Friday, March 30, 2012

Loose lips sink... companies?

When talking about security in a company, one cannot just assume it's all hardware- and software-based protections. It's about the people too. People are actually the weakest link when it comes to a company's security. Many security assessment firms prey on exactly those weak links, and while your network may be locked up tight, someone with loose lips can easily make all of your efforts null and void.

Corporate espionage comes to mind. While at dinner, talking shop with your coworkers, you might be discussing sensitive information without considering that you could be overheard, or even that the information is fairly sensitive and, with the right interpretation, could cost your company big bucks. Or a stranger strikes up a conversation with you in a bar, you mention your company, and before you know it you are a target of bribery or extortion aimed at extracting more information.

This article from darkreading.com reports on a study done by the firm FileTrek. The study surveyed 2625 Americans over the age of 18. By way of extrapolation, the study suggests that over 90% of Americans suspect such actions are happening, whether intentionally malicious or not.

Being a busy regional manager of a big-city branch of a company, you might think to just take some paperwork home so that you can do a little catching up after you have dinner with the wife and kids. Well, suppose you forget your briefcase at the dry-cleaner? Or you are robbed? Suppose that information you had could be used for insider trading and/or as a way to take your company down. It all sounds rather paranoid, but it happens more often than you would think.

The article states that there is a difference of opinion among generations as to whether or not it is acceptable to take documents off the company premises. Only among people 55 and older did a majority believe it was grounds for termination. Well, the fact of the matter is, it is an offense that completely warrants termination. The article's statistics show that the only two workplace offenses ranking higher as grounds for termination are sexual harassment and incompetence.

The great wall syndrome is very common in today's bustling marketplace. The great wall syndrome can be as simple as copying sensitive company data to a USB flash drive and taking it home. Perhaps you lose the data, and now you are the catalyst for your own early termination. It's fairly straightforward to protect networks and design software correctly, but it is nearly impossible to control people and their actions. Loose lips sink ships, and as far as a company's security goes, one bad egg spoils it all and completely undermines and bypasses any safeguards that are currently in place. I think it's an important task to get companies to start teaching their employees proper information etiquette and just how sensitive data really is. Even the most benign piece of information can be interpreted, in the right hands, in a way that allows further data compromise or corporate peril like bankruptcy, buy-out, and shutdown.

Pwn2Own Win!

Earlier in my blog I mentioned the hacking contest named Pwn2Own. Well, this article about Pwn2Own shows you just how easily and quickly focused minds can write code that exploits a vulnerability. While the contest's main focus was on browsers (Internet Explorer, Google Chrome, Mozilla Firefox), it goes to show how important security should be for any software.

I find it rather amusing that the contestants found vulnerabilities and programmed the exploit in as little as one hour. What is scary is that the targets of the exploits were web browsers, major names in the industry that almost everyone uses. It brings to light how important solid code conventions, proper programming practices, and astute risk analysis are in all things software design. How is a product supposed to be the 'best' in the business if it has as many holes as Swiss cheese? It's also interesting that the article suggests software designers do not have a security-first philosophy. From what I understand, they merely wait until an exploit is made public before deciding to make patching that vulnerability a priority.

What I mean to say is that software engineers need to have an intuition about their code. I feel as though there needs to be some kind of expertise involved, some shooting down of ideas because they pose a security threat, and also more emphasis placed on solid code to prevent cheesy hacks from being possible. Companies are, in my opinion, too focused on being better and improving a product. When your product is currently full of holes, how is that not at the top of the queue? 'If it ain't broke, don't fix it?' If the screws are loose, it's not broken yet; does that mean you don't need to tighten them up a bit and maybe use a little thread lock this time? I think not.

I feel like it's a perpetual cycle of crap upon crap. You can't build your house on a shoddy foundation, so stop building your software additions on top of sub-par products. Make it a priority! It's impossible to fix all the bugs, and some bugs are only noticeable once they are exploited or brought to light; however, most bugs are fairly obvious. My cynical assumption is that some software design teams will say “Oh, I see how that could be a problem, but nobody has done that yet, so it's not really an issue.” To me this is a huge mistake; it incurs massive technical debt in a product and ultimately will lead to more work in the future.

Also, as I have mentioned before, the belief that security through obscurity (obfuscation) is acceptable is a misguided and detrimental one. I am glad that Pwn2Own offered cash prizes for finding exploits, and I am glad that it brings the issue of design priorities to light.

"We created six different exploits in less than 24 hours, which demonstrates that with enough resources and expertise, a team of motivated researchers can write reliable exploits in a very short time,"

Imagine what a team backed by the budget of a nation state, a growing world power, could accomplish. To me it's scary, and not to be Chicken Little, but we all need to start designing with security in mind, not as an afterthought.