Friday, December 21, 2018

For Christmas, don't be Equifax or Donald Trump

All I want for Christmas is to not be an Equifax.  That should be the chant of any VP of IT or even any CEO.

But in the current period of humanity we are in, where diehard claimed christians support an orange lunatic that builds walls instead of protecting refugees, feeding the homeless, or taking care of the countries veterans pretty much violating anything that any version of any bible says.  We must obviously face the facts that humans are mostly hypocrites.   

The Donald after all has been confirmed to have made over 6000 false claims over the last 600 days (link here) including locking down the government because he is not getting the funding to pay for that great wall the Mexicans where supposed to pay for.  Yet the diehard Trump supporters are all behind him, because no one needs to be telling the truth, no one needs to be accountable, and no one needs to be a decent human being because America is great, we are all hypocrites and only care about ourselves.    After all, almost not a week goes by that I cross a company that mentions security a dozen times yet have absolutely no security in place.  So lies are now the golden standard.

So.....

Take a look at the latest claim from Equifax:




https://www.cloudmanagementsuite.com/equifax-blames-one-it-guy

YOU READ THAT RIGHT !

They are blaming a single person for every single one of their failures !

We should call this the Donald from this point forward.  It is a pretty bold move to blame that one IT guy for a long list of failures that cannot possibly be attached to this one poor soul.

Sure, a patch was mis-applied...  but the architecture still remains terrible, nothing is checking their systems for exposed and exploitable vulnerabilities, no lateral movement detection or advanced threat detection is in place, and for this single security issue... no one noticed for months.....

Lets not mention that some of the other divisions of Equifax had open databases visible on the Internet that a chimpanzee could access and see PII data for an entire countries population.

And here is the real kicker, after the breach, Equifax reviewed their security posture and immediately made changes and added technology to the tune of over 100 million dollars to bring their current cyber security posture to what they declared as "modern" and "Acceptable".  

What this means is that they realized that everything they had in place was far behind and needed to have 100 million $ injected to bring it up to "acceptable".

How the heck can that be blamed on that one IT guy.

Equifax, you continue to prove that you are a terrible company and that you only exist because of the strong lobby that is in place combined with the lack of spine from both your corporate customers (The banks) and our government.

So in this holiday period, am I disappointed in Equifax, indeed however the failure remains bigger for the banks and our government including our privacy commissioners who play the big boy game of politics and look the other way.

That is my holiday gift to you, the sad realization that our banks and government suck more then Equifax.  As for all my other friends who are not Equifax, the ones who provides quality and secure systems, I wish you all a merry Christmas.

And for 2019, may we see less Equifax, and lets remain wishful that senior executives who act willfully blind get some real fines that are paid out of their own pockets and not their share holders, and some jail time to serve as an attitude adjustment.

Hey, we can all wish for things under the tree.

Now for some positive comments ;-)

The private sector is booming and much more secure.  I have on-boarded several new clients, all privately owned and all of them listen to suggestions of optimisation based on risks.  So faith in human kind is restored.

So I guess my real wish for Christmas is simple.  Lets all work together to accurately describe risks in business terms and getting risk acceptance performed at the appropriate management level.  Lets call fat...fat... lets call something blue... blue.... stick to the facts, and work to be better as each day goes by.

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com






Tuesday, December 4, 2018

We've got the best people, the best product

This post is going to be more serious.  cough cough...

So the flower site 1-800-FLOWERS just realized that they got hacked years ago (4 years ago) and everyone that came by and entered their credit card numbers had all their information exposed.

But.... it is only Tuesday!  This is supposed to be Friday stuff!

https://techcrunch.com/2018/12/03/credit-card-stealing-malware-flowers-four-years/

For all we know, 800-Flowers may have been doing a great job and simply been a victim of a numerous list of other issues that led up to this.  What we do know is that they relaunched an entire new website claiming to have added security.  That kind of implies that something was fundamentally bad with the old one, or it could simply mean they want a fresh start from a PR perspective.  Time will tell especially if the actual breach details make it out into the open.

Back when Ashley Madison let themselves be hacked end to end because of a complete absence of anything related to security (see my humorous blog entries on this), 1-800-Flowers actually showed some really witty marketing by offering a special flower arrangement for anyone who got called out for having an account on a cheating website.



I have yet to meet someone who will admit ordering the prestigious "Ashley Madison" flower arrangement, so I still do not know the price.


I had a realization today.  Technology companies have long adopted the DJT (Donald J Trump) approach to cyber security.


"They have the best people, really the best, and the best words."

