I work for a security vendor and I see into many customer environments. Often, the thought pops in my head, “If I were an attacker, I’d really get them if I [REDACTED].” And if I don’t think I can get them with [REDACTED], then [REDACTED], [REDACTED], [REDACTED], and [REDACTED] round out my top five most common ways to break into an organization and have access to quite a lot that I shouldn’t have access to.
It’s not that these methods necessarily have something to do with the product I support. Some do, like [REDACTED], [REDACTED], and [REDACTED]. But [REDACTED] and [REDACTED]? Well, that’s some other vendor that helps out with those weaknesses.
Now, as you read those paragraphs, what thoughts do you have that fill in the blanks I left? Unless you’re someone that works in the same line of security that I do, I’d dare say your top five exploits list is different from mine, in part or in whole. What’s more is that we may even have some of the same customers, and, between all the people that work in security at that customer or on behalf of that customer, we may actually know dozens of things that fill in those tantalizing [REDACTED] blanks.
Now, I know that the customer might want to know all the details of everything I notice, but I’m often noticing things that are out of the hands of the people I’m directly working with. They can only report up to their manager, and that communication only goes so far before it drops in urgency and loses its audience. Or, worse, it’s just added to the list of security things to fix, right behind [REDACTED], which got noticed last week in an audit finding.
So, let’s ask the question: what are the things that are the hardest to fix that leave organizations the most vulnerable? There are a number of “10 Quick Security Fixes” articles out there. Everyone knows how to pick low-hanging fruit. What I want to ask about are the projects that nobody wants, the projects that get people fired, the projects that land everyone in the [EXPLETIVE DELETED]. Because these are the ones that don’t get done, get done but badly, or get done only to such a point as a box on a checklist can be ticked, and then no more. For example, nearly everywhere I’ve been to has firewalls set up. That’s good. But when we talk about turning the firewall concept inside, to regulate traffic in a segmentation project, then I know I’m going to have an uphill fight in getting information about which apps use which ports.
Why will I have that uphill fight? Because I have to ask for netflow, that’s why. And then we need to talk to different teams about when they run their apps so that we’re sure to not block anything that runs only once per year. And then we have to deal with how Microsoft recommends that we leave open ALL. THE. PORTS. So that’s just one type of project that is practically a mission impossible.
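As an added example that is not part of the original post, here is one way to turn an exported netflow sample into the "which apps use which ports" answer a segmentation project needs. It assumes a constructed whitespace-separated export (timestamp, source, destination, port, protocol) and a hypothetical `build_policy` helper: flows seen steadily become candidate allow rules, rarely seen flows are parked for the app owners to confirm, and a capture window shorter than a year is flagged because it cannot have caught the once-a-year job.

```python
from datetime import datetime

# Constructed NetFlow-style export (timestamp src dst dport proto); not real data.
SAMPLE_FLOWS = """\
2024-01-03T09:00:00 10.1.1.20 10.2.0.5 443 tcp
2024-02-10T10:00:00 10.1.1.20 10.2.0.5 443 tcp
2024-03-15T11:00:00 10.1.1.20 10.2.0.5 443 tcp
2024-01-03T09:00:00 10.1.1.20 10.2.0.9 1433 tcp
2024-02-03T09:00:00 10.1.1.20 10.2.0.9 1433 tcp
2024-03-03T09:00:00 10.1.1.20 10.2.0.9 1433 tcp
2024-12-31T23:30:00 10.3.0.7 10.2.0.9 1433 tcp
2024-06-30T02:00:00 10.3.0.8 10.2.0.11 22 tcp
"""

def parse_flows(text):
    """Parse one flow per line into (datetime, src, dst, dport, proto)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows

def summarize(flows):
    """Count flows and track the last sighting per (src, dst, dport, proto)."""
    summary = {}
    for ts, src, dst, dport, proto in flows:
        s = summary.setdefault((src, dst, dport, proto), {"count": 0, "last": ts})
        s["count"] += 1
        s["last"] = max(s["last"], ts)
    return summary

def build_policy(flows, min_flows=3, min_window_days=365):
    """Split observed flows into candidate allow rules (seen steadily) and a
    review list (seen rarely), and flag a capture window too short for yearly jobs."""
    allow, review = [], []
    for (src, dst, dport, proto), s in sorted(summarize(flows).items()):
        rule = f"allow {proto} from {src} to {dst} port {dport}"
        if s["count"] >= min_flows:
            allow.append(rule)
        else:
            # Too rare to call steady: confirm with the app owner before any
            # deny rule lands; this may be the batch job that runs once a year.
            review.append((rule, s["count"], s["last"].date().isoformat()))
    stamps = [f[0] for f in flows]
    window_days = (max(stamps) - min(stamps)).days
    return {"allow": allow, "review": review, "window_days": window_days,
            "window_ok": window_days >= min_window_days}
```

On the sample, the two steady flows become allow rules, the two single sightings land on the review list, and `window_ok` is false because 363 days of capture is not enough to have seen every annual job.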
What projects do you face that are nearly impossible, but fill in those [REDACTED] blanks?