You can't secure what you don't acknowledge.SM

Friday, April 11, 2014

Heartbleed - the biggest Web security problem ever???

I just came across this piece from NewsFactor: Is Heartbleed the Biggest Web Security Threat Ever? and couldn't help but chime in. Contrary to popular hype, I don't think the biggest web security issue we face (now or ever) is a technical problem...instead, it's something with hair on top like I talked about here.

As with the hype over the Target breach and the gloom and doom over Windows XP's end of life, it's never the hard-to-find, technical stuff that many people believe is at the "heart" of our security woes. Instead, this issue, like most others in life, can be distilled down into a much more basic form. We're our own worst enemies...

P.S. Wouldn't it be weird if the NSA is somehow tied to this vulnerability...? ;)

Wednesday, April 9, 2014

Windows XP: Goodbye my love...well, not really.

Windows XP...ah, the memories!

I wrote many of my books including the first two editions of Hacking For Dummies and the first edition of The Practical Guide to HIPAA Privacy and Security Compliance originally on Windows XP - not to mention countless articles, security assessment reports and more over a 7-8 year span.

It was nice working with you XP!

I waited to write this post today, the day after all the Windows XP end-of-life hype, so as to not get caught up in that mess from yesterday. What's interesting to me about this whole Windows XP story is that every analyst, IT vendor marketing rep, journalist, auditor, and consultant is an "expert" on the doom and gloom that will be brought upon society with all of the businesses and consumers not upgrading their operating systems.

Looking at the headlines, still today, it's kind of funny (and sad):
"Vital industries exposed to risk"
"Isn't safe to use anymore"
...blah, blah, blah.

Apparently Windows XP is still being run on 25% of PCs. Will we hear stories about Windows XP systems being drywalled into oblivion like we've heard about Novell NetWare? Probably not. I do suspect it's going to be around for years to come. And, sure, vulnerabilities will be discovered - especially on systems that have scant security controls to begin with. IT's elite will clamor about their amazing exploits. Management will still have their heads in the sand. Life goes on.

The funny thing about Windows XP is that the OS itself is not where the real risk is in most network environments. [Oh gosh, did I say that out loud!?...now I'm going to have some "researchers" all over me...shudder.] Real-world experience tells me that much of the risk comes from all the other software people are installing and IT is not patching; that's what creates the real problems...the latest study shows that 76% of vulnerabilities are NOT Microsoft's issue. I've seen higher numbers in the past.

Microsoft Corporation is being treated like some of the big social/political issues like "global warming", gun control, and income "inequality" because they're expedient, convenient, and intangible enough to get people riled up.

Here's the real issue that we're still not hearing: I know without a doubt that many of the people preaching fire and brimstone about Windows XP are the same people who continue to ignore the critical basics I'll rant about until the day I retire, such as:
  • Network shares full of sensitive files made available to everyone with a login
  • Mobile devices with ZERO security controls
  • Minimal - and grossly reactive - system monitoring
  • Firewalls with default passwords
  • Laptops storing tens of thousands of credit card numbers and SSNs with no hard drive encryption
  • Open wireless networks for "easy guest access" that provide full access into the back end network
  • Database servers with no passwords
  • Operating systems with weak passwords
  • Numerous cloud services being used without IT's consent or knowledge
  • Physical security control systems with ZERO security controls
  • etc...
Unless and until these people have helped themselves and the others who depend on them fix this low-hanging information security fruit, I'm going to say: Got XP? No problem!