When a potential vendor I am evaluating gives me this type of response...  I get alert.  nothing focuses my attention more than hearing "we have great developers", or "our dev team is the best",  Both statements are actually dead wrong.

Here is why.  

A dev team is put together to deliver technology on a predetermined set of parameters such as a delivery date and a budget.  Sure "features" and "functions" are in there, but security rarely is present in these items.

When the CEO says his dev team is the best, this means they deliver on-time and within budget.  From a security point of view, this could spell trouble.

So why exactly would a CEO think his dev team is awesome?

I'm looking at it from the point of view of security.  The senior executive is looking at it generally from delivering a product that works, looks good, didn't cost a kidney, a limb or your first born, and was done within a reasonable time.

So the word "Awesome" means two completely separate things.

Here is the generally accepted truth about a software development team.

They rarely get the luxury to include a strict security testing methodology within their SDLC (if they even have an actual software development lifecycle process in place).

So I do not disagree with a CEO that says their dev team is the best.  I just place that information into the correct bin.  Bin #46:  Dev team is nimble and generally delivers what is asked of them within a reasonable amount of time/budget.

However, as the Chief of Security Officer, my questions and my priority Bin is #1 to #10 and all touch security, non of it touches short delivery times and limited budgets.

The fact is that dev teams are not trained to be cyber security testing experts, so obviously security should be integrated somewhere in the process with someone who does master this area of expertise or with a trusted third party who provides guidance, or testing with the maturity required to do it for real.

Keep in mind, that outsourcing security in no way affords you the ability to think everything is fine, because in the "services" area, we find plenty of folks who know how to make a buck yet offer very mediocre services (read here... sub par).

Security is a philosophy that needs to be infused across all players.  This takes the right talent, patience and a reasonable investment.

Outside of this, thinking that the lowest bidder, or the really inexpensive web development company we met last week is doing great security is simply beyond crazy.

Most enterprises simply aren't there.

So here is something to think about.


  • Car manufacturers have great engineers
  • NASA has the "best people"
  • Pharmaceutical companies have bio geniuses 
  • I could go on....


They all have something in common.   Good processes that includes formal testing worthy of the asset they are producing.

So we can learn something from these types of enterprises by realizing that if the technology we are deploying is not critical or does not (cannot) expose sensitive data, then sure, the lowest bidder or whatever service is fine.  However, when the service or data is sensitive, an appropriate amount of testing AND oversight is required to ensure that everyone delivers the quality expected.

One of the biggest dangers in the technology industry is the belief that a big company, or an old company, or a company that says the word security eight times on their website.... delivers quality.

Things in the technology world change at an extremely fast pace.   Security professionals that do "real" testing is a rare commodity.  

This means you have to ask the right questions.

First off, prioritizing your assets or your systems at any level is an important part of the puzzle.  You need to know how critical something is so you can handle it accordingly.

Knowing that you are about to outsource to a SAAS or Cloud provider a piece of your business has to mean knowing what value that piece has for you.

So what are the right questions to ask:

With any service that someone delivers, you want to know that they are delivering something reasonable.

My favourite example, is web application development.  In the last months, I have had to deal with several such providers, who all claim to do a great job, yet cannot answer even basic questions about how they achieve this.

Some examples (and the answers I got from a prestigious company): 1) How is security integrated into your software lifecycle?  We test monthly
2) Who does the testing? Our developers
3) What are their qualifications? Senior developers have worked for us for over 10 years
4) What triggers a retest?  We always test monthly
5) What types of tests are performed (provide a list)? Web tests
6) Are these tests automated or manual? Automated every month
7) Who is vetting the test results? Our senior developer 
8) What secure development training has your dev team received?  They are senior developers and have been trained as such
9) What where the last three significant security issues identified during testing? We have not had any significant security issues

That last one is a real kicker.....  they have to provide you with something, and statistically it should be something real, and juicy.  Yet, nothing.  So they have never event had an XSS on a forgotten form field.  Impressive indeed!

Bottom line, these questions should be like the questions you get asked when clearing customs.  The question itself is not that important, it is the response that we are looking at and gauging the maturity of the answers.  The answers above.... simply suck and show no maturity at even a basic level.

You simply cannot just hand off your critical data to any third party that claims they develop secure applications and assume this is all good.

Once you have identified someone that gives you reasonable answers, you should still perform your own testing (or mandate someone to do quality testing for you) assuming the system in question is valuable to your business.

This is the sanity check to ensure that the wonderful rainbows promised to you have been delivered.

The old adage, TRUST BUT VERIFY always applies. 

One thing you can trust me on, is that statistically, most companies claim to provide the absolute best security, and just like Donald J. Trumps hands, come in a little too short. 


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com





Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...