Day 12: 10 Reasons Why Security Sucks

Cyber Security has come a long way in the last decade and so has the culture, but we still have a long way to go if we are to start seeing greater improvements and I put a lot of the shortcomings down to the culture.

Culture is very important, it defines everything from organisations to countries and has the power to influence the way we act and think, the trouble is Security culture sucks and here are 10 reasons why…

1. Focusing on 1337 hacks and 0days
   It’s an obsession in the community and the press, APTs and 0days are all around us, or at least that’s what people would have us believe. Too many people are obsessed with the fringe cases, truth is you’re more likely to get hacked through some PHP web app or through targeted phishing attacks. While it’s cool to learn about fringe case hacking, it should not divert our attention from the basics, if in 2018 people are still getting hacked by SQLi vulnerabilities then we need to come back down to earth and fix all the basics first.
2. Responsible Disclosure Policies
   Speaking as a bug bounty hacker and as someone who has done web application security research for many years, I can honestly say that the state of responsible disclosure is not even close to being acceptable. For one, most companies don’t even have the standard security@company.com email address. Secondly, in most cases there is no clear procedure for reporting vulnerabilities which often leads to public disclosure (e.g via social media). Finally, if you do manage to get through to someone you’re more likely to hear legal threats than any kind of instructions on how to disclose.
3. Victim Shaming
   Links are meant to be clicked, emails are meant to be opened and websites are meant to be visited, users cannot be blamed for using technology as it was intended. Unfortunately it’s still common to blame people who in most cases should not have had that level of access/responsibility anyway. Victim shaming is common in the community too, you will often hear ‘they should have just patched’, those that say this clearly have no experience in the complexities of some production environments and just attempt to shame the victims, most likely to inflate their own ego.
4. Security Awareness
   There is none. Well that is a bit of a dramatic statement but you get the idea, it’s still a very limited number who are truly aware of the risks we face. This is why we need to keep educating people. For example, if some people simply knew the structure of a URL they might be able to spot 99% of phishing attacks, yet security awareness is still something a lot of companies think is beyond them and users think is boring.
5. Vendor Dictatorships
   Vendor dictators who specify that their products cannot be tested or refuse to release CVE info are only hurting the state of security, this is an old way of thinking and one that needs to stop if we are to move towards a more secure future. Will it happen anytime soon? Probably not, but we can start to move away from these companies and protest with our purchasing power, companies like this won’t start taking security seriously until it starts to impact their bottom line.
6. Lack of Organisational Planning
   The story is usually the same, organisations react to incidents as they happen and generally believe that they won’t be targeted, after all they have done nothing to get noticed by 1337 hackers. This culture is simply wrong, all forms of security should be proactive and not reactive, security is like insurance, by the time you realize you need it, it’s already too late.
7. Embracing Hackers
   Too many organisation fear the word hacker, but it’s worth remembering that people who commit cyber crime are criminals, people that push the boundaries of what’s possible with technology are hackers. Most hackers want to do what’s right but they don’t always want to work for a corporation nor do they want to participate in bug bounty programs, some like to just scan the internet and poke around. Don’t get me wrong, I understand this is a shocking concept to some but it’s going to happen regardless. So companies have two choices, either be rude to and threaten those that try to help or embrace the community and give credit where credit is due. If they don’t the hackers will just move on leaving your organisation exposed to the threats they tried to help you fix. Quite honestly, often fixing the issue and good manners are all it takes.
8. Too Many Egos
   From pentesters to sysadmins and vendors, egos are all around us and they impact security in many different ways. Some pentesters I know do not know when to stop and will quite literally ‘hack’ a company and go too far just to prove they are 1337, testers are not there to prove anything, they are there to help find issues and offer advice on ways to mitigate those risks. Sysadmins egos can be an issue too, sometimes they will just deny a request to prove who is in charge or they will argue to the death that they are right even when they are wrong, they most likely feel threatened or undermined in some way, so we need to build a culture where it’s ok to be wrong and it’s ok to get help, no one has to be right all the time. Finally, most vendors don’t really like it when people point out security issues in their products, some will even go as far as gag orders, this is just wrong. We as consumers have the right to know if the products we use are secure or not.
9. Powerless Security Teams
   Far too many security teams might as well be called overpaid puppets, not because they are not skilled or move, talk and act like puppets but because they do no more than act as sub-servants of a certain department with no authority. The worst case scenario is when security teams are not empowered enough to enforce policies which are in the best interest of the organisations security. If organisations want to avoid disaster they need to start empowering their security teams and give them the authority they need, and deserve.
10. Breach Shame
    As long as you didn’t get hacked via a 10 year old SQLi vulnerability or leave your data exposed on ‘the cloud’ and you actually did everything you could to be secure, then there is absolutely no shame in being breached. Yet there seems to be massive stigma around being hacked, for anyone who thinks being hacked is shameful I dare you to challenge an MMA champion to a street fight; see naturally there will always be adversaries capable of carrying out a successful attack, it’s the nature of life but what’s most import is how you deal with it. How fast you limit the damage, how fast you report the breach to your users, how fast you patch the issues and how fast you learn the lessons. If you try to cover it up, forget about it or deny it then you simply add to the negative security culture that is dragging us all down.

I am hoping now you can see that perhaps it’s security culture we really need to address if we are to be serious about being more secure and that we will only get there through creating better ones, be it internal, external or national.