We must change how we do information security. Here is my suggestion

The Information Security Profession, ThoughtsEitan Caspi

As you advance in years in this profession, an increasing part of the efforts required of you is concentrated on “not giving up”.

A significant part of this is due to the huge gap between the information security tasks that needs to be accomplished and the resources given to realize these tasks, with an emphasis on the lack of personnel (in quantity and quality) and the objections of those who are not part of information security, i.e. the internal customers of the organization (mainly development, DevOps, marketing and so on).

In recent years, there has been strong public talk about the lack of manpower in the field of information security, and there are many efforts to overcome this gap, when unfortunately these efforts also cause the entry of quite a few suboptimal personnel into the field. The main thing is to apparently count more professionals added to the field, but this causes to a decrease in the level of performance and quality in some cases, so the advance using these efforts is sometimes questionable.

It is important to understand that the gap in information security between tasks and resources will always remain, to one degree or another, because:

  1. That’s life, it’s not unique to information security – you almost always don’t get what you want, and usually not what you need either (and thanks to the “Rolling Stones” band for that). You have to know how to work with what you have, constantly reflect to the relevant people the gaps and accordingly the risks, and live with it knowing that you are doing the best you can under the given circumstances.

  2. In most places where you will do information security – information security will not be a top priority, to say the least, and depending on the resources you will receive (and the resources in this domain are expensive). And that’s fine, and that’s true. You will not spend 1000 cash to guard an object worth 600, it makes no sense.
    Information security is not a core activity of most organizations. Information security does not bring in money, on the contrary. At best, it can be marketed as a Business Enabler, meaning a positive feature of the organization and/or products/services that can be marketed to the world.
    Information security is an envelope service provided to the organization, according to risk prioritization that the organization does (hopefully…), and the gaps you encounter are supposed to be “priced” as part of the organizational risk management. Information security in most cases pursues those it needs to protect, they are almost never a partner from the beginning, and the results and prices are accordingly.

  3. In many cases information security is seen as a type of “insurance”. In other words, we know that we need to prepare for possible damage, but in the current we suppress the thinking about this risk and accordingly devote as few resources as possible to it, with the assumption (part of it is suppression) that the chances are that the risk will not materialize and therefore we want to avoid unnecessary expenses for the benefit of this activity.

  4. And here I come to the main topic of this post, which links to the issue of the lack of manpower that I mentioned at the beginning – information security is considered as an exclusive subject/problem only of the information security department and its people, and therefore they are solely responsible for it.
    Everyone else does a favor and helps when possible and when they “feel like it” or when they are forced to, usually due to external reasons such as laws, regulations, or external criticism.

Information security, as an organizational function, because it is not a high priority in organizations – always has to run after the internal customers, especially development and DevOps, and try in one way or another, positive or negative, to get their “attention” and working hours of execution to promote information security with them.

In my opinion, changing this attitude is much more important to address than the lack of information security professionals. We need a fundamental shift in how we do information security.

As long as the current attitude will not change – the attempt to add more people to the information security profession, all continuing to follow the same activities as mentioned above – will not solve the problem.
It is not the direction in which efforts should be invested. Information security is a challenge too big to be handled exclusively only by information security professionals.

In my opinion, the only way to significantly improve the situation is only if it will be defined for all relevant internal customers of information security, from the top, from the CEO on down – that information security:

  1. Is an integral and essential part of any products/services that the organization creates. It’s not nice to have, it’s not “let’s do a favor to the poor information security folks who are begging us to do some information security”.

  2. Will be integrated into every product/service life cycle – from the product planning by the product managers and architects to the cancellation of the product/service and its fade out and closure

  3. Information security will not be the sole responsibility of the information security department. Each department, each manager, and each employee – will be responsible for implementing information security in their field of activity. The responsibility will first be on them.

The information security department and its people will assist them, with training, direction, advice, integration, etc., as a kind of internal “consultants”, but they will not be the first line. Information security will manage this activity “from above”.

Also, of course, the information security department will continue to be exclusively responsible for the core topics of information security and will operate products and services that are distinctly information security.

In my opinion, only a change of direction as proposed above could actually improve the implementation of information security from its current dismal state, otherwise we will continue to rely on the inherent incapacity of the current situation as described above and lose severely in the battles against the bad guys.

Microsoft Office 365 blocking access to sites with digital certificate issues – is not working

Hacking, Hardening and Mitigations, Vulnerabilities, What have I discovered?Eitan Caspi

Dig this – a bonus for you, my loyal readers… 🙂

Do not click on this link – https://2.21.143.74. It is the IP address of microsoft.com (the IP itself is of Akamai). Copy it to a clean Word document or clean Excel worksheet (make sure the apps are using the latest version of 365). Make sure the text becomes a link. Click on the link. A warning message will appear as in the attached image, stating that there is no match between the site you requested (because you requested an IP address) and the name of the site for which the certificate is intended (microsoft.com).

If you click “No” or the “X” button for closing the warning message window or even typing the keyboard combination of Alt+F4 to close the Word/Excel app – the link will open anyway … only killing the Winword.exe process for Word or Excel.exe for Excel – will cause the link not to open…

Also notice that the default focus in the warning window is on the “No” button, so a user’s automatic action (hitting “Enter” or “Space” on the keyboard or clicking the mouse main button, if the cursor feature of “Snap to default” is enabled) will cause the site to be opened instead of avoiding the site. That means that this protection does not work.

I contacted the MSRC with the above information, and they responded as follows:

Hello Eitan,
Thank you for submitting this issue to MSRC. We determined that while the issue you reported is valid, it does not meet our the bar for immediate servicing. That being said, this submission has been flagged for future review by the product team as an opportunity to improve the security of the affected product. We do not have a timeline for when this review will occur, and will not be able to provide status for this issue moving forward.

The Iran experiment?

Critical Infrastructure Protection, Cyber-physical systems, ThoughtsEitan Caspi

I thought – the recent cyber attacks, not too frequent, but quite regularly, against broad civilian infrastructures in Iran, such as electricity, gas stations, trains and the like.

This kind of things that will not bother directly the regime, but will actually make it really difficult for the lives of the citizens there very extensively, who already suffer from difficult living conditions – is this an attempt to bring them to despair and rage that will lead them to a coup against the regime?

I do not think such a thing has been tried before in the world, but in a “cold” look, if it is so – then it is an interesting experiment of pushing the masses into action through cyber
attacks against the physical dimension.