If you were going to test the fault-points of a building, you wouldn’t hire the architect, you’d hire a demolitions expert. Similarly, you don’t want the designer of your network testing its security. If the team that configures your network does so incorrectly, they are most likely unaware. The creator of the environment has an inherent bias based on the angle from which they view it. They are blind to vulnerabilities, not necessarily because they are under-qualified, but because they are too close to the project. A security team has a “black box perspective”, which means they have the same outside view of the system that an attacker would. This outsider point of view is just one of the advantages a security expert has over an internal IT team. They also have the training, experience, time, and resources that would be impossible to lump in with a standard IT program.
Here’s a quick one for all of the administrators and security practitioners. There’s no shortage of third-party programs designed to do remote desktop management and support. And while sure, many of them are secure, the ones we find in use most often are not. The reason being, they tend to be low or no cost solutions. Now, I’m not one to say that security should always be spendy, but let’s be honest, a lot of the time tools are an investment that management is not always willing to invest in. More often then not when we hit a business that is using VNC as their de facto remote management and support tool, the reason behind it is; “Well, it’s free, and we can shadow and control other machines with it for support calls.”
You’re sitting on your couch at home, it’s 8:00 on a Saturday night and one of your interns emails you about a new security vulnerability he just heard about on the latest and greatest podcast. You know that this new vulnerability is going to be the first thing to come up during the morning water cooler talk Monday morning. It’s time for you, the great server admin, to take flight and protect your kin!
Let’s just say there’s a lot to learn from history without quoting Sun Tzu… again. Especially in information and cybersecurity. While much of the birth of cyber realm revolves around the military - many of the members of our community are current or former members of various armed forces - many of us still refer to the military influence of old when working through our business planning and various actions revolving around cybersecurity. A great example is the common use or reference to Boyd’s OODA (Observe–Orient–Decide–Act) loop flow chart in both attack and defensive security applications. In sticking to a military theme, I want to touch on a story from World War II and its applicability in today’s modern cybersecurity world.