nearly limitless resources, they will find a way to compromise their targets. Your ransomware protection scheme has its gaps and a state actor will find flaws. Accept this reality.
9.) Your anti-ransomware backup solution isn’t bullet proof. As long as you need to perform space management on your backup solution, some sort of flag or parameter could be potentially exploited to encrypt your backups. I personally think off-line backups are a great means of deterring ransomware but again, they’re not bullet proof.
#Update 3/9/2024
10.) The software you use that relies on libraries or code from multiple sources is a huge risk. Software supply chain attacks should be a huge concern and not overlooked. Controlling the source of where you get your software from and how its verified is crucial. Hashing and using mock environments to test and monitor software might be a great means of mitigating this risk.
11.) Geofencing is a great tool but attackers adapt and errors can cause denial of service conditions. Pertaining to errors, see this reddit post regarding maxmind that I personally experienced: https://maglit.me/unngenedismist
12.) Saying, “I don’t know” is ok. If you don’t know something.. say it and don’t start speculating if you truly don’t know.
#Update 3/26/2024
13.) Air gapped security only works so long in isolation. An offline MS-DOS system that does a limited range of functions can be a victim to the sands of time. For instance, a key that this system produces may work for the intended applications of a time period or range but technology changes.
14.) All technology that is connected with some sorts of means to the internet is spyware. A device that is built with the best intentions of privacy and security, once connected to the internet is a means of exposing an almost infinite attack surface. For example, your 100% trusted device could connect to a bank and while your device is 100% secure by itself, you provide information to a compromised entity.
#Update 7/25/2024
15.) People have passions about their careers, companies exploit them. Companies need to realize that humans are flesh and bone, not machines. If you take that aspect for granted, they will jump to another company or get burned out and do what is needed to meet whatever expectations at the reasonable minimum. Companies should keep in mind that not all employees are debt ridden financially illiterate slaves. I personally believe there are some companies who exploit the higher educational degree requirement because they believe this person has student debt.