@denverpilot
And here I thought I was a cynic.
Against nation states, yeah. Basically impossible, but in that case the focus should be mitigation and recovery. Often overlooked aspects of cyber security.
With that said, I have built systems that have passed audits and white-hat hacker attempts hired by federal agencies. It can be done, just damn difficult, and requires extensive planning and acceptance of certain losses (e.g. some level of information loss on workstations).
Tim
Heh. You're exactly right.
The cynicism probably began some time around us becoming tangentially involved in stuff DHS is (rightly) interested in and we have an IT staff of three.
If others in our space have 20-30 dedicated security staff and we have three "catch as catch can" staff wearing six hats... Simply a reality at our size...
We're baked if someone actually goes after us.
And nation-states are interested in the stuff one of our six businesses does.
Do they really care about our piece of it or could they gain anything from messing with us? Hell if I know.
I'm just the guy having the hallway conversation with the Accountant ...
"Man, this security stuff is expensive. I told the bosses it's killing us."
"Our customers have a 30 to 1 ratio of full time security staff to us. They expect certain things they've been doing for decades. We don't even have a single full timer."
Are we really dying? No. I expect accountants to do that job of whining about costs consistently or I would wonder if they're doing their jobs.
As far as our part in it, like my boss said ... "We do whatever they want to pay for, and tell them the risks."
It's very similar to the other thread on mechanics. Our bosses don't know much about system security but the regulators say they're in charge of doing it. They delegate to me, and I've done it at much bigger places with budgets capable of supporting it. I say, "Here's the next thing you should do and it'll take a year and cost X."
Unless a regulator forces it, they're stuck knowing we recommended it and their customers won't pay for it. Their customers just think it probably is getting done. If we hand them a paper that says we passed any particular audit, maybe they like it maybe they don't.
What they want done will change next week with the new list of zero day announcements. It'll be on next year's checklists and by then the zero day flaws are completely different.
The software biz has never truly told the customer how expensive it is to build software right in most sectors. Nor priced it correctly.
A staff member took all six of our companies offline this week. He had legitimate but poorly intentioned access to something he wasn't trained or qualified on to get him access to something he needed to do in the same system. I wouldn't have ever given him that access but I was vetoed years ago on that one. Business reasons.
It worked until it didn't. He felt bad. Lots of reports and stuff to say "He shouldn't have had access to things he didn't understand."
Multiply that by millions of people and you have the current state of the industry.
We changed the access and started three significant projects to alleviate someone else accidentally doing it in the future. I'd guess a few hundred man-hours of work as a start. All because someone way above us wanted stuff he does done quicker than a change controlled process would ever allow and didn't get him any training.
There were rumblings of firing the guy. I was the first to say in the meetings that their anger at him was misplaced if they never trained him on what he was doing. And it wasn't a security issue. He was authorized to be in the system he was in. They didn't put proper controls around his work.
That's a security problem but not one that I can fix. They will probably lock him out anyway and make someone else do that work, but he didn't do it maliciously or breach anything.
Still took everything down. And I truly mean everything.
Came up with some stuff where the same mistake would only take down a fraction of the stuff and I'll get that risk partially mitigated through a better design, but he had access to the self destruct button and didn't know it, and pushed it.
Security-wise I'm not sure if a dedicated malicious person could have figured out that buried self destruct button was even there but if they got only a small bit of read only access to a workstation and looked, they'd see big hints of it. So ... Could have been far worse.
By the way, all those nice government and private testers who were given that much access without having to even break in to do it, completely missed it. They had the visibility to it and only needed one more step of easy social engineering to exploit it. Easy.
That same industry guy with a huge security team talking to the regulators candidly even mentioned that problem, "There's no standard in pen tests. I can buy a good one or a bad one. You'll accept either one."
The industry is in a really bad spot right now. You have to buy expensive things to meet regulators' desires but the regulators don't set any standards on those things.
The industry group asked the regulators to make recommendations that a national lab take over both the standards and the testing. They want nothing to do with the liability of guarding stuff against bad nation-state actors. They also want nothing to do with their required documents being waved around by politicians with agendas in open hearings.
The really bright guy went so far as to say either set real standards and do the testing you want, or classify the documents such that the politicians can't publish them without approvals that would allow for a reasoned response.
Pretty interesting meeting. He wasn't wrong. None of us has anything to hide but we also know all that paper is ultimately fairly meaningless. The checklists are yesterday's threats. Tomorrow's threat won't be on the expensive checklists. Never are.
Locked the gate after the chickens got out.