Q3 has represented an interesting period for me in the world of cyber, and in more than one way has demonstrated just why the world may be so vulnerable and suffering so many successful attacks and compromises.
My first observation relates to the aspect (or lack) of cyber-skills deployed within organisations which, in one case, are delivering products and services to national customers based on on-the-job training and course attendance to hone the lacking skills of key operatives (including the management who underpin their security operations), followed up with blindly following ISO/IEC 27001 as the demi-god of all things secure to underpin the million-plus deployment of critical assets, with the very real potential of deploying longer-term exposures into millions of residential and business premises. A security problem for the future, one may add, but at least on this occasion it is a known-known.
This brings me to a Security Conference I attended with around 200 delegates, discussing such things as Mobility, and Bring Your Own Disaster (sorry, I did mean to say Device). Whilst the majority of the delegate base were taking in all the statistics about the future of security, aspects of Governance, Compliance, and International initiatives to deliver higher levels of security, I was busy looking at something else.
Whilst the presenter was discussing the future of security, I spent my time looking at the real world, running a WiFi service against the connected delegates, and discovered the following:
- There were 64 systems connected to the AP – including 34 Apple devices, 3 Blackberries, 67 Samsung, and 9 Intel (and a few other odds and sods, like Dell)
- Of the above connected, about 20 percent were offering up opportunities for Social Engineering through their ‘Personal or Corporate’ naming conventions
- Around 15 percent were hosting open ports offering the potential for attack in the form of TCP 139/139/445 and some others
- Four connected devices were offering up a default SMB account set to ‘guest’
- Two devices were supporting SMB default accounts with ‘guest’ and a ‘blank’ password, meaning they were accessible by an attacker over the AP-connected WiFi environment
Now as I said, this was a security event at which professionals from some of the biggest names in the corporate market were in attendance in their security capacities, yet it was nevertheless a realistic discovery that such juicy snippets as these were available, and not a copy of Firesheep anywhere in sight.
I guess at the end of the day, we as an industry have come to accept that lacklustre security is acceptable, and that it is OK to just have a go and to try, so long as one can tick the right box. But my question is, just at what juncture will someone announce enough-is-enough in a world that is so very dependent on technology to drive its wheels?
Will it be at such time as a well-known bank’s ATMs stop working, or better still start spitting out money? Or will it be when some remote hacker takes control of a SMART meter, or connected home, and does something nasty? In the latter case, this has already occurred in one undisclosed case I am aware of in Scotland, so to some extent the potential has been proven already.
But the bottom line here is, where companies are allowed to evolve a lacklustre approach to delivering security into the public arena, remember, they are potentially messing with the lives, stability and economic wellbeing of the vox-pop. Should this be tolerated?
Or are we still waiting for the inevitable to impact one more?
About the Author: John Walker is a Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), CTO and Company Director of CSIRT, Cyber Forensics at Cytelligence Ltd., Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, and is a Certified Forensic Investigation Professional.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.