You can't secure what you don't acknowledge.℠

Thursday, February 17, 2011

Are you focusing on the infosec basics where it counts?

Here's a good read from @arstechnica on the HBGary story. It's a fascinating story in and of itself. But the oversights related to information security "best practices" are amazing.

What is it going to take to get people to focus on the basics? Seriously, folks...Forget about all the fancy hack attacks and complex exploits for now and fix the low-hanging fruit. It's basic triage - stop the bleeding first. Focus on your highest payoff tasks and work your way down the list.

All things considered, by just focusing on the basics of information security controls and testing alone you can achieve top-notch security, relatively speaking, which is light years ahead of where most organizations are today.

Not surprised by the Wells Fargo ATM outage based on what I see

Here's an interesting story about the widespread Wells Fargo ATM outage that occurred last week. There's speculation around the cause of the outage. Was it a hack? Was the system inadvertently taken down during system upgrades? Who knows...

What I can say is that virtually every ATM I've come across in my work performing internal security assessments in/around the financial industry has been riddled with security holes. I've seen weak OS passwords, missing patches dating back 8+ years (many of which are easily exploitable via Metasploit to boot), open network shares and so on. Not long ago, I came across an ATM controller system (the big system typically running UNIX that controls all the ATMs across the bank) that had a blank password for the root account. How's that for accountability?

Seeing what's going on with ATMs, it's no surprise to me that this Wells Fargo outage occurred. I'm not saying a vulnerability was exploited in this situation, but you never know. I am surprised these types of outages don't occur more often. When these types of security holes are present in ATMs, all it takes is a rogue insider with a little bit of technical sense to take everything offline, and more.

Remember if it's got an IP address, anything's fair game.